Page 1 of 2 12 LastLast
Results 1 to 10 of 14

Thread: vundo, viruses, and spyware

  1. #1
    Junior Member
    Join Date
    Aug 2007
    Posts
    8

    Default vundo, viruses, and spyware

    Hi, I am helping a family member with their computer. I ran vundo.exe by Atribune and removed the vundo files. I updated Java and removed outerinfo pop ups with their uninstaller. I downloaded adaware 2007 and Avg antispyware and ran them both to delete the spyware. I also updated the hosts file based on a tutorial from bleepingcomputer.com.Lastly I downloaded and ran Avg virus scanner and removed 125 viruses. I have ran hijack this and will post the log file. Could you please check it over to see if there is anything else I need to do to make sure the computer is running normal. Thank you for your help in advance.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:32:31 PM, on 8/24/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    O2 - BHO: 0 - {28560137-3A09-4ECC-B884-EF23FEB6FF91} - C:\Program Files\Common Files\qucamo484.dll (file missing)
    O2 - BHO: (no name) - {3A1949A6-8895-495C-AD13-7E975292C40A} - C:\WINDOWS\system32\geeba.dll (file missing)
    O2 - BHO: (no name) - {46EF926F-52C5-431B-AAC9-509B0B73F0FF} - C:\Program Files\Windows NT\meqo83122.dll (file missing)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {6D09D9F7-AC00-4B70-9AD1-8C1FD6C60014} - C:\Program Files\Windows NT\meqo4444.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {C8227A17-9ADA-E425-8BD8-95ABAD0405E6} - C:\WINDOWS\system32\akotiwtt.dll (file missing)
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AIMPro] "C:\Program Files\AIM\AIM Pro\aimpro.exe"
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1170013887\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
    O4 - HKCU\..\Run: [Ikbegevc] C:\WINDOWS\??stem32\t?skmgr.exe
    O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.0\webbuying.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-21-1422578528-1849913357-3896940808-1006\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" (User 'shelby')
    O4 - HKUS\S-1-5-21-1422578528-1849913357-3896940808-1006\..\Run: [Aim6] (User 'shelby')
    O4 - HKUS\S-1-5-21-1422578528-1849913357-3896940808-1006\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl (User 'shelby')
    O4 - HKUS\S-1-5-21-1422578528-1849913357-3896940808-1006\..\Run: [Sen] "C:\DOCUME~1\shelby\APPLIC~1\SSTEM~1\chkdsk.exe" -vt yazb (User 'shelby')
    O4 - HKUS\S-1-5-21-1422578528-1849913357-3896940808-1006\..\Run: [Kuvw] "C:\Documents and Settings\shelby\My Documents\M?crosoft\w?nlogon.exe" (User 'shelby')
    O4 - HKUS\S-1-5-21-1422578528-1849913357-3896940808-1006\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe (User 'shelby')
    O4 - HKUS\S-1-5-21-1422578528-1849913357-3896940808-1006\..\Run: [WinTouch] C:\Documents and Settings\shelby\Application Data\WinTouch\WinTouch.exe (User 'shelby')
    O4 - HKUS\S-1-5-21-1422578528-1849913357-3896940808-1006\..\Run: [SfKg6w] C:\Documents and Settings\shelby\Application Data\Microsoft\Windows\sdyljkhk.exe (User 'shelby')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - S-1-5-21-1422578528-1849913357-3896940808-1006 Startup: TA_Start.lnk = C:\WINDOWS\TISKY009.exe (User 'shelby')
    O4 - S-1-5-21-1422578528-1849913357-3896940808-1006 Startup: Think-Adz.lnk = C:\WINDOWS\system32\rwintmdt.exe (User 'shelby')
    O4 - S-1-5-21-1422578528-1849913357-3896940808-1006 User Startup: TA_Start.lnk = C:\WINDOWS\TISKY009.exe (User 'shelby')
    O4 - S-1-5-21-1422578528-1849913357-3896940808-1006 User Startup: Think-Adz.lnk = C:\WINDOWS\system32\rwintmdt.exe (User 'shelby')
    O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
    O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\rwintmdt.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\qhcplzd.exe (file missing)

    --
    End of file - 10325 bytes

  2. #2
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,252

    Default

    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance)
    http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    You have a nasty infection here, this may take a while? My first suggestion, because you have trojans, is to stay offline except when troubleshooting until I tell you that you are clean. Nice of you to help out, remove Vundofix from the computer including the C:\Vundofix Backups\ If we need the tool again we will download it fresh.

    1) C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    For your information, Viewpoint is installed by aol probably without your knowledge. I suggest you uninstall this resource waster in Add Remove programs.
    http://www.greatis.com/appdata/u/v/viewmgr.exe.htm
    http://www.spywareinfo.com/newslette....php#viewpoint
    http://www.clickz.com/news/article.php/3561546

    2) Ad-Aware 2007 <<< this is a new version and not much is know yet, please exit that program until you finish.

    3) AVG Anti-Spyware: Deactivate the Resident Shield
    - Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
    - To do this, click "Change State" to the right of the Resident Shield option in the main window.
    - You will clearly see the status change to Inactive if you have done this correctly.

    4) Open Hijackthis.
    Click the "Open the Misc Tools" section Button.
    Click the "Open Uninstall Manager" Button.
    Click the "Save list..." Button.
    Save it to your desktop. Copy and paste the contents into your reply.
    (You may edit out Microsoft, Hotfixes, Security Update for Windows XP, Update for Windows XP and Windows XP Hotfix to shorten the list)

    5) Thanks to sUBs and anyone else who helped with this fix.

    Download ComboFix from Here or Here to your Desktop.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

    Note: Do not mouseclick combofix's window while its running. That may cause it to stall

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  3. #3
    Junior Member
    Join Date
    Aug 2007
    Posts
    8

    Default

    I have followed all the steps you suggested. I was unable to find a way to exit adaware 2007 but it is not currently running that I can see. I also forgot to mention that the computer is setup for two users but I only have one logged in. Thanks again for your help.
    Uninstall programs list

    Ad-Aware 2007
    Adobe Acrobat - Reader 6.0.2 Update
    Adobe Flash Player 9 ActiveX
    AIM 6
    AOLIcon
    Apple Software Update
    AVG 7.5
    AVG Anti-Spyware 7.5
    Dell Driver Reset Tool
    Dell Media Experience
    DellSupport
    Digital Content Portal
    EarthLink setup files
    EducateU
    Get High Speed Internet!
    HijackThis 2.0.2
    HP Customer Participation Program 7.0
    HP Document Viewer 7.0
    HP Imaging Device Functions 7.0
    HP Photosmart Premier Software 6.5
    HP Photosmart, Officejet and Deskjet 7.0.A
    HP Software Update
    HP Solution Center 7.0
    Intel(R) 537EP V9x DF PCI Modem
    Intel(R) Extreme Graphics 2 Driver
    Intel(R) PRO Network Adapters and Drivers
    Intel(R) PROSet for Wired Connections
    Internet Explorer Default Page
    iPod for Windows 2006-03-23
    iTunes
    Java(TM) 6 Update 2
    Learn2 Player (Uninstall Only)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft Encarta Encyclopedia Standard 2005
    Microsoft Money 2005
    Microsoft Picture It! Premium 10
    Microsoft Plus! Digital Media Edition Installer
    Microsoft Plus! Photo Story 2 LE
    Microsoft Streets and Trips 2005
    Microsoft Word 2002
    Microsoft Works
    Microsoft Works 2005 Setup Launcher
    Microsoft Works Suite Add-in for Microsoft Word
    Modem Event Monitor
    Modem Helper
    Modem On Hold
    MSN
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    NetZeroInstallers
    OCR Software by I.R.I.S 7.0
    Photo Click
    PowerDVD 5.5
    QuickTime
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920214)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921503)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925454)
    Security Update for Windows XP (KB925486)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928090)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB929969)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931768)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933566)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Security Update for Windows XP (KB936021)
    Security Update for Windows XP (KB937143)
    Security Update for Windows XP (KB938127)
    Security Update for Windows XP (KB938829)
    Shockwave
    Sonic DLA
    Sonic Update Manager
    Trend Micro PC-cillin Internet Security 12
    Update for Windows XP (KB894391)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB908531)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB929338)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB931836)
    Update for Windows XP (KB936357)
    Update for Windows XP (KB938828)
    WebCyberCoach 3.2 Dell
    Windows Installer 3.1 (KB893803)
    Windows Media Format Runtime
    Windows Media Player 10
    Windows Media Player 10
    Windows Overlay Components
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB885884
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859

    combo fix log

    ComboFix 07-08-25.2 - "scott" 2007-08-25 12:04:09.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.224 [GMT -4:00]
    * Created a new restore point


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
    C:\DOCUME~1\NETWOR~1\Desktop\searchus.exe
    C:\DOCUME~1\scott\Desktop\internet.lnk
    C:\DOCUME~1\scott\err.log
    C:\DOCUME~1\scott\STARTM~1\Programs\Startup.\TA_Start.lnk
    C:\DOCUME~1\scott\STARTM~1\Programs\Startup\ta_start.lnk
    C:\DOCUME~1\scott\STARTM~1\Programs\Startup\think-adz.lnk
    C:\DOCUME~1\shelby\APPLIC~1\macromedia\Flash Player\#SharedObjects\BQGPG27P\www.broadcaster.com
    C:\DOCUME~1\shelby\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
    C:\DOCUME~1\shelby\APPLIC~1\sstem~1
    C:\DOCUME~1\shelby\APPLIC~1\WinTouch
    C:\DOCUME~1\shelby\Desktop\internet.lnk
    C:\DOCUME~1\shelby\err.log
    C:\DOCUME~1\shelby\MYDOCU~1\mcroso~1
    C:\DOCUME~1\shelby\STARTM~1\Programs\Outerinfo
    C:\DOCUME~1\shelby\STARTM~1\Programs\Startup\ta_start.lnk
    C:\DOCUME~1\shelby\STARTM~1\Programs\Startup\think-adz.lnk
    C:\Program Files\Common Files\asks~1
    C:\Program Files\Common Files\dobe~1
    C:\Program Files\Common Files\WinAntiSpyware 2007
    C:\Program Files\Common Files\winantispyware 2007\err.log
    C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
    C:\Program Files\inetget2
    C:\Program Files\Windows NT\meqo4444.dll
    C:\Program Files\winpop
    C:\Program Files\winpop\winpop.exe
    C:\temp\0c2
    C:\temp\0c2\tmpFF.log
    C:\temp\brr
    C:\temp\brr\tmpZTF.log
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\pppatc~1
    C:\WINDOWS\scurit~1
    C:\WINDOWS\stem32~1
    C:\WINDOWS\system32\b02FdUe
    C:\WINDOWS\system32\C1
    C:\WINDOWS\system32\C3
    C:\WINDOWS\system32\C5
    C:\WINDOWS\system32\C9
    C:\WINDOWS\system32\cfjhjbhx.exe
    C:\WINDOWS\system32\dgqqafpq.exe
    C:\WINDOWS\system32\drivers\fopn.sys
    C:\WINDOWS\system32\E5
    C:\WINDOWS\system32\fdmhgvat.exe
    C:\WINDOWS\system32\kdtbevfq.exe
    C:\WINDOWS\system32\kjhhypko.exe
    C:\WINDOWS\system32\lgowvjgq.exe
    C:\WINDOWS\system32\msnav32.ax
    C:\WINDOWS\system32\ppuwumnr.exe
    C:\WINDOWS\system32\pqbjihbv.exe
    C:\WINDOWS\system32\qkqiopwo.exe
    C:\WINDOWS\system32\rldjissh.exe
    C:\WINDOWS\system32\vamtddep.exe
    C:\WINDOWS\system32\win
    C:\WINDOWS\system32\winnb58.dll
    C:\WINDOWS\system32\winpfz32.sys
    C:\WINDOWS\system32\wylilohm.exe
    C:\WINDOWS\system32\zxdnt3d.cfg
    C:\WINDOWS\TTC-4444.exe


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_CMDSERVICE
    -------\LEGACY_FOPN
    -------\LEGACY_NETWORK_MONITOR
    -------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
    -------\Windows Overlay Components


    ((((((((((((((((((((((((( Files Created from 2007-07-25 to 2007-08-25 )))))))))))))))))))))))))))))))


    2007-08-25 12:02 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-08-22 18:57 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2007-08-21 19:56 <DIR> d--hs---- C:\found.000
    2007-08-19 19:56 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-08-19 19:56 <DIR> d-------- C:\my downloads
    2007-08-19 17:14 <DIR> d-------- C:\WINDOWS\pss
    2007-08-19 15:08 <DIR> d-------- C:\Program Files\Lavasoft
    2007-08-19 15:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
    2007-08-18 21:21 1,731,659 ---hs---- C:\WINDOWS\system32\abeeg.ini2
    2007-08-06 22:10 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
    2007-08-06 22:08 <DIR> d--hs---- C:\WINDOWS\c2hlbGJ5
    2007-08-04 17:20 1,590,201 ---hs---- C:\WINDOWS\system32\abeeg.bak2
    2007-08-03 22:21 1,594,617 ---hs---- C:\WINDOWS\system32\abeeg.bak1
    2007-08-03 22:15 <DIR> d-------- C:\Temp
    2007-07-31 22:51 <DIR> d-------- C:\DOCUME~1\scott\APPLIC~1\Aim


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-08-25 12:06 --------- d-------- C:\Program Files\Windows NT
    2007-08-25 11:48 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
    2007-08-24 18:29 --------- d-------- C:\Program Files\Trend Micro
    2007-08-22 19:00 246 --a------ C:\Program Files\Common Files\qucamo484
    2007-08-19 19:57 --------- d-------- C:\DOCUME~1\shelby\APPLIC~1\AOL
    2007-08-19 19:54 --------- d-------- C:\Program Files\Common Files\AOL
    2007-08-19 19:53 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
    2007-08-18 19:55 --------- d-------- C:\Program Files\AIM
    2007-08-08 16:51 --------- d-------- C:\Program Files\Common Files\Real
    2007-08-08 16:32 --------- d-------- C:\Program Files\Common Files\Sonic Shared
    2007-08-01 14:39 --------- d-------- C:\DOCUME~1\shelby\APPLIC~1\LimeWire
    2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
    2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
    2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
    2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
    2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
    2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
    2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
    2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
    2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
    2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
    2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
    2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
    2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
    2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
    2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
    2007-07-28 05:06 135 --a------ C:\Program Files\Common Files\rtelebi.html
    2007-07-13 22:28 --------- d-------- C:\Program Files\AOD
    2007-07-03 02:46 --------- d-------- C:\DOCUME~1\shelby\APPLIC~1\Aim
    2007-06-26 11:13 851968 --------- C:\WINDOWS\system32\dllcache\vgx.dll
    2007-06-26 10:09 658944 --------- C:\WINDOWS\system32\dllcache\wininet.dll
    2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
    2007-06-26 02:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
    2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
    2007-06-19 09:31 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
    2007-06-14 14:09 96256 --------- C:\WINDOWS\system32\dllcache\inseng.dll
    2007-06-14 14:09 615424 --------- C:\WINDOWS\system32\dllcache\urlmon.dll
    2007-06-14 14:09 55808 --------- C:\WINDOWS\system32\dllcache\extmgr.dll
    2007-06-14 14:09 532480 --------- C:\WINDOWS\system32\dllcache\mstime.dll
    2007-06-14 14:09 474112 --------- C:\WINDOWS\system32\dllcache\shlwapi.dll
    2007-06-14 14:09 449024 --------- C:\WINDOWS\system32\dllcache\mshtmled.dll
    2007-06-14 14:09 39424 --------- C:\WINDOWS\system32\dllcache\pngfilt.dll
    2007-06-14 14:09 357888 --------- C:\WINDOWS\system32\dllcache\dxtmsft.dll
    2007-06-14 14:09 3058688 --------- C:\WINDOWS\system32\dllcache\mshtml.dll
    2007-06-14 14:09 251392 --------- C:\WINDOWS\system32\dllcache\iepeers.dll
    2007-06-14 14:09 205312 --------- C:\WINDOWS\system32\dllcache\dxtrans.dll
    2007-06-14 14:09 16384 --------- C:\WINDOWS\system32\dllcache\jsproxy.dll
    2007-06-14 14:09 151040 --------- C:\WINDOWS\system32\dllcache\cdfview.dll
    2007-06-14 14:09 1494528 --------- C:\WINDOWS\system32\dllcache\shdocvw.dll
    2007-06-14 14:09 146432 --------- C:\WINDOWS\system32\dllcache\msrating.dll
    2007-06-14 14:09 1054208 --------- C:\WINDOWS\system32\dllcache\danim.dll
    2007-06-14 14:09 1023488 --------- C:\WINDOWS\system32\dllcache\browseui.dll
    2007-06-14 10:07 18432 --------- C:\WINDOWS\system32\dllcache\iedw.exe
    2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
    2007-06-13 06:23 1033216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
    2006-02-19 05:28 12288 --a------ C:\WINDOWS\Fonts.\RandFont.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{28560137-3A09-4ECC-B884-EF23FEB6FF91}]
    C:\Program Files\Common Files\qucamo484.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3A1949A6-8895-495C-AD13-7E975292C40A}]
    C:\WINDOWS\system32\geeba.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{46EF926F-52C5-431B-AAC9-509B0B73F0FF}]
    C:\Program Files\Windows NT\meqo83122.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C8227A17-9ADA-E425-8BD8-95ABAD0405E6}]
    C:\WINDOWS\system32\akotiwtt.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 21:42]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-05 21:22]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-05 21:19]
    "Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-04-05 21:23]
    "IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 22:12]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 18:19]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 11:54]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 03:05]
    "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 18:50]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 18:50]
    "DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 03:02]
    "pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 18:30]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 04:41]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 20:05]
    "AIMPro"="C:\Program Files\AIM\AIM Pro\aimpro.exe" []
    "AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" []
    "HostManager"="C:\Program Files\Common Files\AOL\1170013887\ee\AOLSoftware.exe" []
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
    "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-22 19:11]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2005-08-15 21:38]
    "Ikbegevc"="C:\WINDOWS\??stem32\t?skmgr.exe" [2004-08-04 07:00]
    "Aim6"="" []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=0 (0x0)



    Contents of the 'Scheduled Tasks' folder
    2007-08-02 12:25:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-25 12:08:52
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-08-25 12:13:11 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-08-25 12:13

    --- E O F ---

  4. #4
    Junior Member
    Join Date
    Aug 2007
    Posts
    8

    Default

    Here is the hijack this log. It was to long to put with the other post.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:19:53 PM, on 8/25/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    O2 - BHO: 0 - {28560137-3A09-4ECC-B884-EF23FEB6FF91} - C:\Program Files\Common Files\qucamo484.dll (file missing)
    O2 - BHO: (no name) - {3A1949A6-8895-495C-AD13-7E975292C40A} - C:\WINDOWS\system32\geeba.dll (file missing)
    O2 - BHO: (no name) - {46EF926F-52C5-431B-AAC9-509B0B73F0FF} - C:\Program Files\Windows NT\meqo83122.dll (file missing)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {C8227A17-9ADA-E425-8BD8-95ABAD0405E6} - C:\WINDOWS\system32\akotiwtt.dll (file missing)
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AIMPro] "C:\Program Files\AIM\AIM Pro\aimpro.exe"
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1170013887\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
    O4 - HKCU\..\Run: [Ikbegevc] C:\WINDOWS\??stem32\t?skmgr.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

    --
    End of file - 7889 bytes

  5. #5
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,252

    Default

    Thanks for returning your information and the feedback, you said:
    I was unable to find a way to exit adaware 2007 but it is not currently running that I can see.
    I am not sure, I run Ad-Aware SE personal but do not intend to update to that program. Is it not free? That being the case, uninstall if you need to.
    I also forgot to mention that the computer is setup for two users but I only have one logged in.
    Always a chance one user is infected and another is not, I will need to see a HJT log at least at some point. I will let you know.

    You are running two antivirus programs at the same time and this is not a good thing. They conflict with each other and you will be less safe than if you ran one good program and maintained it properly. Uninstall one, update the one you keep and run a complete system scan, post for me any item that can't be removed, the complete name and pathway.
    http://service1.symantec.com/SUPPORT...00031316555206
    "Microsoft recommends that you have only one anti-virus program installed on your computer."
    http://www.washingtonpost.com/wp-dyn...120300087.html
    http://www.smartcomputing.com/editor...8s07/38s07.asp

    Grisoft\AVG7
    Trend Micro\Internet Security 12\
    Uninstall one of those before you post another HJT log.

    Uninstall List: I look for malware and security issues. As far as I can see, everything looks ok. You should make sure nothing is running you do not know.

    You can see all of the junk removed by combofix, let do this now:

    1) Please download ATF Cleaner by Atribune
    http://www.atribune.org/content/view/25/2/
    Save it to your Desktop. We will use this later.

    2) Use the instructions to turn these off, they will block HJT
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

    3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    O2 - BHO: 0 - {28560137-3A09-4ECC-B884-EF23FEB6FF91} - C:\Program Files\Common Files\qucamo484.dll (file missing)
    O2 - BHO: (no name) - {3A1949A6-8895-495C-AD13-7E975292C40A} - C:\WINDOWS\system32\geeba.dll (file missing)
    O2 - BHO: (no name) - {46EF926F-52C5-431B-AAC9-509B0B73F0FF} - C:\Program Files\Windows NT\meqo83122.dll (file missing)
    O2 - BHO: (no name) - {C8227A17-9ADA-E425-8BD8-95ABAD0405E6} - C:\WINDOWS\system32\akotiwtt.dll (file missing)
    O4 - HKCU\..\Run: [Ikbegevc] C:\WINDOWS\??stem32\t?skmgr.exe

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    4) Follow the directions in this link to run AVG Anti-Spyware, make sure you delete or quarantine anything it finds and save the scan report to post.

    http://forums.security-central.us/showthread.php?t=3165

    5) Run ATF Cleaner
    Double-click ATF-Cleaner.exe to run the program.
    Click Select All found at the bottom of the list.
    Click the Empty Selected button.
    Click Exit on the Main menu to close the program.

    Restart the computer and post the AVG Anti-Spyware scan results, a new HJT log and your comments. How is the computer running now.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  6. #6
    Junior Member
    Join Date
    Aug 2007
    Posts
    8

    Default

    I deleted one of the virus scanners and adaware 2007. I will reinstall the adaware later. The computer for this user seems to be running great. I have not checked the other user yet. I would definetly like any suggestions to keep this computer safe and Thank You very much for your help.
    Avg Anti-spyware log

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 1:47:04 PM 8/25/2007

    + Scan result:



    C:\Documents and Settings\scott\Cookies\scott@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\scott\Cookies\scott@advertising[3].txt -> TrackingCookie.Advertising : Cleaned.
    C:\Documents and Settings\scott\Cookies\scott@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
    C:\Documents and Settings\shelby\Cookies\shelby@pro-market[2].txt -> TrackingCookie.Pro-market : Cleaned.


    ::Report end

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:53:47 PM, on 8/25/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AIMPro] "C:\Program Files\AIM\AIM Pro\aimpro.exe"
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1170013887\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    --
    End of file - 6168 bytes

  7. #7
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,252

    Default

    Thanks for the feedback, good to hear your computer is running as it should. Once we finish I will post links to information from security experts, after you view that information, if you still have questions, post them and I will do my best to give you answers.

    Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 1:53:47 PM, on 8/25/2007
    I see no malware in this HJT log, looks good

    Sign in to the other user and create, then post a HJT log. Be sure to mark it plainly so you will know which is which.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  8. #8
    Junior Member
    Join Date
    Aug 2007
    Posts
    8

    Default

    Here is the Hijack Log for the second user. Thanks for your time and help.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:12:34 PM, on 8/25/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm?rev=10253
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AIMPro] "C:\Program Files\AIM\AIM Pro\aimpro.exe"
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1170013887\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\shelby\APPLIC~1\SSTEM~1\chkdsk.exe" -vt yazb
    O4 - HKCU\..\Run: [Kuvw] "C:\Documents and Settings\shelby\My Documents\M?crosoft\w?nlogon.exe"
    O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
    O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\shelby\Application Data\WinTouch\WinTouch.exe
    O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\shelby\Application Data\Microsoft\Windows\sdyljkhk.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-21-1422578528-1849913357-3896940808-1007\..\Run: [Aim6] (User 'scott')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\rtelebi.html

    --
    End of file - 7488 bytes

  9. #9
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,252

    Default

    Bunch of junk, I am not sure if we need to run combofix or not, let see if HJT will remove the stuff.

    While still signed into this user...

    1) Start > Control Panel > Add Remove programs and uninstall: PurityScan, OIN, Outerinfo, WinTouch, WinPop and anything else you see that you know should not be there.

    2) AVG Anti-Spyware: Deactivate the Resident Shield
    - Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
    - To do this, click "Change State" to the right of the Resident Shield option in the main window.
    - You will clearly see the status change to Inactive if you have done this correctly.

    3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
    O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\shelby\APPLIC~1\SSTEM~1\chkdsk.exe" -vt yazb
    O4 - HKCU\..\Run: [Kuvw] "C:\Documents and Settings\shelby\My Documents\M?crosoft\w?nlogon.exe"
    O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
    O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\shelby\Application Data\WinTouch\WinTouch.exe
    O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\shelby\Application Data\Microsoft\Windows\sdyljkhk.exe
    O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\rtelebi.html

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    4) RIGHT Click on Start then click on Explore. Locate and delete these items:
    (some files and folders may be gone, just do not miss any)

    C:\DOCUMENTS AND SETTINGS~1\shelby\APPLICATION DATA~1\SSTEM~1\ <<< delete that folder

    C:\Program Files\WinPop\ <<< delete that folder

    C:\Documents and Settings\shelby\Application Data\WinTouch\ <<< delete that folder

    C:\Documents and Settings\shelby\Application Data\Microsoft\Windows\sdyljkhk.exe <<< delete that file

    C:\Program Files\Common Files\rtelebi.html <<< delete that file

    Follow the directions in this link to run AVG Anti-Spyware, make sure you delete or quarantine anything it finds and save the scan report to post.http://forums.security-central.us/showthread.php?t=3165

    Run Clean Manager
    http://spyware-free.us/tutorials/cleanmgr/

    Restart the computer and post a new HJT log from each user, mark them plainly.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  10. #10
    Junior Member
    Join Date
    Aug 2007
    Posts
    8

    Default

    I have done all the steps. Here are the results.
    Hijack Log from the first user

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:25:24 PM, on 8/25/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AIMPro] "C:\Program Files\AIM\AIM Pro\aimpro.exe"
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1170013887\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    --
    End of file - 6168 bytes

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •