Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Could somebody look at this log for me?

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Could somebody look at this log for me?

Unread postby Negalith » March 22nd, 2008, 12:27 pm

Micro HijackThis v2.0.2
Scan saved at 2:19:47 AM, on 3/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\NeverwinterNights\NWN\nwserver.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\America Online 9.0\shellmon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0AFC05A7-B354-4474-98D1-207C75C733F0} - c:\windows\system32\comreso.dll
O2 - BHO: (no name) - {48AD580E-97B6-4FB8-9B38-AABE6D719EBD} - C:\WINDOWS\system32\adsldpn.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 9776794140
O20 - Winlogon Notify: gfnqirrt - C:\WINDOWS\SYSTEM32\comreso.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 5287 bytes
Negalith
Regular Member
 
Posts: 22
Joined: March 22nd, 2008, 12:25 pm
Advertisement
Register to Remove

Re: Could somebody look at this log for me?

Unread postby dan12 » March 22nd, 2008, 12:46 pm

Hi,Negalith, and welcome to malwareremoval forums

I'm dan12, I'll be glad to help you with your computer problems.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • REMEMBER, ABSENCE OF SYMPTOMS DOES NOT MEAN THE INFECTION IS ALL GONE.
If you can do these things, everything should go smoothly.
  • Please note you'll need to have Administrator priviledges to perform the fixes. (XP accounts are Administrator by default)
  • Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.
It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

I'm presently looking over your log and hope not to be too long.
Will be back with you as soon as I can.
Thanks dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Could somebody look at this log for me?

Unread postby dan12 » March 22nd, 2008, 12:49 pm

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofi ... e-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall


Dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Could somebody look at this log for me?

Unread postby Negalith » March 22nd, 2008, 1:43 pm

Thank you very much.....




ComboFix 08-03-22.1 - Jeff 2008-03-22 3:34:53.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1661 [GMT -6:00]
Running from: C:\Documents and Settings\Jeff\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\adsldpn.dll
C:\WINDOWS\system32\appcert
C:\WINDOWS\system32\comreso.dll
C:\WINDOWS\system32\drivers\anpjylxv.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VDYIPCQD
-------\Legacy_ZDNBFANT
-------\Service_vdyipcqd
-------\Service_zdnbfant


((((((((((((((((((((((((( Files Created from 2008-02-22 to 2008-03-22 )))))))))))))))))))))))))))))))
.

2008-03-22 02:16 . 2008-03-22 02:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-17 10:58 . 2008-01-08 21:24 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-03-17 09:24 . 2008-03-17 09:24 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-03-17 09:21 . 2008-02-22 01:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-14 15:23 . 2008-03-14 15:23 1,188,375 --a------ C:\WINDOWS\system32\libeay32.dll
2008-03-14 15:23 . 2008-03-14 15:23 741,632 --a------ C:\WINDOWS\system32\vctclwqu.dat
2008-03-14 15:23 . 2008-03-14 15:23 246,545 --a------ C:\WINDOWS\system32\libssl32.dll
2008-03-14 15:23 . 2008-03-14 15:23 42,752 --a------ C:\WINDOWS\system32\pudimfdq.dat
2008-03-14 15:23 . 2008-03-14 15:23 36,608 --a------ C:\WINDOWS\system32\nzeqmvbk.dat
2008-03-14 15:23 . 2008-03-14 15:23 35,072 --a------ C:\WINDOWS\system32\lptjkhtg.dat
2008-03-13 22:15 . 2008-03-13 22:15 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-03-13 22:13 . 2008-03-21 09:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-03-13 21:55 . 2008-03-13 21:54 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-13 21:55 . 2008-03-13 21:55 2,543 --a------ C:\WINDOWS\unins000.dat
2008-03-13 15:20 . 2008-03-13 15:20 120,576 --a------ C:\WINDOWS\system32\yiqwboxg.dat
2008-03-11 23:08 . 2008-03-11 23:18 <DIR> d-------- C:\temp
2008-02-22 22:53 . 2008-02-22 22:53 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-02-22 22:53 . 2008-03-21 04:41 13,652 --a------ C:\logfile
2008-02-22 22:52 . 2008-02-22 22:52 <DIR> d-------- C:\Program Files\Common Files\Kodak
2008-02-22 22:52 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-02-22 22:52 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-02-22 22:51 . 2008-02-22 22:53 <DIR> d-------- C:\Program Files\Kodak
2008-02-22 22:50 . 2008-02-22 22:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kodak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-17 15:21 --------- d-----w C:\Program Files\Java
2008-03-14 03:58 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-14 03:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-11 19:24 --------- d-----w C:\Documents and Settings\Jeff\Application Data\AdobeUM
2008-02-04 23:36 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-03 17:26 --------- d-----w C:\Program Files\Steam
2008-01-27 00:55 --------- d-----w C:\Program Files\Warcraft II BNE
2008-01-27 00:20 98,304 ----a-w C:\WINDOWS\W2BNEUnin.exe
2008-01-26 00:38 10,920 ----a-w C:\aolconnfix.exe
2008-01-20 17:57 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOL Fast Start"="C:\Program Files\America Online 9.0\AOL.exe" [2005-07-11 23:17 50776]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-09 13:06 7311360]
"nwiz"="nwiz.exe" [2005-12-09 13:06 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-12-09 13:06 86016]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-27 10:47 16208384 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe]
"amd_dc_opt"="C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 11:06 77824]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 03:25 144784]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
--a------ 2005-07-11 23:17 50776 C:\Program Files\America Online 9.0\AOL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
--a------ 2004-10-18 17:42 79448 C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
-ra------ 2004-10-20 07:40 34904 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2004-11-03 15:03 125528 C:\Program Files\Common Files\AOL\1200056510\EE\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ka4]
C:\WINDOWS\system32\ka4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 1200 Series]
--a------ 2006-07-12 23:22 57344 C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
--a------ 2001-08-23 15:52 331830 C:\Program Files\Microsoft Works\WksSb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a------ 2001-08-16 22:41 28738 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-11 07:02 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2008-01-11 07:02 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 10:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-01-11 07:07 1266936 C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
--a------ 2001-10-05 18:34 24576 C:\Program Files\Microsoft Works\wkfud.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\NeverwinterNights\\NWN\\nwmain.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"C:\\Program Files\\Common Files\\AOL\\1200056510\\EE\\AOLServiceHost.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 17:01]
S3 gsplittm;gsplittm;C:\DOCUME~1\Jeff\LOCALS~1\Temp\gsplittm.sys []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-22 03:38:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2008-03-22 3:39:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-22 09:39:39








Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:40:56 AM, on 3/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 9776794140
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 4668 bytes
Negalith
Regular Member
 
Posts: 22
Joined: March 22nd, 2008, 12:25 pm

Re: Could somebody look at this log for me?

Unread postby dan12 » March 22nd, 2008, 10:19 pm

Submit a File For Analysis
We need to have the files below Scanned by Uploading them/it to Jotti

Please visit Jotti
Copy/paste the the following file path into the window
C:\WINDOWS\system32\ka4.exe
Click Submit/Send File
Please post back, to let me know the results.

Please do the same for the following files
C:\WINDOWS\system32\vctclwqu.dat
C:\WINDOWS\system32\pudimfdq.dat
C:\WINDOWS\system32\nzeqmvbk.dat
C:\WINDOWS\system32\lptjkhtg.dat
C:\WINDOWS\system32\yiqwboxg.dat


If Jotti is too busy please try Virustotal
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Could somebody look at this log for me?

Unread postby Negalith » March 23rd, 2008, 1:07 pm

C:\WINDOWS\system32\ka4.exe
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

I dont believe I have a fire wall in place. I do however have a router--- I don't believe it would prohibit the download.


C:\WINDOWS\system32\vctclwqu.dat
"Found nothing" accross the board

C:\WINDOWS\system32\pudimfdq.dat
"Found nothing" accross the board

C:\WINDOWS\system32\nzeqmvbk.dat
"Found nothing" accross the board

C:\WINDOWS\system32\lptjkhtg.dat
"Found nothing" accross the board

C:\WINDOWS\system32\yiqwboxg.dat
"Found nothing" accross the board
Negalith
Regular Member
 
Posts: 22
Joined: March 22nd, 2008, 12:25 pm

Re: Could somebody look at this log for me?

Unread postby dan12 » March 23rd, 2008, 1:54 pm

Take your time anything your not sure on ask :)

Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present)

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u


------------------------

When you run cf this time it will drop two files on the desktop:[4]-Submit_Date_Time.zip & CF-Submit.htm
When CF finish running, it pops out with the CF log. If CF-Submit.htm is detected it will pop out a message box,click ok.
You will be presented with a box to submit a file.
You only needs to copy/paste the filepath into the box & click OK.


WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit


1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Code: Select all
http://malwareremoval.com/forum/viewtopic.php?p=278236#p278236


Suspect::[4] 
C:\WINDOWS\system32\vctclwqu.dat
C:\WINDOWS\system32\pudimfdq.dat
C:\WINDOWS\system32\nzeqmvbk.dat
C:\WINDOWS\system32\lptjkhtg.dat
C:\WINDOWS\system32\yiqwboxg.dat
C:\WINDOWS\system32\ka4.exe 

    File::
C:\DOCUME~1\Jeff\LOCALS~1\Temp\gsplittm.sys 


    Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"=-

     Driver::
gsplittm

    


Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



----------------------------------


Please download ATF Cleaner here by Atribune. This program is for XP and Windows 2000 only.
It does not require any installation and uses minimal system resources. It is set up to clean IE, FireFox and Opera, and detects the browsers you have and grays out the other(s).

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Recommend UNCHECKING COOKIES if you rely on system remembered passwords.
  • Click the Empty Selected button.

    If you use Firefox browser
  • Click Firefox at the top and choose: Select All EXCEPT FIREFOX SAVED PASSWORDS
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser
  • Click Opera at the top and choose: Select All EXCEPT COOKIES AND SAVED PASSWORDS
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your cookies and saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.



: Malwarebytes' Anti-Malware :

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\\Documents and Settings\\Username\\Application Data\\Malwarebytes\\Malwarebytes' Anti-Malware\\Logs\\mbam-log-date (time).txt


Please include in your next post:
  • Combofix log txt
  • Malwarebytes log
  • New highjackthis log

Thanks dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Could somebody look at this log for me?

Unread postby Negalith » March 25th, 2008, 1:02 am

You lost me a little bit here....

I ran Hijack This
I found the two items you mentioned.
I checked them.

Then what?
Do I run Combofix with the Hijack This window still open and the two items checked?
I tried that and no files were posted to the desktop. (which is where both Hijack This and Comofix are located)

The transition from HT to CF is confusing me a bit.
Thanks again
Negalith
Regular Member
 
Posts: 22
Joined: March 22nd, 2008, 12:25 pm

Re: Could somebody look at this log for me?

Unread postby dan12 » March 25th, 2008, 2:07 am

Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present)

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit

Your done with HJT at this point, exit the program.
--------------------

Now continue on with Instruction....

If you still don't get the two files on the desktop let me know!
dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Could somebody look at this log for me?

Unread postby Negalith » March 26th, 2008, 12:00 pm

combofix did not put any files on teh desk top....

It did however produce this log in Notepad.

****************
This is a log produced by Combofix BEFORE I used the script you provided
*****************

ComboFix 08-03-22.1 - Jeff 2008-03-26 10:56:47.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1628 [GMT -5:00]
Running from: C:\Documents and Settings\Jeff\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-26 to 2008-03-26 )))))))))))))))))))))))))))))))
.

2008-03-22 18:05 . 2008-03-26 10:49 <DIR> d-------- C:\gmax
2008-03-22 03:16 . 2008-03-22 03:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-17 11:58 . 2008-01-08 22:24 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-03-17 10:24 . 2008-03-17 10:24 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-03-17 10:21 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-14 16:23 . 2008-03-14 16:23 1,188,375 --a------ C:\WINDOWS\system32\libeay32.dll
2008-03-14 16:23 . 2008-03-14 16:23 741,632 --a------ C:\WINDOWS\system32\vctclwqu.dat
2008-03-14 16:23 . 2008-03-14 16:23 246,545 --a------ C:\WINDOWS\system32\libssl32.dll
2008-03-14 16:23 . 2008-03-14 16:23 42,752 --a------ C:\WINDOWS\system32\pudimfdq.dat
2008-03-14 16:23 . 2008-03-14 16:23 36,608 --a------ C:\WINDOWS\system32\nzeqmvbk.dat
2008-03-14 16:23 . 2008-03-14 16:23 35,072 --a------ C:\WINDOWS\system32\lptjkhtg.dat
2008-03-13 23:15 . 2008-03-13 23:15 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-03-13 23:13 . 2008-03-21 10:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-03-13 22:55 . 2008-03-13 22:54 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-13 22:55 . 2008-03-13 22:55 2,543 --a------ C:\WINDOWS\unins000.dat
2008-03-13 16:20 . 2008-03-13 16:20 120,576 --a------ C:\WINDOWS\system32\yiqwboxg.dat
2008-03-12 00:08 . 2008-03-12 00:18 <DIR> d-------- C:\temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-17 15:21 --------- d-----w C:\Program Files\Java
2008-03-14 03:58 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-14 03:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-23 04:53 --------- d-----w C:\Program Files\Kodak
2008-02-23 04:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2008-02-23 04:52 --------- d-----w C:\Program Files\Common Files\Kodak
2008-02-11 19:24 --------- d-----w C:\Documents and Settings\Jeff\Application Data\AdobeUM
2008-02-04 23:36 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-03 17:26 --------- d-----w C:\Program Files\Steam
2008-01-27 00:55 --------- d-----w C:\Program Files\Warcraft II BNE
2008-01-27 00:20 98,304 ----a-w C:\WINDOWS\W2BNEUnin.exe
2008-01-26 00:38 10,920 ----a-w C:\aolconnfix.exe
2008-01-20 17:57 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
.

((((((((((((((((((((((((((((( snapshot@2008-03-22_ 3.39.33.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2000-08-31 14:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
+ 2000-08-31 13:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
- 2008-03-10 20:56:39 40,196 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-25 05:07:47 40,196 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-10 20:56:39 311,934 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-25 05:07:47 311,934 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2000-08-31 14:00:00 161,792 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2000-08-31 13:00:00 161,792 ----a-w C:\WINDOWS\system32\swreg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOL Fast Start"="C:\Program Files\America Online 9.0\AOL.exe" [2005-07-12 00:17 50776]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-09 14:06 7311360]
"nwiz"="nwiz.exe" [2005-12-09 14:06 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-12-09 14:06 86016]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-27 11:47 16208384 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 19:04 2879488 C:\WINDOWS\SkyTel.exe]
"amd_dc_opt"="C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 12:06 77824]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
--a------ 2005-07-12 00:17 50776 C:\Program Files\America Online 9.0\AOL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
--a------ 2004-10-18 18:42 79448 C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
-ra------ 2004-10-20 08:40 34904 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2004-11-03 16:03 125528 C:\Program Files\Common Files\AOL\1200056510\EE\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ka4]
C:\WINDOWS\system32\ka4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 1200 Series]
--a------ 2006-07-13 00:22 57344 C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
--a------ 2001-08-23 16:52 331830 C:\Program Files\Microsoft Works\WksSb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a------ 2001-08-16 23:41 28738 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-11 08:02 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2008-01-11 08:02 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-01-11 08:07 1266936 C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
--a------ 2001-10-05 19:34 24576 C:\Program Files\Microsoft Works\wkfud.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\NeverwinterNights\\NWN\\nwmain.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"C:\\Program Files\\Common Files\\AOL\\1200056510\\EE\\AOLServiceHost.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 18:01]
S3 gsplittm;gsplittm;C:\DOCUME~1\Jeff\LOCALS~1\Temp\gsplittm.sys []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-26 10:57:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-26 10:57:55
ComboFix-quarantined-files.txt 2008-03-26 15:57:54
ComboFix2.txt 2008-03-25 04:56:32
ComboFix3.txt 2008-03-22 09:39:43








***************************
After using the custom script you privided, it produced this log
****************************
It also poped up a IE window and asked that I upload the below file to Bleeping Computer for annalysis. I did. Its a new zip file that was made on my desk top.
C:\Documents and Settings\Jeff\Desktop.\[4]-Submit_2008-03-26@11.02.zip





ComboFix 08-03-22.1 - Jeff 2008-03-26 11:02:58.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1613 [GMT -5:00]
Running from: C:\Documents and Settings\Jeff\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jeff\Desktop\CFScript..txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\DOCUME~1\Jeff\LOCALS~1\Temp\gsplittm.sys
.

((((((((((((((((((((((((( Files Created from 2008-02-26 to 2008-03-26 )))))))))))))))))))))))))))))))
.

2008-03-22 18:05 . 2008-03-26 10:49 <DIR> d-------- C:\gmax
2008-03-22 03:16 . 2008-03-22 03:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-17 11:58 . 2008-01-08 22:24 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-03-17 10:24 . 2008-03-17 10:24 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-03-17 10:21 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-14 16:23 . 2008-03-14 16:23 1,188,375 --a------ C:\WINDOWS\system32\libeay32.dll
2008-03-14 16:23 . 2008-03-14 16:23 741,632 --a------ C:\WINDOWS\system32\vctclwqu.dat
2008-03-14 16:23 . 2008-03-14 16:23 246,545 --a------ C:\WINDOWS\system32\libssl32.dll
2008-03-14 16:23 . 2008-03-14 16:23 42,752 --a------ C:\WINDOWS\system32\pudimfdq.dat
2008-03-14 16:23 . 2008-03-14 16:23 36,608 --a------ C:\WINDOWS\system32\nzeqmvbk.dat
2008-03-14 16:23 . 2008-03-14 16:23 35,072 --a------ C:\WINDOWS\system32\lptjkhtg.dat
2008-03-13 23:15 . 2008-03-13 23:15 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-03-13 23:13 . 2008-03-21 10:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-03-13 22:55 . 2008-03-13 22:54 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-13 22:55 . 2008-03-13 22:55 2,543 --a------ C:\WINDOWS\unins000.dat
2008-03-13 16:20 . 2008-03-13 16:20 120,576 --a------ C:\WINDOWS\system32\yiqwboxg.dat
2008-03-12 00:08 . 2008-03-12 00:18 <DIR> d-------- C:\temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-17 15:21 --------- d-----w C:\Program Files\Java
2008-03-14 03:58 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-14 03:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-23 04:53 --------- d-----w C:\Program Files\Kodak
2008-02-23 04:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2008-02-23 04:52 --------- d-----w C:\Program Files\Common Files\Kodak
2008-02-11 19:24 --------- d-----w C:\Documents and Settings\Jeff\Application Data\AdobeUM
2008-02-04 23:36 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-03 17:26 --------- d-----w C:\Program Files\Steam
2008-01-27 00:55 --------- d-----w C:\Program Files\Warcraft II BNE
2008-01-27 00:20 98,304 ----a-w C:\WINDOWS\W2BNEUnin.exe
2008-01-26 00:38 10,920 ----a-w C:\aolconnfix.exe
2008-01-20 17:57 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
.

((((((((((((((((((((((((((((( snapshot@2008-03-22_ 3.39.33.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2000-08-31 14:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2000-08-31 13:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
- 2000-08-31 14:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2000-08-31 13:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2000-08-31 14:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
+ 2000-08-31 13:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
- 2008-03-10 20:56:39 40,196 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-25 05:07:47 40,196 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-10 20:56:39 311,934 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-25 05:07:47 311,934 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2000-08-31 14:00:00 161,792 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2000-08-31 13:00:00 161,792 ----a-w C:\WINDOWS\system32\swreg.exe
- 2008-03-22 09:38:20 40,960 ----a-w C:\WINDOWS\TEMP\rtdrvmon.exe
+ 2008-03-26 16:05:02 40,960 ----a-w C:\WINDOWS\TEMP\rtdrvmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOL Fast Start"="C:\Program Files\America Online 9.0\AOL.exe" [2005-07-12 00:17 50776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-09 14:06 7311360]
"nwiz"="nwiz.exe" [2005-12-09 14:06 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-12-09 14:06 86016]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-27 11:47 16208384 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 19:04 2879488 C:\WINDOWS\SkyTel.exe]
"amd_dc_opt"="C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 12:06 77824]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
--a------ 2005-07-12 00:17 50776 C:\Program Files\America Online 9.0\AOL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
--a------ 2004-10-18 18:42 79448 C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
-ra------ 2004-10-20 08:40 34904 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2004-11-03 16:03 125528 C:\Program Files\Common Files\AOL\1200056510\EE\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ka4]
C:\WINDOWS\system32\ka4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 1200 Series]
--a------ 2006-07-13 00:22 57344 C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
--a------ 2001-08-23 16:52 331830 C:\Program Files\Microsoft Works\WksSb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a------ 2001-08-16 23:41 28738 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-11 08:02 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2008-01-11 08:02 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-01-11 08:07 1266936 C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
--a------ 2001-10-05 19:34 24576 C:\Program Files\Microsoft Works\wkfud.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\NeverwinterNights\\NWN\\nwmain.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"C:\\Program Files\\Common Files\\AOL\\1200056510\\EE\\AOLServiceHost.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 18:01]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-26 11:04:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\America Online 9.0\shellmon.exe
.
**************************************************************************
.
Completion time: 2008-03-26 11:06:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-26 16:06:25
ComboFix2.txt 2008-03-26 15:57:56
ComboFix3.txt 2008-03-25 04:56:32
ComboFix4.txt 2008-03-22 09:39:43





Malwarebytes' Anti-Malware 1.09
Database version: 548

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 156078
Time elapsed: 23 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Last edited by Negalith on March 26th, 2008, 12:40 pm, edited 1 time in total.
Negalith
Regular Member
 
Posts: 22
Joined: March 22nd, 2008, 12:25 pm

Re: Could somebody look at this log for me?

Unread postby dan12 » March 26th, 2008, 12:34 pm

You have the other two logs I asked for..
* Malwarebytes log
* New highjackthis log

Thanks dan.
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Could somebody look at this log for me?

Unread postby Negalith » March 26th, 2008, 12:44 pm

:) was right in teh process of adding those as you were responding...


The Malwarebytes log is posted above... I added it as you were entering your most recent post...

Below is the most recent Hijack This log


Thanks again




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:41:40 AM, on 3/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\America Online 9.0\waol.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 9776794140
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 4314 bytes
Negalith
Regular Member
 
Posts: 22
Joined: March 22nd, 2008, 12:25 pm

Re: Could somebody look at this log for me?

Unread postby dan12 » March 26th, 2008, 1:07 pm

Ok, lets get you protected as you have no antivirus or firewall.
Just choose one same goes for the fire wall.

let me know how things are at this moment in time.


You aren't running Anti Virus Software

Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network.
Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these excellent vendors NOW:

1) Antivir PersonalEditionClassic
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition
-Anti-virus program for Windows.
-The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition
-Free edition of the AVG anti-virus program for Windows.

There is no sign of a Third Party Firewall installed on your system.
As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

There are several possible reasons for the Firewall not showing.
  1. You are using Windows Firewall. This is not recommended as it will only stop incoming material. It permits all outgoing traffic.
  2. You are using a hardware firewall. It should be complemented with a Third Party Software Firewall
  3. You have a firewall, but you disabled it. Please re-enable it.
  4. You don't have a firewall at all.

If you don't have a third party firewall, please get ONE firewall and install it. Restart the computer for changes to take effect.

Online Armor
Comodo Personal Firewall

Please post back a new HijackThis log after installing the firewall.

please post a further HJT log.
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Could somebody look at this log for me?

Unread postby dan12 » March 31st, 2008, 6:21 am

How we doing ?
We still have a little to do!
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Could somebody look at this log for me?

Unread postby Simon V. » April 5th, 2008, 4:12 am

Due to lack of response this topic is now closed.

If you still need help open a new thread in the Malware Removal forum and wait for a new helper.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read Donations For Malware Removal
User avatar
Simon V.
MRU Emeritus
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium
Advertisement
Register to Remove


Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 49 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware