Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

webbuying.exe + hijack this log

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

webbuying.exe + hijack this log

Unread postby pacino77 » February 17th, 2008, 2:17 pm

hi everyone. i had malware problems in the past and thanks to this forum i solved them. now today webbuying.exe randomly shows up on my computer and i don't know what to do. any help would of course be greatly appreciated. here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 1:14:16 PM, on 2/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\paugey\APPLIC~1\DOBE~1\cmd.exe
C:\Documents and Settings\paugey\Application Data\F?nts\??anregw.exe
C:\Program Files\RABCO\X_RABCOse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.wikipedia.org/wiki/Main_Page
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RabioBHO - {1C2E5D27-A17C-4D89-85DD-3553C189380D} - C:\Program Files\RABCO\RABCO.dll
O2 - BHO: (no name) - {3A455DF1-4CE1-44F4-AC65-EB21B9C33D95} - C:\Program Files\Messenger\dipurexo89104.dll
O2 - BHO: (no name) - {3D37BDE7-5673-7A8F-5311-5900C9BF88B1} - C:\WINDOWS\system32\bip.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: MSEvents Object - {CE70731D-F28D-4D81-9D61-C8EE60378401} - C:\WINDOWS\system32\mljjk.dll (file missing)
O2 - BHO: (no name) - {D85530E8-D39D-49D0-9F36-300D594556D2} - C:\WINDOWS\system32\yayvttu.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\paugey\APPLIC~1\DOBE~1\cmd.exe" -vt yazb
O4 - HKCU\..\Run: [Kgk] "C:\Documents and Settings\paugey\Application Data\F?nts\??anregw.exe"
O4 - Startup: RABCO - Auto Update.lnk = C:\Program Files\RABCO\RABCOse.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mljjk - C:\WINDOWS\system32\mljjk.dll (file missing)
O20 - Winlogon Notify: yayvttu - C:\WINDOWS\SYSTEM32\yayvttu.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
pacino77
Active Member
 
Posts: 11
Joined: February 17th, 2008, 2:11 pm
Advertisement
Register to Remove

Re: webbuying.exe + hijack this log

Unread postby dan12 » February 18th, 2008, 2:51 am

Hi, pacino77, and welcome to malwareremoval forums

I'm dan12, I'll be glad to help you with your computer problems.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • REMEMBER, ABSENCE OF SYMPTOMS DOES NOT MEAN THE INFECTION IS ALL GONE.
If you can do these things, everything should go smoothly.
  • Please note you'll need to have Administrator priviledges to perform the fixes. (XP accounts are Administrator by default)
  • Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.
It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

I'm presently looking over your log and hope not to be too long.
Will be back with you as soon as I can.
Thanks dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: webbuying.exe + hijack this log

Unread postby dan12 » February 18th, 2008, 7:40 am

Hi,pacino77,

Download latest "highjackthis" version.

Delete HijackThis v1.99.1
  • Click Start
  • Go to Control Panel
  • Go to Add/Remove Programs
  • Find and click Remove for the following (if present). It could be that they have a space or something between it , but it has to look like it:
  • HijackThis v1.99.1
________________________

Download and Run HijackThis
Download HJTInstall.exe to your Desktop.
  • Doubleclick HJTInstall.exe to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Copy/Paste the log to your next reply please.
Don't use the Analyse This button, its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

please post new HJT log
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: webbuying.exe + hijack this log

Unread postby pacino77 » February 18th, 2008, 1:17 pm

hi dan--
thanks for your quick response. here is the new hijackthis log:
--paul

-------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:29 PM, on 2/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\mrofinu572.exe
C:\PROGRA~1\COMMON~1\AVSYST~1\ugcw.exe
C:\Program Files\Common Files\AVSystemCare\bm.exe
C:\DOCUME~1\paugey\APPLIC~1\DOBE~1\cmd.exe
C:\Documents and Settings\paugey\Application Data\F?nts\??anregw.exe
C:\Program Files\RABCO\X_RABCOse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://en.wikipedia.org/wiki/Main_Page
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program

Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program

Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ISUSPM Startup]

C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI]

C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe

61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [AVSystemCare] C:\Program Files\AVSystemCare\pgs.exe
O4 - HKLM\..\Run: [ugcw] "C:\PROGRA~1\COMMON~1\AVSYST~1\ugcw.exe" -start
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common

Files\AVSystemCare\bm.exe" dm=http://avsystemcare.com;

ad=http://avsystemcare.com
O4 - HKLM\..\Run: [6c23b575] rundll32.exe

"C:\WINDOWS\system32\wtdjcxxc.dll",b
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\paugey\APPLIC~1\DOBE~1\cmd.exe" -vt

yazb
O4 - HKCU\..\Run: [Kgk] "C:\Documents and Settings\paugey\Application

Data\F?nts\??anregw.exe"
O4 - Startup: RABCO - Auto Update.lnk = C:\Program

Files\RABCO\RABCOse.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -

(no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.avsystemcare.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus

scanner) -

http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility

Class) -

http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer

Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision

Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel

32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program

Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network

Monitor\netmon.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program

Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner

- C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 4915 bytes
pacino77
Active Member
 
Posts: 11
Joined: February 17th, 2008, 2:11 pm

Re: webbuying.exe + hijack this log

Unread postby dan12 » February 18th, 2008, 1:37 pm

Hi, pacino77,
Can you send me another log but this time in notepad go to > format and uncheck word wrap in the drop down box.
It makes it difficult to read the logs otherwise.
Thanks dan :)
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: webbuying.exe + hijack this log

Unread postby pacino77 » February 18th, 2008, 4:01 pm

of course!! sorry :roll: . here goes nothing:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:58:30 PM, on 2/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\mrofinu572.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\AVSystemCare\pgs.exe
C:\PROGRA~1\COMMON~1\AVSYST~1\ugcw.exe
C:\Program Files\Common Files\AVSystemCare\bm.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\paugey\APPLIC~1\DOBE~1\cmd.exe
C:\Documents and Settings\paugey\Application Data\F?nts\??anregw.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\RABCO\X_RABCOse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.wikipedia.org/wiki/Main_Page
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [AVSystemCare] C:\Program Files\AVSystemCare\pgs.exe
O4 - HKLM\..\Run: [ugcw] "C:\PROGRA~1\COMMON~1\AVSYST~1\ugcw.exe" -start
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\AVSystemCare\bm.exe" dm=http://avsystemcare.com; ad=http://avsystemcare.com
O4 - HKLM\..\Run: [6c23b575] rundll32.exe "C:\WINDOWS\system32\wtdjcxxc.dll",b
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\paugey\APPLIC~1\DOBE~1\cmd.exe" -vt yazb
O4 - HKCU\..\Run: [Kgk] "C:\Documents and Settings\paugey\Application Data\F?nts\??anregw.exe"
O4 - Startup: RABCO - Auto Update.lnk = C:\Program Files\RABCO\RABCOse.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.avsystemcare.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 4838 bytes
pacino77
Active Member
 
Posts: 11
Joined: February 17th, 2008, 2:11 pm

Re: webbuying.exe + hijack this log

Unread postby dan12 » February 18th, 2008, 4:14 pm

Hi,pacino77

I believe we have some files hiding from us, I'm going to flush them out.

Please go to the C:\Program Files\HijackThis\HijackThis.exe. Right click on the HijackThis.exe file and select "Rename". Rename it removal.exe,

Then run HijackThis again and post a new log please.

Thanks dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: webbuying.exe + hijack this log

Unread postby pacino77 » February 18th, 2008, 4:34 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:32:28 PM, on 2/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\mrofinu572.exe
C:\Program Files\AVSystemCare\pgs.exe
C:\PROGRA~1\COMMON~1\AVSYST~1\ugcw.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\AVSystemCare\bm.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\paugey\APPLIC~1\DOBE~1\cmd.exe
C:\Documents and Settings\paugey\Application Data\F?nts\??anregw.exe
C:\Program Files\xInsIDE\xInsIDE.exe
C:\Program Files\RABCO\X_RABCOse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HijackThis\removal.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.wikipedia.org/wiki/Main_Page
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RabioBHO - {1C2E5D27-A17C-4D89-85DD-3553C189380D} - C:\Program Files\RABCO\RABCO.dll
O2 - BHO: {dd8a73ca-36dd-908a-0484-1a36065b4192} - {2914b560-63a1-4840-a809-dd63ac37a8dd} - C:\WINDOWS\system32\waoumbhj.dll
O2 - BHO: (no name) - {3113134D-CFB8-4F3F-803C-793E9B03E19D} - C:\WINDOWS\system32\gebcy.dll
O2 - BHO: (no name) - {3A455DF1-4CE1-44F4-AC65-EB21B9C33D95} - C:\Program Files\Messenger\dipurexo89104.dll
O2 - BHO: (no name) - {3D37BDE7-5673-7A8F-5311-5900C9BF88B1} - C:\WINDOWS\system32\bip.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: 0 - {A083E956-4ADA-4584-8B9D-4852A02A4F6B} - C:\Program Files\Internet Explorer\qukatojy636.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\xwhceluz.dll
O2 - BHO: MSEvents Object - {CE70731D-F28D-4D81-9D61-C8EE60378401} - C:\WINDOWS\system32\mljjk.dll (file missing)
O2 - BHO: (no name) - {D85530E8-D39D-49D0-9F36-300D594556D2} - C:\WINDOWS\system32\yayvttu.dll
O2 - BHO: IEFW Object - {FAAD2038-C371-473D-86F1-5B11D39C3775} - C:\Program Files\AVSystemCare\Tools\IEFWBHO.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [AVSystemCare] C:\Program Files\AVSystemCare\pgs.exe
O4 - HKLM\..\Run: [ugcw] "C:\PROGRA~1\COMMON~1\AVSYST~1\ugcw.exe" -start
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\AVSystemCare\bm.exe" dm=http://avsystemcare.com; ad=http://avsystemcare.com
O4 - HKLM\..\Run: [6c23b575] rundll32.exe "C:\WINDOWS\system32\wtdjcxxc.dll",b
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\paugey\APPLIC~1\DOBE~1\cmd.exe" -vt yazb
O4 - HKCU\..\Run: [Kgk] "C:\Documents and Settings\paugey\Application Data\F?nts\??anregw.exe"
O4 - HKCU\..\Run: [xInsIDE] C:\Program Files\xInsIDE\xInsIDE.exe
O4 - Startup: RABCO - Auto Update.lnk = C:\Program Files\RABCO\RABCOse.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.avsystemcare.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O20 - Winlogon Notify: mljjk - C:\WINDOWS\system32\mljjk.dll (file missing)
O20 - Winlogon Notify: xwhceluz - C:\WINDOWS\SYSTEM32\xwhceluz.dll
O20 - Winlogon Notify: yayvttu - C:\WINDOWS\SYSTEM32\yayvttu.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6449 bytes
pacino77
Active Member
 
Posts: 11
Joined: February 17th, 2008, 2:11 pm

Re: webbuying.exe + hijack this log

Unread postby pacino77 » February 18th, 2008, 4:35 pm

hey cool, i joined at 1:11 and you joined at 2:22. :D
pacino77
Active Member
 
Posts: 11
Joined: February 17th, 2008, 2:11 pm

Re: webbuying.exe + hijack this log

Unread postby dan12 » February 19th, 2008, 2:48 am

Hi,pacino77,

Firstly, I don't see any protection on this machine, something we need to address urgently when clean.
You have a few Infections going on in this log.

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofi ... e-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall


Please post the following:

ComboFix.txt
New highjackthis log

dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: webbuying.exe + hijack this log

Unread postby pacino77 » February 19th, 2008, 3:26 pm

combofix
ComboFix 08-02-20.1 - paugey 2008-02-19 13:37:33.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1599 [GMT -5:00]
Running from: C:\Documents and Settings\paugey\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\paugey\Application Data\WinTouch\WinTouch.exe
C:\WINDOWS\system32\gebcy.dll
C:\WINDOWS\system32\xwhceluz.dll
C:\WINDOWS\system32\yayvttu.dll
C:\Documents and Settings\All Users\Application Data\salesmonitor
C:\Documents and Settings\All Users\Desktop\AVSystemCare.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\AVSystemCare
C:\Documents and Settings\All Users\Start Menu\Programs\AVSystemCare\AVSystemCare.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\AVSystemCare\Contact Customer Support.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\AVSystemCare\Uninstall AVSystemCare.lnk
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon
C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
C:\Documents and Settings\paugey\Application Data\AVSystemCare
C:\Documents and Settings\paugey\Application Data\AVSystemCare\avtasks.dat
C:\Documents and Settings\paugey\Application Data\AVSystemCare\Logs\av.log
C:\Documents and Settings\paugey\Application Data\AVSystemCare\Logs\ga6Support.log
C:\Documents and Settings\paugey\Application Data\AVSystemCare\Logs\update.log
C:\Documents and Settings\paugey\Application Data\DOBE~1
C:\Documents and Settings\paugey\Application Data\DOBE~1\?dobe\
C:\Documents and Settings\paugey\Application Data\DOBE~1\cmd.exe
C:\Documents and Settings\paugey\Application Data\FNTS~1
C:\Documents and Settings\paugey\Application Data\FNTS~1\??anregw.exe
C:\Documents and Settings\paugey\Application Data\WinTouch\wintouch.cfg
C:\Documents and Settings\paugey\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\paugey\Application Data\WinTouch\WTUninstaller.exe
C:\Documents and Settings\paugey\ResErrors.log
C:\Documents and Settings\paugey\Start Menu\Programs\Outerinfo
C:\Documents and Settings\paugey\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\paugey\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\AVSystemCare
C:\Program Files\AVSystemCare\Activate.exe
C:\Program Files\AVSystemCare\Config\pgs.xml
C:\Program Files\AVSystemCare\Dat\Activate.dat
C:\Program Files\AVSystemCare\Dat\BkSites.dat
C:\Program Files\AVSystemCare\Dat\bnlink.dat
C:\Program Files\AVSystemCare\Dat\incmp.dat
C:\Program Files\AVSystemCare\Dat\index.dat
C:\Program Files\AVSystemCare\Dat\pv.dat
C:\Program Files\AVSystemCare\Engines\AWBase\database\enemies.dat
C:\Program Files\AVSystemCare\Engines\AWBase\vbpv.dat
C:\Program Files\AVSystemCare\Engines\PGBase\vbpv.dat
C:\Program Files\AVSystemCare\Engines\plugins\BORLNDMM.DLL
C:\Program Files\AVSystemCare\Engines\plugins\SCANADWR.DLL
C:\Program Files\AVSystemCare\Engines\plugins\SCANBCDR.DLL
C:\Program Files\AVSystemCare\Engines\plugins\SCANDLDR.DLL
C:\Program Files\AVSystemCare\Engines\plugins\SCANDOS1.DLL
C:\Program Files\AVSystemCare\Engines\plugins\SCANEMUL.DLL
C:\Program Files\AVSystemCare\Engines\plugins\SCANFUNC.DLL
C:\Program Files\AVSystemCare\Engines\plugins\SCANKRNL.DLL
C:\Program Files\AVSystemCare\Engines\plugins\SCANMCR1.DLL
C:\Program Files\AVSystemCare\Engines\plugins\SCANOTHR.DLL
C:\Program Files\AVSystemCare\Engines\plugins\SCANSCR.DLL
C:\Program Files\AVSystemCare\Engines\plugins\SCANTOOL.DLL
C:\Program Files\AVSystemCare\Engines\plugins\SCANTROJ.DLL
C:\Program Files\AVSystemCare\Engines\plugins\SCANWIN1.DLL
C:\Program Files\AVSystemCare\Engines\plugins\UNACPU.DLL
C:\Program Files\AVSystemCare\Engines\plugins\UNADBX.DLL
C:\Program Files\AVSystemCare\Engines\plugins\unamscan.dll
C:\Program Files\AVSystemCare\Engines\plugins\UNMIME.DLL
C:\Program Files\AVSystemCare\Engines\plugins\UNPACK.DLL
C:\Program Files\AVSystemCare\Engines\plugins\UNPACKS.DLL
C:\Program Files\AVSystemCare\Engines\plugins\UNPACKS2.DLL
C:\Program Files\AVSystemCare\Engines\plugins\UNPEPACK.DLL
C:\Program Files\AVSystemCare\Engines\plugins\UpDate\UA27601.DLL
C:\Program Files\AVSystemCare\Engines\plugins\UpDate\UA27602.DLL
C:\Program Files\AVSystemCare\Engines\plugins\UpDate\UA27603.DLL
C:\Program Files\AVSystemCare\Engines\plugins\UpDate\UA27604.DLL
C:\Program Files\AVSystemCare\Engines\plugins\UpDate\UADAILY.DLL
C:\Program Files\AVSystemCare\Engines\plugins\vbpv.dat
C:\Program Files\AVSystemCare\FMTR.sys
C:\Program Files\AVSystemCare\fopnl.dll
C:\Program Files\AVSystemCare\FWSettings.bin
C:\Program Files\AVSystemCare\GA6PAX.ocx
C:\Program Files\AVSystemCare\GA6PAX.xml
C:\Program Files\AVSystemCare\Graphics\cross.gif
C:\Program Files\AVSystemCare\Graphics\ga6p.gif
C:\Program Files\AVSystemCare\Graphics\kb.url
C:\Program Files\AVSystemCare\Graphics\main.ico
C:\Program Files\AVSystemCare\Graphics\mini.ico
C:\Program Files\AVSystemCare\Graphics\Online.url
C:\Program Files\AVSystemCare\Graphics\rm.url
C:\Program Files\AVSystemCare\Graphics\support.ico
C:\Program Files\AVSystemCare\Graphics\Support.url
C:\Program Files\AVSystemCare\Graphics\uninstall.ico
C:\Program Files\AVSystemCare\history.db
C:\Program Files\AVSystemCare\LA\lapv.dat
C:\Program Files\AVSystemCare\LA\License.rtf
C:\Program Files\AVSystemCare\pgs.exe
C:\Program Files\AVSystemCare\ResErrors.log
C:\Program Files\AVSystemCare\Restart.exe
C:\Program Files\AVSystemCare\rpt.dll
C:\Program Files\AVSystemCare\RTasks.exe
C:\Program Files\AVSystemCare\scnkrnl.dll
C:\Program Files\AVSystemCare\settings.ini
C:\Program Files\AVSystemCare\sqlite3.dll
C:\Program Files\AVSystemCare\sr.log
C:\Program Files\AVSystemCare\Tools\IEFWBHO.dll
C:\Program Files\AVSystemCare\Tools\pg.dll
C:\Program Files\AVSystemCare\unins000.dat
C:\Program Files\AVSystemCare\unins000.exe
C:\Program Files\AVSystemCare\Up\ASupdater.dat
C:\Program Files\AVSystemCare\Up\gup.exe
C:\Program Files\AVSystemCare\Up\PGupdater.dat
C:\Program Files\AVSystemCare\Up\UBupdater.dat
C:\Program Files\AVSystemCare\Up\up.dat
C:\Program Files\AVSystemCare\Up\updater.dat
C:\Program Files\Common Files\AVSystemCare
C:\Program Files\Common Files\AVSystemCare\bm.exe
C:\Program Files\Common Files\AVSystemCare\ugcw.exe
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\inetget2
C:\Program Files\Internet Explorer\qukatojy.dll
C:\Program Files\Internet Explorer\qukatojy19.dll
C:\Program Files\Internet Explorer\qukatojy544.dll
C:\Program Files\Internet Explorer\qukatojy636.dll
C:\Program Files\network monitor
C:\Program Files\network monitor\netmon.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\Router
C:\Program Files\Router\Router.exe
C:\Program Files\Router\UnInstall.exe
C:\Program Files\Temporary
C:\Program Files\Temporary\InsiDERIns.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\isgTi19
C:\Temp\isgTi19\lPig.log
C:\WINDOWS\b104.exe
C:\WINDOWS\b116.exe
C:\WINDOWS\b138.exe
C:\WINDOWS\b151.exe
C:\WINDOWS\b153.exe
C:\WINDOWS\cGF1Z2V5\
C:\WINDOWS\cGF1Z2V5\\asappsrv.dll
C:\WINDOWS\cGF1Z2V5\\command.exe
C:\WINDOWS\cGF1Z2V5\\w3IYtZpc.vbs
C:\WINDOWS\cGF1Z2V5\command.exe
C:\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M0611NetInstaller.exe
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\a1
C:\WINDOWS\system32\a1\tliamdll2.exe
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\bip.dll
C:\WINDOWS\system32\bsbioakt.ini
C:\WINDOWS\system32\cbxxxvv.dll
C:\WINDOWS\system32\cxxcjdtw.ini
C:\WINDOWS\system32\drivers\fmtr.sys
C:\WINDOWS\system32\edmkcsmt.dll
C:\WINDOWS\system32\gebcy.dll
C:\WINDOWS\system32\iifefgg.dll
C:\WINDOWS\system32\jkklj.dll
C:\WINDOWS\system32\k5
C:\WINDOWS\system32\k5\thgd2241dll.exe
C:\WINDOWS\system32\lcwmpwnm.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\nGpxx01\nGpxx011065.exe
C:\WINDOWS\system32\p9
C:\WINDOWS\system32\p9\liopud89104.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\ssqonlk.dll
C:\WINDOWS\system32\tkaoibsb.dll
C:\WINDOWS\system32\v6
C:\WINDOWS\system32\vturr.dll
C:\WINDOWS\system32\w11
C:\WINDOWS\system32\w11\hiba3133.exe
C:\WINDOWS\system32\waoumbhj.dll
C:\WINDOWS\system32\windows
C:\WINDOWS\system32\wtdjcxxc.dll
C:\WINDOWS\system32\xwhceluz.dll
C:\WINDOWS\system32\xwhceluz.dllbox
C:\WINDOWS\system32\yayvttu.dll
C:\WINDOWS\system32\ycbeg.ini
C:\WINDOWS\system32\ycbeg.ini2
C:\WINDOWS\tk58.exe
C:\WINDOWS\uninstall_nmon.vbs

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_FMTR
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\fmtr
-------\Network Monitor


((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))
.

2008-02-18 15:03 . 2008-02-18 15:03 <DIR> d-------- C:\Program Files\xInsIDE
2008-02-17 23:25 . 2008-02-17 23:25 <DIR> d--hs---- C:\UGA6P
2008-02-17 23:25 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-02-17 13:27 . 2008-02-17 13:27 36,864 --a------ C:\WINDOWS\17PHolmes572.exe
2008-02-17 12:35 . 2008-02-17 12:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-02-17 12:32 . 2008-02-17 12:34 <DIR> d-------- C:\Program Files\RABCO
2008-02-17 12:32 . 2008-02-17 12:36 36,864 --a------ C:\WINDOWS\mrofinu572.exe.tmp
2008-02-17 12:31 . 2008-02-20 13:45 <DIR> d-------- C:\Temp
2008-01-28 21:58 . 2008-01-28 21:58 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-28 21:58 . 2008-01-28 21:58 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-18 20:31 5,632 --sha-w C:\Program Files\Thumbs.db
2008-01-25 17:17 --------- d-----w C:\Program Files\Soulseek
2006-04-06 03:23 22,560 ----a-w C:\Documents and Settings\paugey\Application Data\GDIPFONTCACHEV1.DAT
2005-10-24 01:14 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2005-11-18 02:07 27,661 --sha-w C:\WINDOWS\system32\mllmj.dll
2005-11-18 02:07 27,661 --sha-w C:\WINDOWS\system32\pmnlm.dll
2005-11-03 01:54 28,173 --sha-w C:\WINDOWS\system32\vtstt.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C2E5D27-A17C-4D89-85DD-3553C189380D}]
2008-01-30 14:02 414992 --a------ C:\Program Files\RABCO\RABCO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3A455DF1-4CE1-44F4-AC65-EB21B9C33D95}]
2008-02-07 20:07 217088 --a------ C:\Program Files\Messenger\dipurexo89104.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2005-02-17 10:18 24576 C:\WINDOWS\MIDIDEF.EXE]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"Sen"="C:\DOCUME~1\paugey\APPLIC~1\DOBE~1\cmd.exe" [ ]
"Kgk"="C:\Documents and Settings\paugey\Application Data\F?nts\??anregw.exe" [ ]
"xInsIDE"="C:\Program Files\xInsIDE\xInsIDE.exe" [2008-02-18 15:03 53248]
"Router"="C:\Program Files\Router\Router.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-02-15 15:02 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-02-15 15:02 126976]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05 127035]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\Quickset.exe" [2005-03-04 11:26 606208]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-09-16 08:43 274432]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-09-23 14:58 155648]
"CTHelper"="CTHELPER.EXE" [2005-02-17 10:23 14848 C:\WINDOWS\CTHELPER.EXE]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 10:08 1347584]

C:\Documents and Settings\paugey\Start Menu\Programs\Startup\
RABCO - Auto Update.lnk - C:\Program Files\RABCO\RABCOse.exe [2008-02-17 12:31:59 183216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjk]
C:\WINDOWS\system32\mljjk.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=C:\WINDOWS\pss\Bluetooth Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2004-09-13 16:33 155648 C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
--a------ 2005-09-05 22:35 61440 c:\dell\bldbubg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2005-03-04 11:26 606208 C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2005-05-15 02:04 332800 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 16:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz]
C:\Program Files\Norton Internet Security\cfgwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 16:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 16:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-09-23 14:58 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2003-11-19 17:48 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

S3 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows []
S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;C:\WINDOWS\system32\DRIVERS\netusbxp.sys [2002-02-19 13:34]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 14:15:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\RABCO\X_RABCOse.exe
.
**************************************************************************
.
Completion time: 2008-02-20 14:17:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-20 19:17:48
.
2008-02-13 02:49:43 --- E O F ---


hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:22:10 PM, on 2/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\xInsIDE\xInsIDE.exe
C:\Program Files\RABCO\X_RABCOse.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\removal.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.wikipedia.org/wiki/Main_Page
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RabioBHO - {1C2E5D27-A17C-4D89-85DD-3553C189380D} - C:\Program Files\RABCO\RABCO.dll
O2 - BHO: (no name) - {3A455DF1-4CE1-44F4-AC65-EB21B9C33D95} - C:\Program Files\Messenger\dipurexo89104.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\paugey\APPLIC~1\DOBE~1\cmd.exe" -vt yazb
O4 - HKCU\..\Run: [Kgk] "C:\Documents and Settings\paugey\Application Data\F?nts\??anregw.exe"
O4 - HKCU\..\Run: [xInsIDE] C:\Program Files\xInsIDE\xInsIDE.exe
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - Startup: RABCO - Auto Update.lnk = C:\Program Files\RABCO\RABCOse.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.avsystemcare.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O20 - Winlogon Notify: mljjk - C:\WINDOWS\system32\mljjk.dll (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 4753 bytes
pacino77
Active Member
 
Posts: 11
Joined: February 17th, 2008, 2:11 pm

Re: webbuying.exe + hijack this log

Unread postby pacino77 » February 19th, 2008, 3:33 pm

also, and i suppose these are minor things, but the status bar in internet explorer keeps disappearing and the icon representing my c: drive has changed to a red x. like this:

X

thanks again for all your help dan.
pacino77
Active Member
 
Posts: 11
Joined: February 17th, 2008, 2:11 pm

Re: webbuying.exe + hijack this log

Unread postby dan12 » February 19th, 2008, 7:18 pm

Thanks for your returned logs, I will be going through them shortly as you can appreciate there is some content to get through.
Hope not to keep you too long.
dan :D
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: webbuying.exe + hijack this log

Unread postby dan12 » February 20th, 2008, 2:53 pm

pacino77,

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Code: Select all
    File::
C:\WINDOWS\system32\msxml3a.dll
C:\WINDOWS\17PHolmes572.exe
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\system32\mllmj.dll
C:\WINDOWS\system32\pmnlm.dll
C:\WINDOWS\system32\vtstt.dll
C:\WINDOWS\system32\mljjk.dll

    Folder::
C:\Program Files\RABCO
C:\Program Files\Router
C:\Program Files\xInsIDE
C:\UGA6P
C:\Documents and Settings\All Users\Application Data\Rabio
C:\Program Files\RABCO

    Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C2E5D27-A17C-4D89-85DD-3553C189380D}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3A455DF1-4CE1-44F4-AC65-EB21B9C33D95}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kgk"=-
"xInsIDE"=-
"Sen"=-
"Router"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjk]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]


    Driver::
MSControlService

DirLook::
C:\WINDOWS\17C:\Temp
C:\WINDOWS\17C:

    


Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


Please post ComboFix.txt
and a new highjackthis log
dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: webbuying.exe + hijack this log

Unread postby pacino77 » February 20th, 2008, 11:46 pm

combofix

ComboFix 08-02-20.1 - paugey 2008-02-21 22:19:42.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1690 [GMT -5:00]
Running from: C:\Documents and Settings\paugey\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\paugey\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\17PHolmes572.exe
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\system32\mljjk.dll
C:\WINDOWS\system32\mllmj.dll
C:\WINDOWS\system32\msxml3a.dll
C:\WINDOWS\system32\pmnlm.dll
C:\WINDOWS\system32\vtstt.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Rabio
C:\Program Files\Internet Explorer\qukatojy.dll
C:\Program Files\RABCO
C:\Program Files\RABCO\ExecutionDll.dll
C:\Program Files\RABCO\RABCO.dll
C:\Program Files\RABCO\RABCO.dll.intermediate.manifest
C:\Program Files\RABCO\RABCOse.exe
C:\Program Files\RABCO\RABCOse.info
C:\Program Files\RABCO\RABCOse.original
C:\Program Files\RABCO\Setup.log
C:\Program Files\RABCO\un_RABCOSetup_16230.exe
C:\Program Files\RABCO\un_RABCOSetup_16230.txt
C:\Program Files\RABCO\X_RABCOse.exe
C:\Program Files\RABCO\X_RABCOse.log
C:\Program Files\xInsIDE
C:\Program Files\xInsIDE\xInsIDE.exe
C:\UGA6P
C:\WINDOWS\17PHolmes572.exe
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\system32\mllmj.dll
C:\WINDOWS\system32\msxml3a.dll
C:\WINDOWS\system32\pmnlm.dll
C:\WINDOWS\system32\vtstt.dll
C:\WINDOWS\tk58.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_MSCONTROLSERVICE
-------\MSControlService


((((((((((((((((((((((((( Files Created from 2008-01-22 to 2008-02-22 )))))))))))))))))))))))))))))))
.

2008-02-17 12:31 . 2008-02-20 13:45 <DIR> d-------- C:\Temp
2008-01-28 21:58 . 2008-01-28 21:58 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-28 21:58 . 2008-01-28 21:58 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-20 19:21 5,632 --sha-w C:\Program Files\Thumbs.db
2008-01-25 17:17 --------- d-----w C:\Program Files\Soulseek
2006-04-06 03:23 22,560 ----a-w C:\Documents and Settings\paugey\Application Data\GDIPFONTCACHEV1.DAT
2005-10-24 01:14 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\17C: ----

C:\WINDOWS\17C:\

---- Directory of C:\WINDOWS\17C:\Temp ----

C:\WINDOWS\17C:\Temp\


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2005-02-17 10:18 24576 C:\WINDOWS\MIDIDEF.EXE]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-02-15 15:02 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-02-15 15:02 126976]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05 127035]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\Quickset.exe" [2005-03-04 11:26 606208]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-09-16 08:43 274432]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-09-23 14:58 155648]
"CTHelper"="CTHELPER.EXE" [2005-02-17 10:23 14848 C:\WINDOWS\CTHELPER.EXE]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 10:08 1347584]

C:\Documents and Settings\paugey\Start Menu\Programs\Startup\
RABCO - Auto Update.lnk - C:\QooBox\Quarantine\C\Program Files\RABCO\RABCOse.exe.vir [2008-02-17 12:31:59 183216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=C:\WINDOWS\pss\Bluetooth Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2004-09-13 16:33 155648 C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
--a------ 2005-09-05 22:35 61440 c:\dell\bldbubg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2005-03-04 11:26 606208 C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2005-05-15 02:04 332800 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 16:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 16:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 16:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-09-23 14:58 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2003-11-19 17:48 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;C:\WINDOWS\system32\DRIVERS\netusbxp.sys [2002-02-19 13:34]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-21 22:23:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-02-21 22:25:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-22 03:25:13
ComboFix2.txt 2008-02-20 19:17:52
.
2008-02-13 02:49:43 --- E O F ---


hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:45:10 PM, on 2/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\removal.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.wikipedia.org/wiki/Main_Page
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: RABCO - Auto Update.lnk = C:\QooBox\Quarantine\C\Program Files\RABCO\RABCOse.exe.vir
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.avsystemcare.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 4045 bytes
pacino77
Active Member
 
Posts: 11
Joined: February 17th, 2008, 2:11 pm
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 45 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware