Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

hijackthis log help

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: hijackthis log help

Unread postby KGRUMPY » April 8th, 2008, 8:05 am

Here are 2 of my logs I can not get Combo fix to run. I have done the Norton thing and I have installed a new Antivirus.

Malwarebytes' Anti-Malware 1.11
Database version: 599

Scan type: Quick Scan
Objects scanned: 32366
Time elapsed: 8 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 30

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PopCapLoader.PopCapLoaderCtrl2 (Adware.PopCap) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PopCapLoader.PopCapLoaderCtrl2.1 (Adware.PopCap) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\xflock (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\PostInstallC (Malware.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\180search assistant (Adware.180Solutions) -> No action taken.
C:\Program Files\stc (Fake.Dropped.Malware) -> No action taken.
C:\Program Files\Sysmnt (Fake.Dropped.Malware) -> No action taken.

Files Infected:
C:\Program Files\180search assistant\180sa.exe (Adware.180Solutions) -> No action taken.
C:\Program Files\180search assistant\sau.exe (Adware.180Solutions) -> No action taken.
C:\Program Files\stc\csv5p070.exe (Fake.Dropped.Malware) -> No action taken.
C:\Program Files\Sysmnt\Ssmgr.exe (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\avifile32.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\avisynthex32.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\aviwrap32.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\browserad.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\changeurl_30.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\msa64chk.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\msapasrc.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\123messenger.per (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\ntnut.exe (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\shdocpe.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\shdocpl.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\winsb.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\system32\MSNSA32.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\system32\shdocpe.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\system32\SIPSPI32.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\apphelp32.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\asferror32.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\asycfilt32.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\athprxy32.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\ati2dvaa32.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\ati2dvag32.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\audiosrv32.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\autodisc32.dll (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\licencia.txt (Malware.Trace) -> No action taken.
C:\WINDOWS\telefonos.txt (Malware.Trace) -> No action taken.
C:\WINDOWS\textos.txt (Malware.Trace) -> No action taken.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:05, on 2008-04-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\internet explorer\iexplore.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\WZSE0.TMP\SymNRT.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2033F38F-240C-49D3-BB5A-52D77924A80E} - C:\WINDOWS\system32\awtsRkjH.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WorkFlow] F:\Install\WorkFlow.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VirusScannerPro] C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Startup: IMVU.lnk = C:\Program Files\IMVU\IMVUClient.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4546796421
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Fix-It Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: WUSB54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 10471 bytes
KGRUMPY
Regular Member
 
Posts: 41
Joined: April 2nd, 2008, 7:39 pm
Advertisement
Register to Remove

Re: hijackthis log help

Unread postby KGRUMPY » April 8th, 2008, 8:06 am

Here is another log.

Malwarebytes' Anti-Malware 1.11
Database version: 599

Scan type: Quick Scan
Objects scanned: 32366
Time elapsed: 8 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 30

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PopCapLoader.PopCapLoaderCtrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PopCapLoader.PopCapLoaderCtrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\xflock (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\PostInstallC (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\180search assistant (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\stc (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\Sysmnt (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\180search assistant\180sa.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\180search assistant\sau.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\stc\csv5p070.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\Sysmnt\Ssmgr.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\avifile32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\avisynthex32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\aviwrap32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\browserad.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\changeurl_30.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msa64chk.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msapasrc.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\123messenger.per (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ntnut.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\shdocpe.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\shdocpl.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\winsb.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MSNSA32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\shdocpe.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SIPSPI32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\apphelp32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\asferror32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\asycfilt32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\athprxy32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ati2dvaa32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ati2dvag32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\audiosrv32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\autodisc32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\licencia.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\telefonos.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\textos.txt (Malware.Trace) -> Quarantined and deleted successfully.
KGRUMPY
Regular Member
 
Posts: 41
Joined: April 2nd, 2008, 7:39 pm

Re: hijackthis log help

Unread postby chryssi2001 » April 8th, 2008, 1:08 pm

Hello KGRUMPY,

Please download ATF cleaner
Make sure that all browser windows are closed.
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
----------------------------------------------
USING TASK MANAGER

Stop the following processes using Task Manager (press ctrl+alt+del, select the Processes tab, highlight the first process in the list and click End Process). Continue through the list (one at a time) until all processes have been ended. If something isn't found, please continue with the next process in the list.

PifSvc.exe

----------------------------------------------
Using Windows Explore by right-clicking the Start button and left clicking Explore navigate to and find the following Folders and files: if found, delete the following (some may not be present after previous steps):

C:\Program Files\Common Files\Symantec Shared
C:\Program Files\Norton Internet Security
----------------------------------------------
Delete bad services
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat
Please save it on your desktop.

@echo off
sc stop "LiveUpdate Notice Service"
sc stop "Symantec RemoteAssist"
sc delete "LiveUpdate Notice Service"
sc delete "Symantec RemoteAssist"
exit


Double click FixServices.bat. A window will open and close. This is normal.
----------------------------------------------
FIX HIJACKTHIS ENTRIES

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines(if still present).

O2 - BHO: (no name) - {2033F38F-240C-49D3-BB5A-52D77924A80E} - C:\WINDOWS\system32\awtsRkjH.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe


Then close all windows except Hijackthis and click Fix Checked
Close HijackThis.
----------------------------------------------
Post back:
A new HijackThis log.
You wanted to ask something. Please do so.
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: hijackthis log help

Unread postby KGRUMPY » April 8th, 2008, 4:26 pm

I am not finding in Task Manager a process called PifSvc.exe
Here is my new HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:48, on 2008-04-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WorkFlow] F:\Install\WorkFlow.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VirusScannerPro] C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\IEXPLORE.EXE http://www.symantec.com/techsupp/servle ... 0D2.DMTemp
O4 - Startup: IMVU.lnk = C:\Program Files\IMVU\IMVUClient.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4546796421
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Fix-It Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WUSB54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 10039 bytes
I first want to THANK YOU for taking your time to help me. As you can tell I am unsure of alot of thing when it comes to my computer, :? My question is my sons laptop is also acting up,but I don't think it is malware or a virus can I post a HJT log for it or will that help.
KGRUMPY
Regular Member
 
Posts: 41
Joined: April 2nd, 2008, 7:39 pm

Re: hijackthis log help

Unread postby KGRUMPY » April 8th, 2008, 6:40 pm

I ran a virus scan with one of the programs you suggested. Here is the log from that.



AntiVir PersonalEdition Classic
Report file date: 2008-04-08 16:02

Scanning for 1185187 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name: YOUR-FSYLY0JTWN

Version information:
BUILD.DAT : 270 15603 Bytes 2007-09-19 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 2007-08-23 19:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 2007-08-16 18:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 2007-08-14 21:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 2007-08-21 18:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 2007-07-18 20:27:15
ANTIVIR1.VDF : 7.0.3.2 5447168 Bytes 2008-03-07 22:01:24
ANTIVIR2.VDF : 7.0.3.127 649216 Bytes 2008-04-07 22:01:24
ANTIVIR3.VDF : 7.0.3.130 10240 Bytes 2008-04-07 22:01:24
AVEWIN32.DLL : 7.6.0.81 3424768 Bytes 2008-04-07 22:01:25
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2007-02-26 16:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 2007-07-18 13:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 2007-04-16 19:16:24
AVPACK32.DLL : 7.6.0.3 360488 Bytes 2008-04-07 22:01:25
AVREG.DLL : 7.0.1.6 30760 Bytes 2007-07-18 13:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 2007-08-28 18:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 2007-07-18 13:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 2007-03-08 17:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 2007-08-07 18:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 2007-08-21 18:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 2007-07-23 15:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: D:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: 2008-04-08 16:02

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'update.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'HPZipm12.exe' - '1' Module(s) have been scanned
Scan process 'mxtask.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'hpqgalry.exe' - '1' Module(s) have been scanned
Scan process 'SpamSub.exe' - '1' Module(s) have been scanned
Scan process 'WUSB54Gv4.exe' - '1' Module(s) have been scanned
Scan process 'WLService.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'KodakCCS.exe' - '1' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
Scan process 'mxtask.exe' - '1' Module(s) have been scanned
Scan process 'dad9.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'Remind32.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'hpwuSchd2.exe' - '1' Module(s) have been scanned
Scan process 'hpcmpmgr.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'shwicon2k.exe' - '1' Module(s) have been scanned
Scan process 'ltmsg.exe' - '1' Module(s) have been scanned
Scan process 'kbd.exe' - '1' Module(s) have been scanned
Scan process 'hphmon05.exe' - '1' Module(s) have been scanned
Scan process 'HpqCmon.exe' - '1' Module(s) have been scanned
Scan process 'hpsysdrv.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
51 processes with 51 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'D:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '48' files ).


Starting the file scan:

Begin scan in 'C:\' <HP_PAVILION>
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[INFO] The file was moved to '4864defd.qua'!
C:\QooBox\Quarantine\C\WINDOWS\sjqrcbil.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was moved to '486ce8ac.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\kallebxy.dll.vir
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '4867e8ac.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\oxxdmohl.dll.vir
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '4873e8c6.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\pmnljihf.dll.vir
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was moved to '4869e8bf.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\tuvSjKCv.dll.vir
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was moved to '4871e8cb.qua'!
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1201\A0164394.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '482ce928.qua'!
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1201\A0164398.exe
[DETECTION] Is the Trojan horse TR/Crypt.FKM.Gen
[INFO] The file was moved to '482ce92b.qua'!
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1201\A0164400.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was moved to '482ce92c.qua'!
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1201\A0164402.dll
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was moved to '482ce92f.qua'!
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1201\A0164404.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '482ce931.qua'!
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1201\A0164406.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '482ce933.qua'!
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1201\A0164407.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '482ce936.qua'!
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1201\A0164408.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '482ce938.qua'!
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1201\A0164409.exe
[DETECTION] Is the Trojan horse TR/Crypt.FKM.Gen
[INFO] The file was moved to '482ce93a.qua'!
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1211\A0165663.exe
[DETECTION] Is the Trojan horse TR/Crypt.FKM.Gen
[INFO] The file was moved to '482ce991.qua'!
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1211\A0165673.dll
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was moved to '482ce996.qua'!
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1211\A0165674.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '482ce998.qua'!
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1211\A0165675.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '482ce99c.qua'!
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1215\A0174734.dll
[DETECTION] Is the Trojan horse TR/Vundo.EFQ
[INFO] The file was moved to '482ce9e5.qua'!
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1215\A0174776.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '482ce9ea.qua'!
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1215\A0174777.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '482ce9eb.qua'!
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1215\A0174778.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '482ce9ed.qua'!
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1215\A0174779.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '482ce9ef.qua'!
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1215\A0174780.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '482ce9f1.qua'!
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1215\A0174781.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '482ce9f3.qua'!
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1215\A0174864.exe
[DETECTION] Is the Trojan horse TR/Dldr.Agent.KWG.1
[INFO] The file was moved to '482cea15.qua'!
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1216\A0176026.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '482cea25.qua'!
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1216\A0176051.dll
[DETECTION] Is the Trojan horse TR/Vundo.EFU
[INFO] The file was moved to '482cea28.qua'!
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1216\A0176104.dll
[DETECTION] Is the Trojan horse TR/Vundo.EFU
[INFO] The file was moved to '482cea2b.qua'!
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1216\A0176105.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '482cea2d.qua'!
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1216\A0176169.dll
[DETECTION] Is the Trojan horse TR/Vundo.EFU
[INFO] The file was moved to '482cea2f.qua'!
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1216\A0176170.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '482cea31.qua'!
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1216\A0176171.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '482cea33.qua'!
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1216\A0176174.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '482cea34.qua'!
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1218\A0177868.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '482cea68.qua'!
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1218\A0177869.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '4951bfe9.qua'!
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1218\A0177890.dll
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was moved to '482cea69.qua'!
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1219\A0178004.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was moved to '482cea6d.qua'!
C:\WINDOWS\sjqrcbil.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was moved to '486ceaf0.qua'!
Begin scan in 'D:\' <HP_RECOVERY>


End of the scan: 2008-04-08 17:36
Used time: 1:34:01 min

The scan has been done completely.

9211 Scanning directories
450614 Files were scanned
39 viruses and/or unwanted programs were found
1 Files were classified as suspicious:
0 files were deleted
0 files were repaired
40 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
450575 Files not concerned
14095 Archives were scanned
1 Warnings
5 Notes
KGRUMPY
Regular Member
 
Posts: 41
Joined: April 2nd, 2008, 7:39 pm

Re: hijackthis log help

Unread postby chryssi2001 » April 9th, 2008, 3:59 pm

Hello KGRUMPY,

I first want to THANK YOU for taking your time to help me. As you can tell I am unsure of alot of thing when it comes to my computer,
My question is my sons laptop is also acting up,but I don't think it is malware or a virus can I post a HJT log for it or will that help.

You are welcome. :)

This forum is dedicated to remove malware.

You can post a HijackThis log from your sons laptop, in a new thread to be checked by a helper. If it's not a malware issue the helper will give him some GeneralTroubleshooting Forums addresses to use, and they will help him resolve the problem.
----------------------------------------------
Download http://www.techsupportforum.com/sectools/ResetTeaTimer.zip
Unzip the tool to your desktop.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.
Delete ResetTeaTimer.bat
----------------------------------------------
Spybot Search & Destroy
  • Double-click to open Spybot S&D.
  • Click on Recovery Button.
  • Put a tick in every item in there.
  • Click on Purge selected Items.
  • Allow it to remove all items.
  • Close Spybot S&D.
----------------------------------------------
We need to uninstall and re-install Combofix as it's updated.

UNINSTALL COMBOFIX

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK.
  • Note the space between the X and the U, it needs to be there.
  • Image
You can also delete any logs we have produced, and empty your Recycle bin.
----------------------------------------------
Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.

Download this file from one of the three below listed places and place it at your DESKTOP :
For information regarding this download, please visit this webpage:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Don't run it yet.
----------------------------------------------
COMBOFIX-Script
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: Select all
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "@"=-
    
    
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------------------------------------------
Please pay attention to the red parts. I want you to run a full scan.
It will need about 30-40 minutes. The other reports you gave me were for a short scan which was 8 minutes. Again remove Everything it will find. See my instructions.

Re-run Malwarebytes' Anti-Malware
  • Update the tool.
  • Select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Post that log back here.
----------------------------------------------
Post back:
Combofix report.
Malwarebytes' Anti-Malware report.
A new HijackThis log.
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: hijackthis log help

Unread postby KGRUMPY » April 9th, 2008, 7:57 pm

here is the combo log

ComboFix 08-04-09.5 - Owner 2008-04-09 17:14:05.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.186 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 )))))))))))))))))))))))))))))))
.

2008-04-08 06:54 . 2008-04-08 06:54 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-04-07 16:58 . 2008-04-07 16:58 <DIR> d-------- C:\Program Files\Avira
2008-04-07 16:58 . 2008-04-07 16:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-04-07 16:34 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-07 16:22 . 2008-04-07 16:22 <DIR> d-------- C:\WINDOWS\ktavdlri
2008-04-07 07:25 . 2008-04-08 06:54 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-07 07:25 . 2008-04-07 07:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-07 07:10 . 2008-04-07 16:22 <DIR> d-------- C:\Documents and Settings\Owner\.SunDownloadManager
2008-04-05 10:19 . 2008-04-05 10:19 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-05 10:19 . 2008-04-05 10:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-03 08:17 . 2008-04-04 20:25 1,075 --a------ C:\WINDOWS\wininit.ini
2008-04-02 16:49 . 2008-04-06 12:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-02 06:55 . 2008-04-03 10:48 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-02 06:55 . 2008-04-03 08:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-01 20:58 . 2008-04-01 20:58 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\VCOM
2008-04-01 20:40 . 2008-04-03 10:21 <DIR> d--h----- C:\VCOM
2008-04-01 20:40 . 2008-04-01 20:40 <DIR> dr-hs---- C:\_Backup.RC
2008-04-01 20:37 . 2008-04-01 20:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\VCOM
2008-04-01 20:36 . 2008-04-01 20:36 <DIR> d-------- C:\Program Files\VCOM
2008-04-01 17:29 . 2008-04-01 17:29 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Uniblue
2008-04-01 16:58 . 2008-04-01 16:58 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-30 17:18 . 2008-04-01 20:25 <DIR> d-------- C:\Program Files\XoftSpySE
2008-03-30 16:43 . 2008-04-01 20:32 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-30 16:43 . 2008-04-01 20:32 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-03-30 16:43 . 2008-03-30 16:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-30 14:26 . 2008-03-30 14:26 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-30 14:26 . 2008-03-30 14:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-30 14:25 . 2008-04-01 20:32 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-30 11:43 . 2008-03-30 13:56 <DIR> d-------- C:\Program Files\Win_Performance
2008-03-29 21:56 . 2008-03-29 21:56 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\ICAClient

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-07 21:36 --------- d-----w C:\Program Files\Java
2008-04-06 17:21 5,118 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-04-02 01:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-02 01:29 --------- d-----w C:\Program Files\Quicken
2008-03-27 02:13 --------- d-----w C:\Program Files\Microsoft Works
2008-03-23 01:30 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2005-07-07 03:27 6,576 ----a-w C:\Documents and Settings\All Users\Application Data\ypinfo.bin
2005-02-14 05:20 32 --sha-w C:\WINDOWS\{6A6A1728-1589-45B1-98B0-AB84EED2A8FF}.dat
2005-02-21 02:14 32 --sha-w C:\WINDOWS\{78E6C56C-4DE2-4213-952E-49E449F561F8}.dat
2004-02-06 20:59 32 --sha-w C:\WINDOWS\{DA0A8175-5381-4F04-8D48-85FB0ED0BDAE}.dat
2005-02-21 02:14 32 --sha-w C:\WINDOWS\system32\{AEBBDD7D-5CC3-4A6F-A065-8875D2C9ADD7}.dat
2005-02-14 05:20 32 --sha-w C:\WINDOWS\system32\{B4CB734F-0A29-4058-B37E-C0950E014062}.dat
.

((((((((((((((((((((((((((((( snapshot@2008-04-06_10.06.53.65 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-03 17:27:10 12,288 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-04-08 21:09:05 12,288 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-04-03 17:27:10 135,168 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-04-08 21:09:04 135,168 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-04-03 17:27:10 11,264 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-04-08 21:09:05 11,264 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2008-04-03 17:27:10 27,136 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-04-08 21:09:05 27,136 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-04-03 17:27:11 4,096 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-04-08 21:09:05 4,096 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2008-04-03 17:27:11 794,624 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-04-08 21:09:05 794,624 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2008-04-03 17:27:10 249,856 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2008-04-08 21:09:05 249,856 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-04-03 17:27:11 23,040 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2008-04-08 21:09:05 23,040 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-04-03 17:27:10 286,720 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-04-08 21:09:04 286,720 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-04-03 17:27:09 409,600 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-04-08 21:09:04 409,600 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-04-09 22:16:39 53,248 ----a-w C:\WINDOWS\PSEXESVC.EXE
- 2007-12-07 01:07:12 1,023,488 ----a-w C:\WINDOWS\system32\browseui.dll
+ 2008-02-16 08:59:34 1,023,488 ----a-w C:\WINDOWS\system32\browseui.dll
- 2007-12-07 01:07:12 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
+ 2008-02-16 08:59:35 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
- 2007-12-07 01:07:12 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
+ 2008-02-16 08:59:35 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
- 2007-12-07 01:07:12 1,023,488 -c--a-w C:\WINDOWS\system32\dllcache\browseui.dll
+ 2008-02-16 08:59:34 1,023,488 -c--a-w C:\WINDOWS\system32\dllcache\browseui.dll
- 2007-12-07 01:07:12 151,040 -c--a-w C:\WINDOWS\system32\dllcache\cdfview.dll
+ 2008-02-16 08:59:35 151,040 -c--a-w C:\WINDOWS\system32\dllcache\cdfview.dll
- 2007-12-07 01:07:12 1,054,208 -c--a-w C:\WINDOWS\system32\dllcache\danim.dll
+ 2008-02-16 08:59:35 1,054,208 -c--a-w C:\WINDOWS\system32\dllcache\danim.dll
- 2006-06-26 17:37:10 148,480 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
+ 2008-02-20 05:32:43 148,992 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
+ 2008-02-20 05:32:43 45,568 -c----w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
- 2007-12-07 01:07:12 357,888 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2008-02-16 08:59:35 357,888 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2007-12-07 01:07:12 205,312 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-02-16 08:59:35 205,312 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2007-12-07 01:07:12 55,808 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2008-02-16 08:59:35 55,808 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2007-06-19 13:31:19 282,112 -c--a-w C:\WINDOWS\system32\dllcache\gdi32.dll
+ 2008-02-20 06:51:05 282,624 -c--a-w C:\WINDOWS\system32\dllcache\gdi32.dll
- 2007-12-06 13:07:07 18,432 -c--a-w C:\WINDOWS\system32\dllcache\iedw.exe
+ 2008-02-15 09:23:37 18,432 -c--a-w C:\WINDOWS\system32\dllcache\iedw.exe
- 2007-12-07 01:07:12 251,392 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
+ 2008-02-16 08:59:35 251,392 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
- 2007-12-07 01:07:12 96,256 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
+ 2008-02-16 08:59:35 96,256 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
- 2007-11-14 07:26:56 450,560 -c--a-w C:\WINDOWS\system32\dllcache\jscript.dll
+ 2007-12-18 14:40:58 450,560 -c--a-w C:\WINDOWS\system32\dllcache\jscript.dll
- 2007-12-07 01:07:12 16,384 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-02-16 08:59:35 16,384 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2007-12-07 14:37:14 3,059,200 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2008-02-16 22:29:38 3,059,712 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2007-12-07 01:07:13 449,024 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2008-02-16 08:59:37 449,024 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2007-12-07 01:07:13 146,432 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2008-02-16 08:59:37 146,432 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2007-12-07 01:07:13 532,480 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2008-02-16 08:59:37 532,480 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2007-12-07 01:07:13 39,424 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2008-02-16 08:59:37 39,424 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2007-12-07 01:07:13 1,494,528 -c--a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
+ 2008-02-16 08:59:38 1,494,528 -c--a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
- 2007-12-07 01:07:13 474,112 -c--a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
+ 2008-02-16 08:59:38 474,112 -c--a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
- 2007-12-07 01:07:14 615,424 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-02-16 08:59:38 615,936 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2007-12-18 14:40:58 417,792 -c----w C:\WINDOWS\system32\dllcache\vbscript.dll
- 2007-03-08 13:47:48 1,843,584 -c--a-w C:\WINDOWS\system32\dllcache\win32k.sys
+ 2008-03-19 09:47:00 1,845,248 -c--a-w C:\WINDOWS\system32\dllcache\win32k.sys
- 2007-12-07 01:07:14 659,456 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-02-16 08:59:39 659,456 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
- 2006-06-26 17:37:10 148,480 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2008-02-20 05:32:43 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2007-08-09 18:04:11 40,768 ----a-w C:\WINDOWS\system32\drivers\avgntdd.sys
+ 2007-07-18 19:22:19 21,312 ----a-w C:\WINDOWS\system32\drivers\avgntmgr.sys
+ 2008-04-07 22:01:25 61,632 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys
+ 2007-03-01 15:34:36 28,352 ----a-w C:\WINDOWS\system32\drivers\ssmdrv.sys
- 2007-12-07 01:07:12 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2008-02-16 08:59:35 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2007-12-07 01:07:12 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2008-02-16 08:59:35 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2007-12-07 01:07:12 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2008-02-16 08:59:35 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2008-04-03 18:54:05 1,051,864 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-04-08 23:00:00 1,051,864 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2007-12-07 01:07:12 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
+ 2008-02-16 08:59:35 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
- 2007-12-07 01:07:12 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
+ 2008-02-16 08:59:35 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
- 2006-10-12 07:35:14 49,248 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-02-22 06:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2006-10-12 07:35:24 53,346 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-02-22 06:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2006-10-12 09:10:56 127,078 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-02-22 07:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
- 2007-11-14 07:26:56 450,560 ----a-w C:\WINDOWS\system32\jscript.dll
+ 2007-12-18 14:40:58 450,560 ----a-w C:\WINDOWS\system32\jscript.dll
- 2007-12-07 01:07:12 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2008-02-16 08:59:35 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2008-03-05 16:30:54 19,148,408 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-04-06 05:56:20 19,836,024 ----a-w C:\WINDOWS\system32\MRT.exe
- 2007-12-07 14:37:14 3,059,200 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2008-02-16 22:29:38 3,059,712 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2007-12-07 01:07:13 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2008-02-16 08:59:37 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2007-12-07 01:07:13 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2008-02-16 08:59:37 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
- 2007-12-07 01:07:13 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2008-02-16 08:59:37 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
- 2008-03-24 20:37:27 55,240 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-09 01:30:03 55,240 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-24 20:37:28 387,808 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-09 01:30:03 387,808 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2007-12-07 01:07:13 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2008-02-16 08:59:37 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2008-03-30 21:34:54 3,588 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2008-04-07 21:22:57 1,751,732 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
- 2007-12-07 01:07:13 1,494,528 ----a-w C:\WINDOWS\system32\shdocvw.dll
+ 2008-02-16 08:59:38 1,494,528 ----a-w C:\WINDOWS\system32\shdocvw.dll
- 2007-12-07 01:07:13 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
+ 2008-02-16 08:59:38 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
- 2007-12-07 01:07:14 615,424 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2008-02-16 08:59:38 615,936 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2004-08-04 07:56:46 417,792 ----a-w C:\WINDOWS\system32\vbscript.dll
+ 2007-12-18 14:40:58 417,792 ----a-w C:\WINDOWS\system32\vbscript.dll
- 2007-12-06 09:38:31 350,720 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2008-02-15 09:06:21 351,744 ----a-w C:\WINDOWS\system32\xpsp3res.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecordNow!"="" []
"NVIEW"="nview.dll" [2003-08-19 04:56 852038 C:\WINDOWS\system32\nview.dll]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"@"="C:\Program Files\Internet Explorer\IEXPLORE.exe" [2004-08-04 02:56 93184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 09:07 114688]
"CamMonitor"="c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 09:23 90112]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-23 04:55 483328]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 22:02 61440]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 10:01 110592]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 23:42 212992]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-08-19 04:56 4841472]
"nwiz"="nwiz.exe" [2003-08-19 04:56 323584 C:\WINDOWS\system32\nwiz.exe]
"LTMSG"="LTMSG.exe" [2003-07-14 19:52 40960 C:\WINDOWS\ltmsg.exe]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-08-14 21:11 139264]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-06-21 12:40 172032]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-12-18 01:20 278528]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 18:57 81920]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 15:54 241664]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11 49152]
"WorkFlow"="F:\Install\WorkFlow.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-27 13:25 180269]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-12 20:48 155648]
"VirusScannerPro"="C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe" [2006-09-07 19:28 57344]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-07 17:01 249896]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Corel Registration.lnk - C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe [2004-08-07 19:27:26 67584]
Desktop Application Director 9.LNK - C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe [2004-08-07 19:28:52 225280]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 23:31:38 241664]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-29 00:06:36 53248]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-08-11 03:22:40 757760]
Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 15:12:08 16423]
Updates from HP.lnk - C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe [2003-10-11 00:26:40 16384]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-02-05 15:29:20 54512]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ :\WINDOWS\syste

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=

R2 WUSB54Gv4SVC;WUSB54Gv4SVC;"C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe" []
S3 UNDPX2A;UNDPX2A;C:\WINDOWS\system32\drivers\UNDPX2A.SYS []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56428b69-c42d-11da-98c6-0012178ff96f}]
\Shell\AutoRun\command - K:\setupSNK.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - GTNDIS5
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-09 17:16:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-09 17:17:46
ComboFix-quarantined-files.txt 2008-04-09 22:17:28
ComboFix2.txt 2008-04-06 19:49:26
ComboFix3.txt 2008-04-06 15:07:16
Pre-Run: 111,780,499,456 bytes free
Post-Run: 111,759,708,160 bytes free
.
2008-04-08 21:12:08 --- E O F ---
KGRUMPY
Regular Member
 
Posts: 41
Joined: April 2nd, 2008, 7:39 pm

Re: hijackthis log help

Unread postby KGRUMPY » April 9th, 2008, 7:59 pm

And here is the Anti-Malware log

ComboFix 08-04-09.5 - Owner 2008-04-09 17:14:05.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.186 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 )))))))))))))))))))))))))))))))
.

2008-04-08 06:54 . 2008-04-08 06:54 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-04-07 16:58 . 2008-04-07 16:58 <DIR> d-------- C:\Program Files\Avira
2008-04-07 16:58 . 2008-04-07 16:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-04-07 16:34 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-07 16:22 . 2008-04-07 16:22 <DIR> d-------- C:\WINDOWS\ktavdlri
2008-04-07 07:25 . 2008-04-08 06:54 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-07 07:25 . 2008-04-07 07:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-07 07:10 . 2008-04-07 16:22 <DIR> d-------- C:\Documents and Settings\Owner\.SunDownloadManager
2008-04-05 10:19 . 2008-04-05 10:19 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-05 10:19 . 2008-04-05 10:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-03 08:17 . 2008-04-04 20:25 1,075 --a------ C:\WINDOWS\wininit.ini
2008-04-02 16:49 . 2008-04-06 12:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-02 06:55 . 2008-04-03 10:48 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-02 06:55 . 2008-04-03 08:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-01 20:58 . 2008-04-01 20:58 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\VCOM
2008-04-01 20:40 . 2008-04-03 10:21 <DIR> d--h----- C:\VCOM
2008-04-01 20:40 . 2008-04-01 20:40 <DIR> dr-hs---- C:\_Backup.RC
2008-04-01 20:37 . 2008-04-01 20:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\VCOM
2008-04-01 20:36 . 2008-04-01 20:36 <DIR> d-------- C:\Program Files\VCOM
2008-04-01 17:29 . 2008-04-01 17:29 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Uniblue
2008-04-01 16:58 . 2008-04-01 16:58 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-30 17:18 . 2008-04-01 20:25 <DIR> d-------- C:\Program Files\XoftSpySE
2008-03-30 16:43 . 2008-04-01 20:32 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-30 16:43 . 2008-04-01 20:32 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-03-30 16:43 . 2008-03-30 16:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-30 14:26 . 2008-03-30 14:26 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-30 14:26 . 2008-03-30 14:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-30 14:25 . 2008-04-01 20:32 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-30 11:43 . 2008-03-30 13:56 <DIR> d-------- C:\Program Files\Win_Performance
2008-03-29 21:56 . 2008-03-29 21:56 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\ICAClient

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-07 21:36 --------- d-----w C:\Program Files\Java
2008-04-06 17:21 5,118 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-04-02 01:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-02 01:29 --------- d-----w C:\Program Files\Quicken
2008-03-27 02:13 --------- d-----w C:\Program Files\Microsoft Works
2008-03-23 01:30 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2005-07-07 03:27 6,576 ----a-w C:\Documents and Settings\All Users\Application Data\ypinfo.bin
2005-02-14 05:20 32 --sha-w C:\WINDOWS\{6A6A1728-1589-45B1-98B0-AB84EED2A8FF}.dat
2005-02-21 02:14 32 --sha-w C:\WINDOWS\{78E6C56C-4DE2-4213-952E-49E449F561F8}.dat
2004-02-06 20:59 32 --sha-w C:\WINDOWS\{DA0A8175-5381-4F04-8D48-85FB0ED0BDAE}.dat
2005-02-21 02:14 32 --sha-w C:\WINDOWS\system32\{AEBBDD7D-5CC3-4A6F-A065-8875D2C9ADD7}.dat
2005-02-14 05:20 32 --sha-w C:\WINDOWS\system32\{B4CB734F-0A29-4058-B37E-C0950E014062}.dat
.

((((((((((((((((((((((((((((( snapshot@2008-04-06_10.06.53.65 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-03 17:27:10 12,288 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-04-08 21:09:05 12,288 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-04-03 17:27:10 135,168 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-04-08 21:09:04 135,168 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-04-03 17:27:10 11,264 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-04-08 21:09:05 11,264 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2008-04-03 17:27:10 27,136 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-04-08 21:09:05 27,136 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-04-03 17:27:11 4,096 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-04-08 21:09:05 4,096 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2008-04-03 17:27:11 794,624 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-04-08 21:09:05 794,624 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2008-04-03 17:27:10 249,856 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2008-04-08 21:09:05 249,856 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-04-03 17:27:11 23,040 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2008-04-08 21:09:05 23,040 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-04-03 17:27:10 286,720 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-04-08 21:09:04 286,720 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-04-03 17:27:09 409,600 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-04-08 21:09:04 409,600 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-04-09 22:16:39 53,248 ----a-w C:\WINDOWS\PSEXESVC.EXE
- 2007-12-07 01:07:12 1,023,488 ----a-w C:\WINDOWS\system32\browseui.dll
+ 2008-02-16 08:59:34 1,023,488 ----a-w C:\WINDOWS\system32\browseui.dll
- 2007-12-07 01:07:12 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
+ 2008-02-16 08:59:35 151,040 ----a-w C:\WINDOWS\system32\cdfview.dll
- 2007-12-07 01:07:12 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
+ 2008-02-16 08:59:35 1,054,208 ----a-w C:\WINDOWS\system32\danim.dll
- 2007-12-07 01:07:12 1,023,488 -c--a-w C:\WINDOWS\system32\dllcache\browseui.dll
+ 2008-02-16 08:59:34 1,023,488 -c--a-w C:\WINDOWS\system32\dllcache\browseui.dll
- 2007-12-07 01:07:12 151,040 -c--a-w C:\WINDOWS\system32\dllcache\cdfview.dll
+ 2008-02-16 08:59:35 151,040 -c--a-w C:\WINDOWS\system32\dllcache\cdfview.dll
- 2007-12-07 01:07:12 1,054,208 -c--a-w C:\WINDOWS\system32\dllcache\danim.dll
+ 2008-02-16 08:59:35 1,054,208 -c--a-w C:\WINDOWS\system32\dllcache\danim.dll
- 2006-06-26 17:37:10 148,480 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
+ 2008-02-20 05:32:43 148,992 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
+ 2008-02-20 05:32:43 45,568 -c----w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
- 2007-12-07 01:07:12 357,888 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2008-02-16 08:59:35 357,888 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2007-12-07 01:07:12 205,312 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-02-16 08:59:35 205,312 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2007-12-07 01:07:12 55,808 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2008-02-16 08:59:35 55,808 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2007-06-19 13:31:19 282,112 -c--a-w C:\WINDOWS\system32\dllcache\gdi32.dll
+ 2008-02-20 06:51:05 282,624 -c--a-w C:\WINDOWS\system32\dllcache\gdi32.dll
- 2007-12-06 13:07:07 18,432 -c--a-w C:\WINDOWS\system32\dllcache\iedw.exe
+ 2008-02-15 09:23:37 18,432 -c--a-w C:\WINDOWS\system32\dllcache\iedw.exe
- 2007-12-07 01:07:12 251,392 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
+ 2008-02-16 08:59:35 251,392 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
- 2007-12-07 01:07:12 96,256 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
+ 2008-02-16 08:59:35 96,256 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
- 2007-11-14 07:26:56 450,560 -c--a-w C:\WINDOWS\system32\dllcache\jscript.dll
+ 2007-12-18 14:40:58 450,560 -c--a-w C:\WINDOWS\system32\dllcache\jscript.dll
- 2007-12-07 01:07:12 16,384 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-02-16 08:59:35 16,384 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2007-12-07 14:37:14 3,059,200 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2008-02-16 22:29:38 3,059,712 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2007-12-07 01:07:13 449,024 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2008-02-16 08:59:37 449,024 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2007-12-07 01:07:13 146,432 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2008-02-16 08:59:37 146,432 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2007-12-07 01:07:13 532,480 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2008-02-16 08:59:37 532,480 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2007-12-07 01:07:13 39,424 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2008-02-16 08:59:37 39,424 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2007-12-07 01:07:13 1,494,528 -c--a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
+ 2008-02-16 08:59:38 1,494,528 -c--a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
- 2007-12-07 01:07:13 474,112 -c--a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
+ 2008-02-16 08:59:38 474,112 -c--a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
- 2007-12-07 01:07:14 615,424 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-02-16 08:59:38 615,936 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2007-12-18 14:40:58 417,792 -c----w C:\WINDOWS\system32\dllcache\vbscript.dll
- 2007-03-08 13:47:48 1,843,584 -c--a-w C:\WINDOWS\system32\dllcache\win32k.sys
+ 2008-03-19 09:47:00 1,845,248 -c--a-w C:\WINDOWS\system32\dllcache\win32k.sys
- 2007-12-07 01:07:14 659,456 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-02-16 08:59:39 659,456 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
- 2006-06-26 17:37:10 148,480 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2008-02-20 05:32:43 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2007-08-09 18:04:11 40,768 ----a-w C:\WINDOWS\system32\drivers\avgntdd.sys
+ 2007-07-18 19:22:19 21,312 ----a-w C:\WINDOWS\system32\drivers\avgntmgr.sys
+ 2008-04-07 22:01:25 61,632 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys
+ 2007-03-01 15:34:36 28,352 ----a-w C:\WINDOWS\system32\drivers\ssmdrv.sys
- 2007-12-07 01:07:12 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2008-02-16 08:59:35 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
- 2007-12-07 01:07:12 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2008-02-16 08:59:35 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2007-12-07 01:07:12 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2008-02-16 08:59:35 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2008-04-03 18:54:05 1,051,864 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-04-08 23:00:00 1,051,864 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2007-12-07 01:07:12 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
+ 2008-02-16 08:59:35 251,392 ----a-w C:\WINDOWS\system32\iepeers.dll
- 2007-12-07 01:07:12 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
+ 2008-02-16 08:59:35 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
- 2006-10-12 07:35:14 49,248 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-02-22 06:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2006-10-12 07:35:24 53,346 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-02-22 06:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2006-10-12 09:10:56 127,078 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-02-22 07:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
- 2007-11-14 07:26:56 450,560 ----a-w C:\WINDOWS\system32\jscript.dll
+ 2007-12-18 14:40:58 450,560 ----a-w C:\WINDOWS\system32\jscript.dll
- 2007-12-07 01:07:12 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2008-02-16 08:59:35 16,384 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2008-03-05 16:30:54 19,148,408 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-04-06 05:56:20 19,836,024 ----a-w C:\WINDOWS\system32\MRT.exe
- 2007-12-07 14:37:14 3,059,200 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2008-02-16 22:29:38 3,059,712 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2007-12-07 01:07:13 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2008-02-16 08:59:37 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2007-12-07 01:07:13 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2008-02-16 08:59:37 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
- 2007-12-07 01:07:13 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2008-02-16 08:59:37 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
- 2008-03-24 20:37:27 55,240 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-09 01:30:03 55,240 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-24 20:37:28 387,808 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-09 01:30:03 387,808 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2007-12-07 01:07:13 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2008-02-16 08:59:37 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
- 2008-03-30 21:34:54 3,588 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2008-04-07 21:22:57 1,751,732 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
- 2007-12-07 01:07:13 1,494,528 ----a-w C:\WINDOWS\system32\shdocvw.dll
+ 2008-02-16 08:59:38 1,494,528 ----a-w C:\WINDOWS\system32\shdocvw.dll
- 2007-12-07 01:07:13 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
+ 2008-02-16 08:59:38 474,112 ----a-w C:\WINDOWS\system32\shlwapi.dll
- 2007-12-07 01:07:14 615,424 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2008-02-16 08:59:38 615,936 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2004-08-04 07:56:46 417,792 ----a-w C:\WINDOWS\system32\vbscript.dll
+ 2007-12-18 14:40:58 417,792 ----a-w C:\WINDOWS\system32\vbscript.dll
- 2007-12-06 09:38:31 350,720 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2008-02-15 09:06:21 351,744 ----a-w C:\WINDOWS\system32\xpsp3res.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecordNow!"="" []
"NVIEW"="nview.dll" [2003-08-19 04:56 852038 C:\WINDOWS\system32\nview.dll]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"@"="C:\Program Files\Internet Explorer\IEXPLORE.exe" [2004-08-04 02:56 93184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 09:07 114688]
"CamMonitor"="c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 09:23 90112]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-23 04:55 483328]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 22:02 61440]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 10:01 110592]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 23:42 212992]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-08-19 04:56 4841472]
"nwiz"="nwiz.exe" [2003-08-19 04:56 323584 C:\WINDOWS\system32\nwiz.exe]
"LTMSG"="LTMSG.exe" [2003-07-14 19:52 40960 C:\WINDOWS\ltmsg.exe]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-08-14 21:11 139264]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-06-21 12:40 172032]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-12-18 01:20 278528]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 18:57 81920]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 15:54 241664]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11 49152]
"WorkFlow"="F:\Install\WorkFlow.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-27 13:25 180269]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-12 20:48 155648]
"VirusScannerPro"="C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe" [2006-09-07 19:28 57344]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-07 17:01 249896]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Corel Registration.lnk - C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe [2004-08-07 19:27:26 67584]
Desktop Application Director 9.LNK - C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe [2004-08-07 19:28:52 225280]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 23:31:38 241664]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-29 00:06:36 53248]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-08-11 03:22:40 757760]
Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 15:12:08 16423]
Updates from HP.lnk - C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe [2003-10-11 00:26:40 16384]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-02-05 15:29:20 54512]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ :\WINDOWS\syste

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=

R2 WUSB54Gv4SVC;WUSB54Gv4SVC;"C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe" []
S3 UNDPX2A;UNDPX2A;C:\WINDOWS\system32\drivers\UNDPX2A.SYS []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56428b69-c42d-11da-98c6-0012178ff96f}]
\Shell\AutoRun\command - K:\setupSNK.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - GTNDIS5
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-09 17:16:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-09 17:17:46
ComboFix-quarantined-files.txt 2008-04-09 22:17:28
ComboFix2.txt 2008-04-06 19:49:26
ComboFix3.txt 2008-04-06 15:07:16
Pre-Run: 111,780,499,456 bytes free
Post-Run: 111,759,708,160 bytes free
.
2008-04-08 21:12:08 --- E O F ---




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:42:16 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WorkFlow] F:\Install\WorkFlow.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VirusScannerPro] C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\IEXPLORE.EXE http://www.symantec.com/techsupp/servle ... 0D2.DMTemp
O4 - Startup: IMVU.lnk = C:\Program Files\IMVU\IMVUClient.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4546796421
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Fix-It Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WUSB54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 10058 bytes
KGRUMPY
Regular Member
 
Posts: 41
Joined: April 2nd, 2008, 7:39 pm

Re: hijackthis log help

Unread postby chryssi2001 » April 10th, 2008, 1:25 am

Hello KGRUMPY,

Did you do this step before running Combofix again?

COMBOFIX-Script
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: Select all
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "@"=-
    
    
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
---------------------------------------------------
Please just tell me if you followed the above step, Do Not re-run Combofix again.

You posted Combofix report twice instead of Malwarebytes' Anti-Malware report.
Post back Malwarebytes' Anti-Malware report if you have it.
If you didn't follow the step with Combofix do not run Malwarebytes' Anti-Malware report.
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: hijackthis log help

Unread postby KGRUMPY » April 10th, 2008, 7:58 am

Sorry my other half tried to help I had meetings all evening. I do not think he disabled the antivirus.before doing this step. I also did not see it saved to the desktop. I just saved it there. I did NOT re-run combo fix. I will wait for your directions to do so. Here is the malware log. SORRY for all the trouble :oops: The log seems kinda short is this good or is something wrong? I am also rerunning this for an updated log.

Malwarebytes' Anti-Malware 1.11
Database version: 604

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|)
Objects scanned: 133138
Time elapsed: 1 hour(s), 22 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1201\A0164399.exe (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1201\A0164401.dll (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1201\A0164403.exe (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1201\A0164451.exe (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1201\A0164452.dll (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1201\A0164453.exe (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP1201\A0164465.dll (Adware.WebHancer) -> Quarantined and deleted successfully.
KGRUMPY
Regular Member
 
Posts: 41
Joined: April 2nd, 2008, 7:39 pm

Re: hijackthis log help

Unread postby chryssi2001 » April 10th, 2008, 9:33 am

Hi,

did you run this step, before you posted the latest Combofix report? Can you ask your other half please? I need to know before we continue.

viewtopic.php?p=285823#p285823

Please do not run any scans or tools unless i tell you too.
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: hijackthis log help

Unread postby KGRUMPY » April 10th, 2008, 4:35 pm

Yes he did this step before he posted the combofix report.
KGRUMPY
Regular Member
 
Posts: 41
Joined: April 2nd, 2008, 7:39 pm

Re: hijackthis log help

Unread postby chryssi2001 » April 11th, 2008, 1:16 am

Hello KGRUMPY,

Malwarebytes' Anti-Malware report looks fine. Those items are in system restore and we are going to clean them later.
----------------------------------------------
FIX HIJACKTHIS ENTRIES

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines(if still present).

O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\IEXPLORE.EXE http://www.symantec.com/techsupp/servle ... 0D2.DMTemp


Then close all windows except Hijackthis and click Fix Checked
Close HijackThis.
----------------------------------------------
COMBOFIX-Script
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: Select all
    Folder::
    C:\WINDOWS\ktavdlri
    
    Registry::
    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
    
    
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------------------------------------------
Additional to the above please follow these instructions and post back the log it will be created.

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the code to Notepad. Save it as All Files and name it "Fix.bat" (including quotation marks). Please save it on your desktop.

Code: Select all
@echo off
if exist log.txt del log.txt
set key=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
@(
swreg acl %key%
echo.
swreg query %key% | FindStr.exe -i Packages
echo.
swreg acl %key% /reset /q
swreg add %key% /v "Notification Packages" /t reg_multi_sz /d scecli
swreg acl %key% /ra:f /ro:f /q
swreg acl %key%
echo.
swreg query %key% | FindStr.exe -i Packages
)>log.txt
Start Notepad Log.txt
del %0


Double click Fix.bat. A window will open and close. This is normal. Post back the log that is produced.
----------------------------------------------
Post back:
Combofix report.
Fix.bar log.
A new HijackThis log.
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: hijackthis log help

Unread postby KGRUMPY » April 11th, 2008, 7:34 am

ComboFix 08-04-09.5 - Owner 2008-04-11 6:21:28.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.141 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\ktavdlri

.
((((((((((((((((((((((((( Files Created from 2008-03-11 to 2008-04-11 )))))))))))))))))))))))))))))))
.

2008-04-10 21:07 . 2008-04-10 21:07 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-10 21:07 . 2008-04-10 21:07 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-08 06:54 . 2008-04-08 06:54 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-04-07 16:58 . 2008-04-07 16:58 <DIR> d-------- C:\Program Files\Avira
2008-04-07 16:58 . 2008-04-07 16:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-04-07 16:34 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-07 07:25 . 2008-04-08 06:54 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-07 07:25 . 2008-04-07 07:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-07 07:10 . 2008-04-07 16:22 <DIR> d-------- C:\Documents and Settings\Owner\.SunDownloadManager
2008-04-05 10:19 . 2008-04-05 10:19 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-05 10:19 . 2008-04-05 10:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-03 08:17 . 2008-04-04 20:25 1,075 --a------ C:\WINDOWS\wininit.ini
2008-04-02 16:49 . 2008-04-06 12:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-02 06:55 . 2008-04-03 10:48 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-02 06:55 . 2008-04-03 08:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-01 20:58 . 2008-04-01 20:58 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\VCOM
2008-04-01 20:40 . 2008-04-03 10:21 <DIR> d--h----- C:\VCOM
2008-04-01 20:40 . 2008-04-01 20:40 <DIR> dr-hs---- C:\_Backup.RC
2008-04-01 20:37 . 2008-04-01 20:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\VCOM
2008-04-01 20:36 . 2008-04-01 20:36 <DIR> d-------- C:\Program Files\VCOM
2008-04-01 17:29 . 2008-04-01 17:29 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Uniblue
2008-04-01 16:58 . 2008-04-01 16:58 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-30 17:18 . 2008-04-01 20:25 <DIR> d-------- C:\Program Files\XoftSpySE
2008-03-30 16:43 . 2008-04-01 20:32 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-30 16:43 . 2008-04-01 20:32 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-03-30 16:43 . 2008-03-30 16:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-30 14:26 . 2008-03-30 14:26 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-30 14:26 . 2008-03-30 14:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-30 14:25 . 2008-04-01 20:32 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-30 11:43 . 2008-03-30 13:56 <DIR> d-------- C:\Program Files\Win_Performance
2008-03-29 21:56 . 2008-03-29 21:56 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\ICAClient

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-07 21:36 --------- d-----w C:\Program Files\Java
2008-04-06 17:21 5,118 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-04-02 01:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-02 01:29 --------- d-----w C:\Program Files\Quicken
2008-03-27 02:13 --------- d-----w C:\Program Files\Microsoft Works
2008-03-23 01:30 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2005-07-07 03:27 6,576 ----a-w C:\Documents and Settings\All Users\Application Data\ypinfo.bin
2005-02-14 05:20 32 --sha-w C:\WINDOWS\{6A6A1728-1589-45B1-98B0-AB84EED2A8FF}.dat
2005-02-21 02:14 32 --sha-w C:\WINDOWS\{78E6C56C-4DE2-4213-952E-49E449F561F8}.dat
2004-02-06 20:59 32 --sha-w C:\WINDOWS\{DA0A8175-5381-4F04-8D48-85FB0ED0BDAE}.dat
2005-02-21 02:14 32 --sha-w C:\WINDOWS\system32\{AEBBDD7D-5CC3-4A6F-A065-8875D2C9ADD7}.dat
2005-02-14 05:20 32 --sha-w C:\WINDOWS\system32\{B4CB734F-0A29-4058-B37E-C0950E014062}.dat
.

((((((((((((((((((((((((((((( snapshot_2008-04-09_17.17.13.42 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-09 22:16:39 53,248 ----a-w C:\WINDOWS\PSEXESVC.EXE
+ 2008-04-11 11:24:11 53,248 ----a-w C:\WINDOWS\PSEXESVC.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecordNow!"="" []
"NVIEW"="nview.dll" [2003-08-19 04:56 852038 C:\WINDOWS\system32\nview.dll]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 09:07 114688]
"CamMonitor"="c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 09:23 90112]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-23 04:55 483328]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 22:02 61440]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 10:01 110592]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 23:42 212992]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-08-19 04:56 4841472]
"nwiz"="nwiz.exe" [2003-08-19 04:56 323584 C:\WINDOWS\system32\nwiz.exe]
"LTMSG"="LTMSG.exe" [2003-07-14 19:52 40960 C:\WINDOWS\ltmsg.exe]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-08-14 21:11 139264]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-06-21 12:40 172032]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-12-18 01:20 278528]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 18:57 81920]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 15:54 241664]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11 49152]
"WorkFlow"="F:\Install\WorkFlow.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-27 13:25 180269]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-12 20:48 155648]
"VirusScannerPro"="C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe" [2006-09-07 19:28 57344]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-07 17:01 249896]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Corel Registration.lnk - C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe [2004-08-07 19:27:26 67584]
Desktop Application Director 9.LNK - C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe [2004-08-07 19:28:52 225280]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 23:31:38 241664]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-29 00:06:36 53248]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-08-11 03:22:40 757760]
Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 15:12:08 16423]
Updates from HP.lnk - C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe [2003-10-11 00:26:40 16384]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-02-05 15:29:20 54512]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=

R2 WUSB54Gv4SVC;WUSB54Gv4SVC;"C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe" []
S3 UNDPX2A;UNDPX2A;C:\WINDOWS\system32\drivers\UNDPX2A.SYS []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56428b69-c42d-11da-98c6-0012178ff96f}]
\Shell\AutoRun\command - K:\setupSNK.exe

*Newly Created Service* - GTNDIS5
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-11 06:24:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-11 6:25:29
ComboFix-quarantined-files.txt 2008-04-11 11:25:04
ComboFix2.txt 2008-04-09 22:17:46
ComboFix3.txt 2008-04-06 19:49:26
ComboFix4.txt 2008-04-06 15:07:16
Pre-Run: 111,740,596,224 bytes free
Post-Run: 111,721,508,864 bytes free
.
2008-04-08 21:12:08 --- E O F ---



*******************************************************************************
Registrykey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Permissions:
*******************************************************************************
Username
Type Permissions Inheritance
*******************************************************************************
YOUR-FSYLY0JTWN\Users
Allowed Read This Key Only (Inherited)
YOUR-FSYLY0JTWN\Users
Allowed Special (Unknown) Subkeys only (Inherited)
YOUR-FSYLY0JTWN\Administrators
Allowed Full Control This Key Only (Inherited)
YOUR-FSYLY0JTWN\Administrators
Allowed Special (Unknown) Subkeys only (Inherited)
NT AUTHORITY\SYSTEM
Allowed Full Control This Key Only (Inherited)
NT AUTHORITY\SYSTEM
Allowed Special (Unknown) Subkeys only (Inherited)
\CREATOR OWNER
Allowed Special (Unknown) Subkeys only (Inherited)
Perms

No Auditing set

Owner: Administrators (YOUR-FSYLY0JTWN\Administrators)

Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

*******************************************************************************
Registrykey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Permissions:
*******************************************************************************
Username
Type Permissions Inheritance
*******************************************************************************
YOUR-FSYLY0JTWN\Users
Allowed Read This Key Only (Inherited)
YOUR-FSYLY0JTWN\Users
Allowed Special (Unknown) Subkeys only (Inherited)
YOUR-FSYLY0JTWN\Administrators
Allowed Full Control This Key Only (Inherited)
YOUR-FSYLY0JTWN\Administrators
Allowed Special (Unknown) Subkeys only (Inherited)
NT AUTHORITY\SYSTEM
Allowed Full Control This Key Only (Inherited)
NT AUTHORITY\SYSTEM
Allowed Special (Unknown) Subkeys only (Inherited)
\CREATOR OWNER
Allowed Special (Unknown) Subkeys only (Inherited)
Perms

No Auditing set

Owner: Administrators (YOUR-FSYLY0JTWN\Administrators)

Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:33:50 AM, on 4/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WorkFlow] F:\Install\WorkFlow.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VirusScannerPro] C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Startup: IMVU.lnk = C:\Program Files\IMVU\IMVUClient.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4546796421
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Fix-It Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WUSB54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 9979 bytes
Here are all my logs Sorry for the problems yesterday.
KGRUMPY
Regular Member
 
Posts: 41
Joined: April 2nd, 2008, 7:39 pm

Re: hijackthis log help

Unread postby chryssi2001 » April 11th, 2008, 7:55 am

Hello KGRUMPY,

No problem :) Everything looks better now. Nearly to the end! ;)
----------------------------------------------
I can't see any firewall in your HijackThis log, so i assume you use windows firewall.

FIREWALL
Without a firewall your computer is susceptible to being hacked and taken over. If you use the Windows Firewall you might think that's sufficient but it only controls one way of the traffic (inbound). Simply using a Firewall in its default configuration can lower your risk greatly. It's preferable to install one of the suggested firewalls.
Vista users, must check compatibility with Vista before installation.

FREE FIREWALLS
Tutorial about Firewalls can be found here
----------------------------------------------
Update Adobe Reader
Recently there have been vunerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version. Adobe Reader 8.
You can download it from http://www.adobe.com/products/acrobat/readstep2.html
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Adobe 8 is a large program and if you prefer a smaller program you can get Foxit 2.0 instead from http://www.foxitsoftware.com/pdf/rd_intro.php
----------------------------------------------
Run Kaspersky Online AV Scanner
Using Internet Explorer Go to http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html and click the Accept button at the end of the page.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer" and then put the kettle on!
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.
----------------------------------------------
Post back:
Kaspersky report.
A new HijackThis log.
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 57 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware