Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

HJT log included, really need some help


Post by Sillywheel » February 5th, 2009, 10:23 pm

OK, so I posted here about a week ago, but after downloading/running Avira antivirus, I thought I was good. Of course, now I'm kind of screwed. I have two csrss.exe processes running when I run Task Manager as an admin, Avira is constantly spamming me with messages about trojans that it can't delete, and my computer is running at about half speed. Just typing this message is rather difficult because it lags a bit. I'll post my HJT log, but as I tried to run it, a file called dummy.tmp came up on my desktop, and I'm inferring from the name that it might have messed up the process a bit. I'm ready and willing to delete anything you guys want me to, but my computer is denying permission to perform certain actions right now, like opening the Security Center. I would really appreciate any help with this, as I would really rather not delete everything on my computer. Hope to hear from you soon!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:00:26 PM, on 2/5/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\System32\rundll32.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Program Files\Curse\CurseClient.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Users\TJ ARMSTRONG\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Windows\system32\twex.exe,
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "c:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [EPSON Stylus CX7400 Series (Copy 1)] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE /FU "C:\Windows\TEMP\E_S2B4E.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Lsass Service] C:\Users\TJARMS~1\AppData\Local\Temp\Rar$EX25.574\crack.exe
O4 - HKCU\..\Run: [userinit] C:\Users\TJ ARMSTRONG\AppData\Roaming\twex.exe
O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O13 - Gopher Prefix:
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8583 bytes
Sillywheel
Active Member
 
Posts: 12
Joined: January 27th, 2009, 11:23 pm

Re: HJT log included, really need some help

Post by Odd dude » February 9th, 2009, 7:01 am

Hello and welcome to the forums!

I'm Odd dude, pleased to meet you; if it helps, you can call me OD ;). I will be helping you with your infection. However, it is important to take note of the following - quite the wall of text, I know, but please bear with me:

  • Logs from malware removal programs (Hijackthis is one of them) can take some time to analyze. I need you to be patient whilst I analyze any logs you post.
  • Please carefully read any instruction that I give you.
    Reading too lightly will cause you to miss important steps, which could have destructive effects.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • Only YOU must use these instructions, they are not suitable for any other computer, similar issues or not.
  • Do not do things I do not ask for, such as running a spyware scan. The one thing you should always do, though, is make sure that your antivirus definitions are up to date!
  • If I tell you to download a tool which you already have, please re-download it and do not use the copy you already have. This is because the tools are updated regularly.
  • In Windows Vista, all tools need to be started by right clicking and selecting Run as administrator!
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you were to do the same. From this point, we're in this together ;)
    Because of this, you must reply within five days. I will post a reminder should you seem to fail to do this; however, if you fail to reply within five days then, unless I have been notified of your absence in advance, the topic shall be closed!
  • As I am still in training at the Malware Removal University, anything I do must be checked by an experienced malware fighter. This means there might be a slight delay in my answers.
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system. Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

I am now analyzing your situation and hope to be back with you soon. While I am reviewing your situation, could you please do the following for me:

Make an Uninstall List
I need you to create an uninstall list so I can further analyze your situation.

  • Start HijackThis.
  • Click Open the Misc Tools section
  • Click Open Uninstall Manager
  • Click Save list...
  • Save the list to your desktop, or any other convenient place.

Please post back:
  • Uninstall list
  • New hijackthis log
Odd dude
Retired Graduate
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: HJT log included, really need some help

Post by Sillywheel » February 9th, 2009, 5:46 pm

Hey, thanks Odd dude!
HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:38:40 PM, on 2/9/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Curse\CurseClient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Users\TJ ARMSTRONG\Desktop\HiJackThis.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Windows\system32\twex.exe,
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "c:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [EPSON Stylus CX7400 Series (Copy 1)] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE /FU "C:\Windows\TEMP\E_S2B4E.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Lsass Service] C:\Users\TJARMS~1\AppData\Local\Temp\Rar$EX25.574\crack.exe
O4 - HKCU\..\Run: [userinit] C:\Users\TJ ARMSTRONG\AppData\Roaming\twex.exe
O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O13 - Gopher Prefix:
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9278 bytes



And the uninstall list:
Activation Assistant for the 2007 Microsoft Office suites
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 8.1.1
Adobe Shockwave Player
Adobe Stock Photos 1.0
Age of Mythology
AIM 6
AppCore
Apple Mobile Device Support
Apple Software Update
ASL_HS_Installer32
AV
Avira AntiVir Personal - Free Antivirus
Bonjour
Broadcom 802.11 Wireless LAN Adapter
ccCommon
Cheat Engine 5.4
Conexant HD Audio
Curse Client
DivX
EPSON Printer Software
Hewlett-Packard Active Check for Health Check
Hewlett-Packard Asset Agent for Health Check
HijackThis 2.0.2
HP Active Support Library
HP Customer Experience Enhancements
HP DVD Play 3.0
HP Easy Setup - Core
HP Easy Setup - Frontend
HP Help and Support
HP Quick Launch Buttons 6.10 B9
HP Total Care Advisor
HP Update
HP User Guide 0041
HP Wireless Assistant
HPNetworkAssistant
iTunes
Java(TM) 6 Update 11
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) SE Runtime Environment 6
LimeWire 4.16.6
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Microsoft Office Standard Edition 2003
Microsoft Works
Mozilla Firefox (3.0.6)
MSRedist
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML4 Parser
muvee autoProducer 5.0
Norton AntiVirus
Norton Confidential Browser Component
Norton Confidential Web Protection Component
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
Norton Security Scan
Norton Security Scan (Symantec Corporation)
NVIDIA Drivers
PlayNC Launcher
QuickTime
RealPlayer
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator EasyArchive
Roxio Creator Tools
Roxio Express Labeler 3
Roxio MyDVD Basic v9
Soft Data Fax Modem with SmartCP
Sonic Activation Module
SPBBC 32bit
SymNet
Synaptics Pointing Device Driver
Ventrilo Client
Viewpoint Media Player
Warcraft III
Windows Media Player Firefox Plugin
WinRAR archiver
World of Warcraft

Re: HJT log included, really need some help

Post by Odd dude » February 10th, 2009, 11:05 am

You are running multiple antivirus programs
This will have a dramatic effect on your computer.
  • Antivirus programs take up a lot of memory - imagine running two!
  • Your computer stability is reduced by running more antivirus programs than one
  • Your two antivirus programs both patch important system areas and could hinder each other
  • Antivirus software cannot scan files that are already in use by another antivirus scanner. This means they will both miss malware!
With all this in mind, please remove one of these two programs:

Norton Internet Security
Avira AntiVir


If you paid for Norton I recommend you to keep it, because it also has a firewall which protects from direct attacks over the internet.

Before we begin cleaning you, I would like you to read the following topic:
viewtopic.php?f=11&t=33112

I want you to realize this: Person-to-Person file sharing programmes are the #1 cause of infection to people. The program might not be infected, but the files you download with it most certainly can - and in fact, most of them will - be infected.

Please uninstall the Person-to-Person file sharing programmes mentioned below through Add/Remove Programs in the Control Panel.

LimeWire 4.16.6

Also uninstall any other P2P programs I may have missed. Thanks :)

Submit files for analysis
We need to have something checked for malware. Please go to Jotti's.
  • Click File to upload & scan and copy and paste the first line of the following list into the browse box:
    C:\Windows\system32\twex.exe
    C:\Users\TJARMS~1\AppData\Local\Temp\Rar$EX25.574\crack.exe
  • Click Submit. The file will now be scanned for malware and the results will be displayed on the screen. Select the part where the virus scan results are shown (the part starting with A-squared and ending with VBA32) and copy and paste it into Notepad.
  • Repeat this procedure for any other files I have listed.
  • Copy and paste the whole notepad file you just made into your reply.

In your next reply, post:
- Result of Jotti scans
- New uninstall list
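The two files Odd dude asks to have checked are exactly the ones a helper picks out of a HijackThis log by looking at the entry, not the file: the F2 line shows a second program appended to the Userinit value, and two HKCU Run entries launch from Temp and AppData\Roaming under names borrowed from Windows components. The registry entry is what HijackThis reports, so it stays in the log even when the file itself is hidden or already gone, which is also why a Windows search may not find it. As an added example (not part of this thread and not HijackThis's own logic), the Python script below parses HJT 2.0 log lines of the kinds shown above and flags those entry types. The sample lines are copied from the log posted in this thread; the heuristics, the directory list, the set of Windows component names and the function names are this example's own assumptions.

```python
"""Flag suspicious persistence entries in a HijackThis 2.0 log.

Added example for this thread, not HijackThis's own logic.  The heuristics,
the directory list and the Windows component names are assumptions.
"""
import re
from dataclasses import dataclass

# Lines copied verbatim from the log posted in the thread (raw string, so the
# backslashes are literal).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Windows\system32\twex.exe,
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O4 - HKCU\..\Run: [Lsass Service] C:\Users\TJARMS~1\AppData\Local\Temp\Rar$EX25.574\crack.exe
O4 - HKCU\..\Run: [userinit] C:\Users\TJ ARMSTRONG\AppData\Roaming\twex.exe
"""

# Windows component names that malware commonly borrows (assumed list).
SYSTEM_NAMES = {"lsass", "userinit", "csrss", "svchost", "winlogon", "smss"}
# Directories any user can write to; legitimate Run entries rarely live here.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\windows\\temp\\")

HJT_LINE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
O4_LINE = re.compile(r"^HK\w+(?:\\S-[\d-]+)?\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_PATH = re.compile(r"(.*?\.(?:exe|dll|scr|com|bat|cmd))\b", re.IGNORECASE)


@dataclass
class Finding:
    section: str  # HJT section code: F2, O2 or O4
    target: str   # the path or value the finding refers to
    reason: str


def first_path(cmd: str) -> str:
    """Return the executable path of an O4 command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    head, _, rest = cmd.partition(" ")
    if head.lower() in ("rundll32.exe", "rundll32") and rest:
        return first_path(rest.split(",", 1)[0])  # the DLL is the real payload
    m = EXE_PATH.match(cmd)
    return m.group(1) if m else head


def check_userinit(body: str) -> list:
    """F2: anything besides system32\\userinit.exe runs at every logon."""
    m = re.search(r"UserInit=(.*)$", body, re.IGNORECASE)
    if not m:
        return []
    parts = [p.strip() for p in m.group(1).split(",") if p.strip()]
    return [Finding("F2", p, "extra Userinit component, runs at every logon before the shell")
            for p in parts if not p.lower().endswith("\\system32\\userinit.exe")]


def check_run(name: str, cmd: str) -> list:
    """O4: flag bare names, user-writable locations and borrowed system names."""
    path = first_path(cmd)
    low = path.lower()
    stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    reasons = []
    if "\\" not in path:
        reasons.append("bare file name, resolved through the PATH search order")
    if any(d in low for d in USER_WRITABLE):
        reasons.append("launches from a user-writable Temp/AppData directory")
    words = set(re.findall(r"[a-z]+", name.lower()))
    if (words & SYSTEM_NAMES or stem in SYSTEM_NAMES) and "\\windows\\system32\\" not in low:
        reasons.append("borrows a Windows component name but is not in system32")
    return [Finding("O4", path, r) for r in reasons]


def scan(log_text: str) -> list:
    """Run the checks over every HJT line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "F2":
            findings.extend(check_userinit(body))
        elif code == "O2" and body.endswith("(no file)"):
            guid = re.search(r"\{[0-9A-Fa-f-]+\}", body)
            findings.append(Finding("O2", guid.group(0) if guid else body,
                                    "orphaned BHO, registered but its DLL is missing"))
        elif code == "O4":
            o4 = O4_LINE.match(body)
            if o4:
                findings.extend(check_run(o4.group("name"), o4.group("cmd")))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.section:3} {f.target}\n    {f.reason}")
```

Run over the sample lines, the script leaves avgnt alone and reports the system32 twex.exe from the Userinit line, the bare frmwrk32.exe, and crack.exe and the Roaming twex.exe twice each (user-writable location plus borrowed component name). A flagged entry is a reason to look, not a verdict: the value name and location are what make these stand out, which is why a helper asks for the files to be submitted to a multi-engine scanner rather than deleting them on sight.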

Re: HJT log included, really need some help

Post by Sillywheel » February 10th, 2009, 11:08 pm

OK, I have a few questions. I didn't delete Norton or Avira because (a) Norton has a good firewall, but its virus definitions are really old and my family probably won't be purchasing it in the near future, and (b) Avira notifies me of viruses that it can't seem to delete, but Norton doesn't notify me about them. So which one should I delete? Also, I deleted LimeWire as I don't really use it much anyway. But here's the major problem: I searched for both those files, both with the search function and by manually following the paths, and... I couldn't find them. At all. So what would you recommend I do? New uninstall list:

Activation Assistant for the 2007 Microsoft Office suites
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 8.1.1
Adobe Shockwave Player
Adobe Stock Photos 1.0
Age of Mythology
AIM 6
AppCore
Apple Mobile Device Support
Apple Software Update
ASL_HS_Installer32
AV
Avira AntiVir Personal - Free Antivirus
Bonjour
Broadcom 802.11 Wireless LAN Adapter
ccCommon
Cheat Engine 5.4
Conexant HD Audio
Curse Client
DivX
EPSON Printer Software
Hewlett-Packard Active Check for Health Check
Hewlett-Packard Asset Agent for Health Check
HijackThis 2.0.2
HP Active Support Library
HP Customer Experience Enhancements
HP DVD Play 3.0
HP Easy Setup - Core
HP Easy Setup - Frontend
HP Help and Support
HP Quick Launch Buttons 6.10 B9
HP Total Care Advisor
HP Update
HP User Guide 0041
HP Wireless Assistant
HPNetworkAssistant
iTunes
Java(TM) 6 Update 11
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) SE Runtime Environment 6
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Microsoft Office Standard Edition 2003
Microsoft Works
Mozilla Firefox (3.0.6)
MSRedist
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML4 Parser
muvee autoProducer 5.0
Norton AntiVirus
Norton Confidential Browser Component
Norton Confidential Web Protection Component
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
Norton Security Scan
Norton Security Scan (Symantec Corporation)
NVIDIA Drivers
PlayNC Launcher
QuickTime
RealPlayer
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator EasyArchive
Roxio Creator Tools
Roxio Express Labeler 3
Roxio MyDVD Basic v9
Soft Data Fax Modem with SmartCP
Sonic Activation Module
SPBBC 32bit
SymNet
Synaptics Pointing Device Driver
Ventrilo Client
Viewpoint Media Player
Warcraft III
Windows Media Player Firefox Plugin
WinRAR archiver
World of Warcraft

thanks!

Re: HJT log included, really need some help

Post by Odd dude » February 11th, 2009, 10:55 am

OK, I have a few questions. I didn't delete Norton or Avira because (a) Norton has a good firewall, but its virus definitions are really old and my family probably won't be purchasing it in the near future.

In that case it is no good.
And (b) Avira notifies me of viruses that it can't seem to delete, but Norton doesn't notify me about them. So which one should I delete?

You should uninstall Norton and I can recommend you a free firewall programme once we've finished.
Also, I deleted LimeWire as I don't really use it much anyway.

Excellent :)
But here's the major problem: I searched for both those files, both with the search function and by manually following the paths, and... I couldn't find them. At all. So what would you recommend I do?

Did you copy and paste the file names into the browse box?
If you try to locate them by yourself you most likely won't find them, because they are likely to be hidden; however, if you copy and paste the paths into the box, the computer will.
If you did and the computer still gave an error about the file(s) not being there, then they are simply not there.

See if it works if after clicking Browse you copy and paste the filename into the box in which you are asked to type the file name.

In your next post, tell me if that did work and post a new hijackthis log.

Re: HJT log included, really need some help

Post by Sillywheel » February 11th, 2009, 6:20 pm

OK, Norton deleted. I copied and pasted the paths originally, in addition to manually trying to find them, but I tried again with no luck. It says that twex doesn't exist and the other path doesn't actually exist. But I just looked at the log and they're still present there. I don't know what to make of that... Anyway, here's the new log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:14:50 PM, on 2/11/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Curse\CurseClient.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\TJ ARMSTRONG\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Windows\system32\twex.exe,
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [EPSON Stylus CX7400 Series (Copy 1)] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE /FU "C:\Windows\TEMP\E_S2B4E.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Lsass Service] C:\Users\TJARMS~1\AppData\Local\Temp\Rar$EX25.574\crack.exe
O4 - HKCU\..\Run: [userinit] C:\Users\TJ ARMSTRONG\AppData\Roaming\twex.exe
O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O13 - Gopher Prefix:
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7996 bytes
Sillywheel
Active Member
Posts: 12
Joined: January 27th, 2009, 11:23 pm

Re: HJT log included, really need some help

Post by Odd dude » February 12th, 2009, 11:07 am

Sillywheel wrote: I copied and pasted the paths originally, in addition to manually trying to find them, but I tried again with no luck. It says that twex doesn't exist and the other path doesn't actually exist, but I just looked at the log and they're still present there. I don't know what to make of that...

That means the files just aren't there.
HijackThis just lists the entries; it almost never knows whether a file is actually there or not.

Just to be sure, see if you can upload this file:
C:\Users\TJ ARMSTRONG\AppData\Roaming\twex.exe
It's also one of those twex things, but in a different location.

ATF-Cleaner
Download ATF-Cleaner by Atribune to your desktop.
Start the program and place a check next to the following items:
  • Windows Temp
  • Current User Temp
  • All Users Temp
  • Temporary Internet Files
  • Java Cache
  • Recycle Bin
Now click Empty Selected and click OK.

If you use Firefox, click the Firefox tab and place a check next to Select All. Click Empty Selected and answer No at the prompt.
If you use Opera, click the Opera tab and place a check next to Select All. Click Empty Selected and answer No at the prompt.

Right-click HJT and choose Run as administrator. Click Do a system scan only. Put a check next to the following lines, close all open windows except HJT, and click Fix checked:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Windows\system32\twex.exe,
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O4 - HKCU\..\Run: [Lsass Service] C:\Users\TJARMS~1\AppData\Local\Temp\Rar$EX25.574\crack.exe
O4 - HKCU\..\Run: [userinit] C:\Users\TJ ARMSTRONG\AppData\Roaming\twex.exe

Copy and paste this into Notepad:
Code:
@echo off
setlocal EnableDelayedExpansion
rem Quarantine folder in the root of the current (system) drive.
md \oddbox 2>nul
cd \oddbox
set count=0
>Quarantine.txt echo == OD-S^&D LOGFILE ==
rem Walk the whole drive once per file name. Each search runs on its own;
rem chaining the two with ^&^& would skip the second search whenever the
rem first one found nothing (find returns 1 on no match).
for %%n in (twex.exe frmwrk32.exe) do (
    for /f "usebackq tokens=* delims=" %%i in (`dir \ /l /a /s /b 2^>nul ^| find /i "%%n"`) do (
        set /a count=!count!+1
        >>Quarantine.txt echo !count!: %%i
        rem Move the hit into the quarantine folder under a name that cannot execute.
        >>Quarantine.txt 2>&1 move "%%i" "\oddbox\%%~ni.vir!count!"
    )
)
rem Redirection goes first: with the count at the end, "echo == EOF == 0>>file"
rem is read by cmd as a redirect of handle 0 and the line never reaches the file.
>>Quarantine.txt echo == EOF == !count!
copy Quarantine.txt "%UserProfile%\Desktop\PostThis.txt" >nul
cd /d "%UserProfile%\Desktop"
notepad PostThis.txt
endlocal

Save it to your desktop as "Search.bat". Please include the quotation marks.
Double-click the file to run a small fix. It will search for some files, which might take up to ten minutes. When done, a Notepad file will pop up. I would like you to post the contents of that Notepad file in your next post.
Odd dude
Retired Graduate
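Added example (not part of the thread and not a HijackThis feature): a small Python triage script that applies the reasoning behind the entries Odd dude singled out in the post above. It takes F2 and O4 lines as plain text (the sample list is copied from the log posted earlier, with three benign vendor entries included for contrast) and flags an entry when it adds a second UserInit loader, has no directory at all, runs from Temp or AppData, or borrows a Windows component's name while living outside \Windows. The heuristics, the look-alike list and the path fragments are this example's own assumptions, not rules stated in the forum.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Entries copied from the HijackThis log posted above: the four lines that were
# to be fixed, plus three benign vendor entries to show what is NOT flagged.
SAMPLE_HJT_LINES = [
    r"F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Windows\system32\twex.exe,",
    r"O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe",
    r"O4 - HKCU\..\Run: [Lsass Service] C:\Users\TJARMS~1\AppData\Local\Temp\Rar$EX25.574\crack.exe",
    r"O4 - HKCU\..\Run: [userinit] C:\Users\TJ ARMSTRONG\AppData\Roaming\twex.exe",
    r"O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent",
]

# Windows component names that malware borrows for value names or file names (assumed list).
SYSTEM_LOOKALIKES = {"lsass", "csrss", "userinit", "winlogon", "svchost", "smss", "services"}
# Path fragments any standard user can write to; nothing legitimate auto-starts from Temp (assumption).
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\users\\", "\\documents and settings\\")


@dataclass
class Finding:
    kind: str                 # "F2" (UserInit) or "O4" (Run key)
    name: str                 # value name shown in [brackets]; "UserInit" for F2
    target: str               # executable or DLL the entry launches
    reasons: list = field(default_factory=list)


_O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# Either a quoted path, or an unquoted one ending in an executable extension (spaces allowed).
_EXE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.(?:exe|dll|scr|cpl|bat))(?=\s|$)', re.I)


def extract_target(cmd):
    """Return the file an O4 command line actually runs; rundll32 is only a host, so look past it."""
    cmd = cmd.strip()
    m = _EXE_RE.match(cmd)
    if not m:
        return cmd
    target = m.group("q") or m.group("u")
    if ntpath.basename(target).lower() == "rundll32.exe":
        rest = cmd[m.end():].strip().strip('"')
        target = rest.split(",", 1)[0].strip()      # "path\x.dll,EntryPoint" -> "path\x.dll"
    return target


def triage_hjt(lines):
    """Apply the autostart heuristics to HJT F2/O4 lines; returns only entries with at least one reason."""
    findings = []
    for line in (l.strip() for l in lines):
        if line.startswith("F2 - REG:system.ini: UserInit="):
            loaders = [p.strip() for p in line.split("UserInit=", 1)[1].split(",") if p.strip()]
            extra = [p for p in loaders if ntpath.basename(p).lower() != "userinit.exe"]
            if extra:
                findings.append(Finding("F2", "UserInit", ", ".join(extra),
                                        ["extra UserInit loader: runs at every logon, before the shell"]))
            continue
        m = _O4_RE.match(line)
        if not m:
            continue
        name, target = m.group("name"), extract_target(m.group("cmd"))
        f = Finding("O4", name, target)
        low = target.lower()
        if "\\" not in target:
            f.reasons.append("bare file name: resolved through the search path, no fixed location")
        if any(frag in low for frag in USER_WRITABLE):
            f.reasons.append("runs from a user-writable profile/temp directory")
        stem = ntpath.splitext(ntpath.basename(target))[0]
        words = set(re.findall(r"[a-z]+", (name + " " + stem).lower()))
        if words & SYSTEM_LOOKALIKES and "\\windows\\" not in low:
            f.reasons.append("name mimics a Windows component but the file lives outside \\Windows")
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LINES):
        print(f"{f.kind} [{f.name}] -> {f.target}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the sample above this flags exactly the four entries the post asks to fix and leaves the Defender, NVIDIA and Curse entries alone; the rundll32 handling matters because otherwise every NVIDIA line would trip the "bare file name" rule.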

Re: HJT log included, really need some help

Post by Sillywheel » February 12th, 2009, 8:19 pm

Ran HJT and fixed the selected entries (the twex one did not work), deleted all temp files, and ran Search.bat. A blank command prompt window came up, then after a while it said "1 File(s) copied" and gave me this:

== OD-S&D LOGFILE ==


...that is all. Also, after fixing the entries and deleting the temp files, I'm still getting fairly frequent Avira notifications.

It says C:\Windows\System32\senekadxrqximj.dll is the TR/Crypt.XPACK.Gen Trojan.

thanks!
Sillywheel
Active Member

Re: HJT log included, really need some help

Post by Odd dude » February 13th, 2009, 8:32 am

Seneka trojan = bad news
Empty logfile = good news

ComboFix
IMPORTANT NOTE: ComboFix is a VERY POWERFUL tool. DO NOT use it without expert guidance.

ComboFix uses very brute tactics to rip malware off your system. Do not panic if your antivirus software warns you about the file.

:!: Please disable all your antivirus software, firewalls, and antispyware software BEFORE running ComboFix!! :!:

(If you don't know how to do this, please inform me and do not proceed)

  • Download ComboFix from here and save it to your desktop. Do NOT save it as ComboFix.exe, rather rename it to CombiFax.exe (otherwise the virus may attack it).
  • Disable ALL antivirus/antimalware programs before proceeding!
  • Now start ComboFix.
  • The tool will check whether the Recovery Console is present on your system. If it is not, ComboFix will prompt you whether you would like to install it.
  • If it is not, make sure you are connected to the internet as ComboFix needs to download a file. When you are connected to the internet, click Yes and follow the prompts. When asked whether to continue scanning or to exit, click Yes to continue scanning (no need to disconnect from the internet as ComboFix breaks your internet connection for you).
  • Do not touch the computer AT ALL while ComboFix is running!
  • When finished, the report will open. Reenable your protection software and post the log in your next reply

If you cannot connect to the internet after running ComboFix, unplug the cable/receiver/whatever you use to connect to the internet and plug it back in.
Odd dude
Retired Graduate

Re: HJT log included, really need some help

Post by Sillywheel » February 13th, 2009, 5:12 pm

Logfile:

ComboFix 09-02-12.03 - TJ ARMSTRONG 2009-02-13 15:57:18.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1982.1167 [GMT -5:00]
Running from: c:\users\TJ ARMSTRONG\Desktop\combifax.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\TJ ARMSTRONG\AppData\Roaming\Microsoft\Windows\lsass.exe
c:\windows\Ikelejoguxabo.dll
c:\windows\system32\drivers\senekaqetfoyfl.sys
c:\windows\system32\senekadxrqximj.dll
c:\windows\system32\senekanripwgps.dat
c:\windows\system32\senekaufrvnpsi.dll
c:\windows\system32\senekavppkrhxe.dat
c:\windows\system32\test.ttt
c:\windows\system32\twain32
c:\windows\system32\twain32\local.ds
c:\windows\system32\twain32\user.ds
c:\windows\system32\uniq.tll
c:\windows\system32\warning.gif
c:\windows\system32\win32hlp.cnf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA


((((((((((((((((((((((((( Files Created from 2009-01-13 to 2009-02-13 )))))))))))))))))))))))))))))))
.

2009-02-13 16:01 . 2009-02-13 16:03 1,436 --a------ c:\windows\System32\senekagepxjfxd.dat
2009-02-13 16:01 . 2009-02-13 16:01 0 --a------ c:\windows\System32\senekapop.dll
2009-02-13 16:01 . 2009-02-13 16:01 0 --a------ c:\windows\System32\drivers\seneka.sys
2009-02-12 18:25 . 2009-02-12 18:25 <DIR> d-------- C:\oddbox
2009-02-01 01:06 . 2009-02-01 01:06 <DIR> d-------- c:\program files\Curse
2009-01-30 23:57 . 2009-01-30 23:57 <DIR> d-------- c:\users\All Users\WindowsSearch
2009-01-30 23:57 . 2009-01-30 23:57 <DIR> d-------- c:\programdata\WindowsSearch
2009-01-30 22:30 . 2009-01-31 12:23 <DIR> d-------- c:\users\Public\Games
2009-01-30 22:30 . 2009-01-30 22:30 <DIR> d-------- c:\users\All Users\Blizzard
2009-01-30 22:30 . 2009-01-30 22:30 <DIR> d-------- c:\programdata\Blizzard
2009-01-27 22:51 . 2009-01-27 22:51 <DIR> d-------- c:\users\All Users\Avira
2009-01-27 22:51 . 2009-01-27 22:51 <DIR> d-------- c:\programdata\Avira
2009-01-27 22:51 . 2009-01-27 22:51 <DIR> d-------- c:\program files\Avira
2009-01-27 21:56 . 2009-01-28 17:45 <DIR> d--hs---- c:\users\TJ ARMSTRONG\AppData\Roaming\twain32
2009-01-27 21:48 . 2009-02-03 07:32 97,802,174 --a------ c:\windows\MEMORY.DMP
2009-01-26 23:28 . 2009-01-26 23:28 <DIR> d-------- c:\users\TJ ARMSTRONG\Program Files
2009-01-26 23:25 . 2009-01-26 23:25 0 --a------ c:\windows\System32\drivers\senekactlyqdrl.sys
2009-01-26 19:32 . 2009-01-26 21:20 139,264 --a------ c:\windows\War3Unin.exe
2009-01-26 19:32 . 2009-01-26 21:20 55,187 --a------ c:\windows\War3Unin.dat
2009-01-26 19:32 . 2009-01-26 21:20 2,829 --a------ c:\windows\War3Unin.pif
2009-01-26 19:30 . 2009-02-09 23:43 <DIR> d-------- c:\program files\Warcraft III
2009-01-26 17:00 . 2009-01-27 21:58 <DIR> d-------- c:\users\TJ ARMSTRONG\AppData\Roaming\DNA
2009-01-26 17:00 . 2009-01-26 17:00 <DIR> d-------- c:\program files\DNA
2009-01-26 17:00 . 2009-01-26 17:00 <DIR> d-------- c:\program files\BitTorrent
2009-01-22 07:44 . 2009-01-22 07:44 0 --ah----- c:\windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-01-19 20:24 . 2008-05-08 16:59 180,224 --a------ c:\windows\System32\scrobj.dll
2009-01-19 20:24 . 2008-05-08 16:59 172,032 --a------ c:\windows\System32\scrrun.dll
2009-01-19 20:24 . 2008-05-08 16:58 135,168 --a------ c:\windows\System32\cscript.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-13 12:19 13,354 ----a-w c:\users\TJ ARMSTRONG\AppData\Roaming\nvModes.dat
2009-02-12 12:46 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-11 22:00 --------- d-----w c:\programdata\Symantec
2009-02-11 21:59 --------- d-----w c:\program files\Symantec
2009-02-11 02:39 --------- d-----w c:\program files\LimeWire
2009-02-11 02:34 --------- d-----w c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire
2009-01-31 11:00 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2009-01-31 06:22 --------- d-----w c:\program files\World of Warcraft
2009-01-31 03:03 --------- d-----w c:\program files\Common Files\Adobe
2009-01-31 01:47 --------- d-----w c:\program files\Silkroad
2009-01-31 01:29 --------- d-----w c:\program files\NCSoft
2009-01-27 00:39 --------- d-----w c:\programdata\Roxio
2009-01-25 08:13 --------- d-----w c:\program files\Windows Mail
2009-01-17 09:09 174 --sha-w c:\program files\desktop.ini
2009-01-08 12:24 --------- d-----w c:\program files\Cheat Engine
2008-12-18 12:41 410,984 ----a-w c:\windows\System32\deploytk.dll
2008-12-18 12:41 --------- d-----w c:\program files\Java
2008-12-16 02:42 288,768 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-07 22:21 82,432 ----a-w c:\windows\System32\axaltocm.dll
2008-12-07 22:21 101,888 ----a-w c:\windows\System32\ifxcardm.dll
2008-04-20 21:59 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-04-20 21:59 32,768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-04-20 21:59 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"EPSON Stylus CX7400 Series (Copy 1)"="c:\windows\system32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE" [2007-02-15 179200]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2008-10-10 4789760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 815104]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-12-02 167936]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 159744]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-12-04 46704]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2006-10-18 317152]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-18 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-22 185896]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2006-11-27 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-11-27 7757824]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-11-27 81920]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-07 44128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"c:\\Program Files\\NCsoft\\Exteel\\System\\Exteel.exe"= c:\program files\NCsoft\Exteel\System\Exteel.exe:*:Enabled:Exteel

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{426245FF-FD86-44A1-808F-6C65F78EB0F6}"= UDP:c:\program files\HP\QuickPlay\QP.exe:QP
"{5102BC89-BB9B-476D-A72D-6D8C72515009}"= TCP:c:\program files\HP\QuickPlay\QP.exe:QP
"{298FAB4F-536D-4FC5-B474-71842BE4A921}"= c:\program files\Compaq Connections\3572475\Program\Compaq Connections:Compaq Connections
"{B5AED527-A53D-44EF-A5CB-5763FD79DC7C}"= UDP:c:\program files\Compaq Connections\3572475\Program\Compaq Connections.exe:Compaq Connections
"{8ED81263-017D-4E79-B622-77341D771807}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{9AC08782-A6FC-4B0E-8756-0D177BC4952A}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{DFE2EC3F-F81A-4A35-AAFD-B9588DE3AB14}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{96793B7B-DC7E-466E-A987-5C3C4AAAA853}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{0381F178-CC1A-43A4-AA5B-6F1B9AE9F9E2}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{E2E329B1-A53F-41CF-8394-1CD945620BFA}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{8D4F6724-D07D-4935-9327-FCB965266A1C}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{E2417725-34DC-4710-95EC-EEE2779AB801}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{4D148BDB-1523-4C24-9EF1-C06054061C22}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{54040D5F-7A35-400D-9CFA-E2591C3E5DF0}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{551D91B1-2CD1-459E-AA3B-E734958FB583}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{A109D7F6-9AC7-40EA-B8DD-D868323C2E47}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{C8E802A6-243C-445D-B0CA-72BB0750FAB0}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{40B5B7D6-06BD-4BA6-8794-8878FDB6AC3A}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{47B38B73-354A-4290-9178-E9816961E4D2}"= UDP:c:\program files\Curse\CurseClient.exe:Curse Client
"{2199A966-BA74-499F-95E2-6F534EDC98B2}"= TCP:c:\program files\Curse\CurseClient.exe:Curse Client
"TCP Query User{11CD4A69-F24D-409F-AB97-D9DF3211C8BD}c:\\program files\\curse\\curseclient.exe"= UDP:c:\program files\curse\curseclient.exe:CurseClient
"UDP Query User{37889709-913F-4701-97FE-68F17B2FE26B}c:\\program files\\curse\\curseclient.exe"= TCP:c:\program files\curse\curseclient.exe:CurseClient
"TCP Query User{BD90144D-AD63-4337-91F0-B5F62988A704}c:\\users\\public\\games\\world of warcraft\\launcher.exe"= UDP:c:\users\public\games\world of warcraft\launcher.exe:Blizzard Launcher
"UDP Query User{6760BF8C-935D-4F54-955D-E08FE8F4BEC4}c:\\users\\public\\games\\world of warcraft\\launcher.exe"= TCP:c:\users\public\games\world of warcraft\launcher.exe:Blizzard Launcher

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
"c:\\Program Files\\NCsoft\\Exteel\\System\\Exteel.exe"= c:\program files\NCsoft\Exteel\System\Exteel.exe:*:Enabled:Exteel
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-12-17 24652]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{906d31cb-bf0e-11dc-839f-001b243b53d7}]
\shell\AutoRun\command - J:\Microsoft Points Adder 2.0.exe
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)


.
------- Supplementary Scan -------
.
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\TJ ARMSTRONG\AppData\Roaming\Mozilla\Firefox\Profiles\ih8vumjq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\users\TJ ARMSTRONG\Program Files\DNA\plugins\npbtdna.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-13 16:04:51
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3108)
c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\System32\rundll32.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\progra~1\HEWLET~1\Shared\HPQTOA~1.EXE
c:\program files\iPod\bin\iPodService.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
c:\windows\System32\wbem\WMIADAP.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2009-02-13 16:10:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-13 21:09:56

Pre-Run: 40,611,225,600 bytes free
Post-Run: 40,596,295,680 bytes free

217 --- E O F --- 2009-02-10 02:36:26
Sillywheel
Active Member

Re: HJT log included, really need some help

Post by Odd dude » February 14th, 2009, 5:21 am

This is one bad stinger... it's still lurking...

Run CFScript
Open notepad and copy/paste the following to it:

Code:
Folder::
C:\oddbox
c:\program files\DNA
c:\program files\BitTorrent
c:\program files\LimeWire
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire
Dirlook::
c:\users\TJ ARMSTRONG\AppData\Roaming\twain32
Rootkit::
c:\windows\System32\senekagepxjfxd.dat
c:\windows\System32\senekapop.dll
c:\windows\System32\drivers\seneka.sys
c:\windows\System32\drivers\senekactlyqdrl.sys
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000000
"InternetSettingsDisableNotify"=dword:00000000
"AutoUpdateDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{C8E802A6-243C-445D-B0CA-72BB0750FAB0}"=-
"{40B5B7D6-06BD-4BA6-8794-8878FDB6AC3A}"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=-
[-HKEY_CLASSES_ROOT\CLSID\{C8E802A6-243C-445D-B0CA-72BB0750FAB0}]
[-HKEY_CLASSES_ROOT\CLSID\{40B5B7D6-06BD-4BA6-8794-8878FDB6AC3A}]
[-HKEY_CLASSES_ROOT\CLSID\{906d31cb-bf0e-11dc-839f-001b243b53d7}]
[-HKEY_CLASSES_ROOT\CLSID\{C8E802A6-243C-445D-B0CA-72BB0750FAB0}]
[-HKEY_CLASSES_ROOT\CLSID\{40B5B7D6-06BD-4BA6-8794-8878FDB6AC3A}]
[-HKEY_CLASSES_ROOT\CLSID\{906d31cb-bf0e-11dc-839f-001b243b53d7}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{906d31cb-bf0e-11dc-839f-001b243b53d7}]


Save this to your desktop as "CFScript.txt".

Disconnect from the internet, disable your antimalware software like you did before, and drag CFScript into ComboFix


ComboFix will run again, please be patient and post the log like usual.
Odd dude
Retired Graduate
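Added example (not part of the thread and not a ComboFix feature): a Python script that reads the ComboFix log format shown in the previous post and pulls out the three things the CFScript above acts on. First, files whose creation time is at or after the log's own start time: the seneka files are stamped 16:01 in a run that began at 15:57, which is the evidence that the infection was re-dropping itself while ComboFix was running ("it's still lurking"). Second, the Security Center values set to 1 that silence its warnings, plus the Public Profile firewall switched off, which the CFScript above does not touch. Third, the removable-drive AutoRun command left under mountpoints2. It then emits a Registry:: block in the same CFScript syntax, resetting the tampered values. The sample log is an excerpt copied from the post above; the seneka file-name pattern, the zero-byte driver rule and the decision to reset EnableFirewall to 1 are assumptions of this example.

```python
import re
from collections import namedtuple
from datetime import datetime

# Excerpt of the ComboFix log posted above (copied lines; the real log is much longer).
SAMPLE_COMBOFIX_LOG = r"""
ComboFix 09-02-12.03 - TJ ARMSTRONG 2009-02-13 15:57:18.1 - NTFSx86
((((((((((((((((((((((((( Files Created from 2009-01-13 to 2009-02-13 )))))))))))))))))))))))))))))))
2009-02-13 16:01 . 2009-02-13 16:03 1,436 --a------ c:\windows\System32\senekagepxjfxd.dat
2009-02-13 16:01 . 2009-02-13 16:01 0 --a------ c:\windows\System32\senekapop.dll
2009-02-13 16:01 . 2009-02-13 16:01 0 --a------ c:\windows\System32\drivers\seneka.sys
2009-02-12 18:25 . 2009-02-12 18:25 <DIR> d-------- C:\oddbox
2009-01-26 23:25 . 2009-01-26 23:25 0 --a------ c:\windows\System32\drivers\senekactlyqdrl.sys
2009-01-19 20:24 . 2008-05-08 16:58 135,168 --a------ c:\windows\System32\cscript.exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{906d31cb-bf0e-11dc-839f-001b243b53d7}]
\shell\AutoRun\command - J:\Microsoft Points Adder 2.0.exe
""".strip().splitlines()

Finding = namedtuple("Finding", "kind where name detail")   # kind: file | registry | autorun

_HEADER_RE = re.compile(r"^ComboFix \S+ - .* (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ - ")
_FILE_RE = re.compile(r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
                      r"(?P<size><DIR>|[\d,]+)\s+\S+\s+(?P<path>.+)$")
_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')
_AUTORUN_RE = re.compile(r"^\\shell\\AutoRun\\command - (?P<cmd>.+)$", re.I)
# Naming pattern of the family in this thread: fixed prefix, random lowercase suffix (assumption).
_FAMILY_RE = re.compile(r"\\seneka[a-z]*\.(?:dll|dat|sys)$", re.I)


def parse_dword(text):
    """REGEDIT4 'dword:00000001' or ComboFix's '0 (0x0)' display form -> int (both are hex)."""
    m = re.match(r"\s*(?:dword:)?([0-9a-fA-F]+)", text)
    return int(m.group(1), 16) if m else None


def triage_combofix(lines):
    scan_start, current_key, findings = None, "", []
    for line in (l.strip() for l in lines):
        m = _HEADER_RE.match(line)
        if m:   # the log's own start time (to the minute) is the reference for "created during the scan"
            scan_start = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(second=0)
            continue
        m = _FILE_RE.match(line)
        if m:
            path, size = m.group("path"), m.group("size")
            created = datetime.strptime(m.group("created"), "%Y-%m-%d %H:%M")
            if scan_start and created >= scan_start:
                findings.append(Finding("file", path, "", "created after the scan started: still active, re-dropping itself"))
            if _FAMILY_RE.search(path):
                findings.append(Finding("file", path, "", "seneka-family name (fixed prefix, random suffix)"))
            if size == "0" and path.lower().endswith(".sys"):
                findings.append(Finding("file", path, "", "zero-byte driver file"))
            continue
        m = _KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = _VALUE_RE.match(line)
        if m:
            name, value, key_l = m.group("name"), parse_dword(m.group("value")), current_key.lower()
            if "security center" in key_l and value == 1 and (name.endswith("DisableNotify") or name == "DisableMonitoring"):
                findings.append(Finding("registry", current_key, name, "Security Center warning/monitoring switched off"))
            elif "firewallpolicy" in key_l and name == "EnableFirewall" and value == 0:
                findings.append(Finding("registry", current_key, name, "Windows Firewall disabled for this profile"))
            continue
        m = _AUTORUN_RE.match(line)
        if m and "mountpoints2" in current_key.lower():
            findings.append(Finding("autorun", current_key, "", f"AutoRun command left by a removable drive: {m.group('cmd')}"))
    return findings


def cfscript_registry_fix(findings):
    """Build a 'Registry::' block in CFScript syntax that resets every tampered value, grouped by key."""
    by_key = {}
    for f in findings:
        if f.kind == "registry":
            reset = "00000001" if f.name == "EnableFirewall" else "00000000"
            by_key.setdefault(f.where, []).append(f'"{f.name}"=dword:{reset}')
    lines = ["Registry::"]
    for key, values in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(values)
    return lines


if __name__ == "__main__":
    found = triage_combofix(SAMPLE_COMBOFIX_LOG)
    for f in found:
        print(f"{f.kind:8} {f.where} {f.name} :: {f.detail}")
    print("\n".join(cfscript_registry_fix(found)))
```

The timestamp comparison is the part worth keeping in your own toolbox: any file that appears in a scanner's "created" list with a time later than the scanner's own start line was written by something still running on the box, whatever its name.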

Re: HJT log included, really need some help

Post by Sillywheel » February 15th, 2009, 1:15 pm

I don't know if this means anything, but right before ComboFix rebooted my computer, a "this application failed to initialize" window popped up, and the application was "catchme.something"; I didn't have time to read the file type. But anyway, here's the new log:


ComboFix 09-02-12.03 - TJ ARMSTRONG 2009-02-15 12:00:24.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1982.1396 [GMT -5:00]
Running from: c:\users\TJ ARMSTRONG\Desktop\combifax.exe
Command switches used :: c:\users\TJ ARMSTRONG\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\oddbox
c:\oddbox\Quarantine.txt
c:\program files\BitTorrent
c:\program files\BitTorrent\bittorrent.exe
c:\program files\BitTorrent\BitTorrentIE.2.dll
c:\program files\BitTorrent\uninst.exe
c:\program files\DNA
c:\program files\DNA\btdna.exe
c:\program files\DNA\DNAcpl.cpl
c:\program files\DNA\plugins\npbtdna.dll
c:\program files\LimeWire
c:\program files\LimeWire\lib\aopalliance.jar
c:\program files\LimeWire\lib\clink.jar
c:\program files\LimeWire\lib\commons-httpclient.jar
c:\program files\LimeWire\lib\commons-logging.jar
c:\program files\LimeWire\lib\commons-net.jar
c:\program files\LimeWire\lib\commons-pool.jar
c:\program files\LimeWire\lib\daap.jar
c:\program files\LimeWire\lib\forms.jar
c:\program files\LimeWire\lib\foxtrot.jar
c:\program files\LimeWire\lib\gettext-commons.jar
c:\program files\LimeWire\lib\guice-1.0.jar
c:\program files\LimeWire\lib\httpcore-nio.jar
c:\program files\LimeWire\lib\httpcore.jar
c:\program files\LimeWire\lib\icu4j.jar
c:\program files\LimeWire\lib\id3v2.jar
c:\program files\LimeWire\lib\jcraft.jar
c:\program files\LimeWire\lib\jdic.dll
c:\program files\LimeWire\lib\jdic.jar
c:\program files\LimeWire\lib\jdic_stub.jar
c:\program files\LimeWire\lib\jflac.jar
c:\program files\LimeWire\lib\jl.jar
c:\program files\LimeWire\lib\jmdns.jar
c:\program files\LimeWire\lib\jogg.jar
c:\program files\LimeWire\lib\jorbis.jar
c:\program files\LimeWire\lib\LimeWire.jar
c:\program files\LimeWire\lib\log4j.jar
c:\program files\LimeWire\lib\looks.jar
c:\program files\LimeWire\lib\messages.jar
c:\program files\LimeWire\lib\mp3spi.jar
c:\program files\LimeWire\lib\ProgressTabs.jar
c:\program files\LimeWire\lib\swt.jar
c:\program files\LimeWire\lib\SystemUtilities.dll
c:\program files\LimeWire\lib\themes.jar
c:\program files\LimeWire\lib\tray.dll
c:\program files\LimeWire\lib\tritonus.jar
c:\program files\LimeWire\lib\vorbisspi.jar
c:\program files\LimeWire\LimeWire.exe
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\.NetworkShare\LimeWireWin4.16.6.exe
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\.NetworkShare\teams.txt
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\414splashfree.png
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\createtimes.cache
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\fileurns.bak
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\fileurns.cache
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\filters.props
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\gnutella.net
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\installation.props
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\library.dat
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\limewire.props
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\mojito.props
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\questions.props
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\responses.cache
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\simpp.xml
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\spam.dat
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\tables.props
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\themes\windows_theme.lwtp
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\themes\windows_theme\01_star.gif
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\themes\windows_theme\02_star.gif
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\themes\windows_theme\03_star.gif
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\themes\windows_theme\04_star.gif
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\themes\windows_theme\05_star.gif
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\themes\windows_theme\chat.gif
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\themes\windows_theme\forward_dn.gif
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\themes\windows_theme\forward_up.gif
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\themes\windows_theme\kill.gif
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\themes\windows_theme\kill_on.gif
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\themes\windows_theme\logo.png
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\themes\windows_theme\notsearching.png
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\themes\windows_theme\pause_dn.gif
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\themes\windows_theme\pause_up.gif
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\themes\windows_theme\play_dn.gif
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\themes\windows_theme\play_up.gif
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\themes\windows_theme\question.gif
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\themes\windows_theme\rewind_dn.gif
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\themes\windows_theme\rewind_up.gif
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\themes\windows_theme\searching.gif
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\themes\windows_theme\splash.png
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\themes\windows_theme\splashpro.png
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\themes\windows_theme\stop_dn.gif
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\themes\windows_theme\stop_up.gif
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\themes\windows_theme\theme.txt
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\themes\windows_theme\version.txt
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\themes\windows_theme\warning.gif
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\ttree.cache
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\ttrees.cache
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\ttroot.cache
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\version.xml
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\xml\data\delete_me
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\xml\misc\application.gif
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\xml\misc\audio.gif
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\xml\misc\document.gif
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\xml\misc\image.gif
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\xml\misc\video.gif
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\xml\schemas\application.xsd
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\xml\schemas\audio.xsd
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\xml\schemas\document.xsd
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\xml\schemas\image.xsd
c:\users\TJ ARMSTRONG\AppData\Roaming\LimeWire\xml\schemas\video.xsd
c:\windows\system32\drivers\seneka.sys
c:\windows\System32\drivers\senekactlyqdrl.sys
c:\windows\System32\senekagepxjfxd.dat
c:\windows\system32\senekapop.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_seneka


((((((((((((((((((((((((( Files Created from 2009-01-15 to 2009-02-15 )))))))))))))))))))))))))))))))
.

2009-02-11 16:55 . 2009-01-14 22:36 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2009-02-11 16:55 . 2009-01-15 01:11 827,392 --a------ c:\windows\System32\wininet.dll
2009-02-01 01:06 . 2009-02-01 01:06 <DIR> d-------- c:\program files\Curse
2009-01-30 23:57 . 2009-01-30 23:57 <DIR> d-------- c:\users\All Users\WindowsSearch
2009-01-30 23:57 . 2009-01-30 23:57 <DIR> d-------- c:\programdata\WindowsSearch
2009-01-30 22:30 . 2009-01-31 12:23 <DIR> d-------- c:\users\Public\Games
2009-01-30 22:30 . 2009-01-30 22:30 <DIR> d-------- c:\users\All Users\Blizzard
2009-01-30 22:30 . 2009-01-30 22:30 <DIR> d-------- c:\programdata\Blizzard
2009-01-27 22:51 . 2009-01-27 22:51 <DIR> d-------- c:\users\All Users\Avira
2009-01-27 22:51 . 2009-01-27 22:51 <DIR> d-------- c:\programdata\Avira
2009-01-27 22:51 . 2009-01-27 22:51 <DIR> d-------- c:\program files\Avira
2009-01-27 21:56 . 2009-01-28 17:45 <DIR> d--hs---- c:\users\TJ ARMSTRONG\AppData\Roaming\twain32
2009-01-27 21:48 . 2009-02-03 07:32 97,802,174 --a------ c:\windows\MEMORY.DMP
2009-01-26 23:28 . 2009-01-26 23:28 <DIR> d-------- c:\users\TJ ARMSTRONG\Program Files
2009-01-26 19:32 . 2009-01-26 21:20 139,264 --a------ c:\windows\War3Unin.exe
2009-01-26 19:32 . 2009-01-26 21:20 55,187 --a------ c:\windows\War3Unin.dat
2009-01-26 19:32 . 2009-01-26 21:20 2,829 --a------ c:\windows\War3Unin.pif
2009-01-26 19:30 . 2009-02-09 23:43 <DIR> d-------- c:\program files\Warcraft III
2009-01-26 17:00 . 2009-01-27 21:58 <DIR> d-------- c:\users\TJ ARMSTRONG\AppData\Roaming\DNA
2009-01-22 07:44 . 2009-01-22 07:44 0 --ah----- c:\windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-01-19 20:24 . 2008-05-08 16:59 180,224 --a------ c:\windows\System32\scrobj.dll
2009-01-19 20:24 . 2008-05-08 16:59 172,032 --a------ c:\windows\System32\scrrun.dll
2009-01-19 20:24 . 2008-05-08 16:58 135,168 --a------ c:\windows\System32\cscript.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-15 08:00 --------- d-----w c:\program files\Windows Mail
2009-02-14 17:21 13,354 ----a-w c:\users\TJ ARMSTRONG\AppData\Roaming\nvModes.dat
2009-02-12 12:46 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-11 22:00 --------- d-----w c:\programdata\Symantec
2009-02-11 21:59 --------- d-----w c:\program files\Symantec
2009-01-31 11:00 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2009-01-31 06:22 --------- d-----w c:\program files\World of Warcraft
2009-01-31 03:03 --------- d-----w c:\program files\Common Files\Adobe
2009-01-31 01:47 --------- d-----w c:\program files\Silkroad
2009-01-31 01:29 --------- d-----w c:\program files\NCSoft
2009-01-27 00:39 --------- d-----w c:\programdata\Roxio
2009-01-17 09:09 174 --sha-w c:\program files\desktop.ini
2009-01-08 12:24 --------- d-----w c:\program files\Cheat Engine
2008-12-18 12:41 410,984 ----a-w c:\windows\System32\deploytk.dll
2008-12-18 12:41 --------- d-----w c:\program files\Java
2008-12-16 02:42 288,768 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-07 22:21 82,432 ----a-w c:\windows\System32\axaltocm.dll
2008-12-07 22:21 101,888 ----a-w c:\windows\System32\ifxcardm.dll
2008-04-20 21:59 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-04-20 21:59 32,768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-04-20 21:59 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\users\TJ ARMSTRONG\AppData\Roaming\twain32 ----

2009-01-28 17:45 35150 --a------ c:\users\TJ ARMSTRONG\AppData\Roaming\twain32\local.ds
2009-01-27 21:57 0 --a------ c:\users\TJ ARMSTRONG\AppData\Roaming\twain32\user.ds


((((((((((((((((((((((((((((( SnapShot@2009-02-13_16.08.36.78 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-15 17:00:12 6,438,912 ----a-w c:\windows\ERDNT\Hiv-backup\SCHEMA.DAT
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2009-02-15 17:02:46 6,438,912 ----a-w c:\windows\ERDNT\subs\SCHEMA.DAT
- 2009-02-13 21:04:48 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2009-02-15 17:04:52 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2009-02-13 21:04:48 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-02-15 17:04:52 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2009-02-13 20:56:37 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-02-15 15:47:51 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-02-13 20:56:37 81,920 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-15 15:47:51 81,920 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-02-13 20:56:37 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-02-15 15:47:51 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-10-16 04:47:29 6,068,736 ----a-w c:\windows\System32\ieframe.dll
+ 2009-01-15 06:07:53 6,069,248 ----a-w c:\windows\System32\ieframe.dll
- 2008-10-16 04:47:29 270,336 ----a-w c:\windows\System32\iertutil.dll
+ 2009-01-15 06:07:53 270,336 ----a-w c:\windows\System32\iertutil.dll
- 2008-10-16 04:47:30 28,160 ----a-w c:\windows\System32\jsproxy.dll
+ 2009-01-15 06:08:05 28,160 ----a-w c:\windows\System32\jsproxy.dll
- 2009-01-09 22:35:30 20,853,704 ----a-w c:\windows\System32\mrt.exe
+ 2009-02-12 04:56:17 21,244,872 ----a-w c:\windows\System32\mrt.exe
- 2008-01-19 07:34:58 458,240 ----a-w c:\windows\System32\msfeeds.dll
+ 2009-01-15 06:08:34 458,240 ----a-w c:\windows\System32\msfeeds.dll
- 2008-12-12 05:52:52 3,578,880 ----a-w c:\windows\System32\mshtml.dll
+ 2009-01-15 06:08:35 3,580,416 ----a-w c:\windows\System32\mshtml.dll
- 2008-10-16 04:47:32 671,232 ----a-w c:\windows\System32\mstime.dll
+ 2009-01-15 06:08:50 671,232 ----a-w c:\windows\System32\mstime.dll
- 2009-02-13 21:03:35 101,350 ----a-w c:\windows\System32\perfc009.dat
+ 2009-02-15 08:14:51 101,350 ----a-w c:\windows\System32\perfc009.dat
- 2009-02-13 21:03:35 595,684 ----a-w c:\windows\System32\perfh009.dat
+ 2009-02-15 08:14:51 595,684 ----a-w c:\windows\System32\perfh009.dat
- 2009-02-11 22:00:54 6,553,600 ----a-w c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-02-15 17:02:46 6,438,912 ----a-w c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
- 2008-10-16 04:47:34 1,166,336 ----a-w c:\windows\System32\urlmon.dll
+ 2009-01-15 06:11:05 1,166,336 ----a-w c:\windows\System32\urlmon.dll
- 2009-02-13 20:58:49 7,436 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3558910601-4160562679-851209434-1000_UserData.bin
+ 2009-02-13 21:06:26 7,656 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3558910601-4160562679-851209434-1000_UserData.bin
- 2009-02-13 20:58:48 58,314 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-02-13 21:06:14 58,386 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2009-02-13 21:03:28 2,470 ----a-w c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2009-02-15 08:07:17 2,470 ----a-w c:\windows\System32\WDI\ERCQueuedResolutions.dat
- 2009-02-13 20:58:46 36,524 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-02-13 21:06:13 36,778 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-02-13 12:18:57 219,828 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-02-15 06:39:38 222,068 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2009-02-11 21:54:07 162,250,160 ----a-w c:\windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
+ 2009-02-15 08:00:21 162,402,990 ----a-w c:\windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
+ 2009-01-15 04:15:58 124,928 ----a-w c:\windows\winsxs\x86_microsoft-windows-advpack_31bf3856ad364e35_6.0.6000.16809_none_a9ee2d39f5a1db5c\advpack.dll
+ 2009-01-15 04:14:44 124,928 ----a-w c:\windows\winsxs\x86_microsoft-windows-advpack_31bf3856ad364e35_6.0.6000.20996_none_aa1379db0f0b2a9a\advpack.dll
+ 2009-01-15 04:16:02 44,544 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..ablenetworkgraphics_31bf3856ad364e35_6.0.6000.16809_none_ebe936e9163ac15b\pngfilt.dll
+ 2009-01-15 04:18:35 44,544 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..ablenetworkgraphics_31bf3856ad364e35_6.0.6000.20996_none_ec0e838a2fa41099\pngfilt.dll
+ 2009-01-15 04:16:03 1,160,192 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_6.0.6000.16809_none_b305df9bd99b38bf\urlmon.dll
+ 2009-01-15 04:19:06 1,163,264 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_6.0.6000.20996_none_b32b2c3cf30487fd\urlmon.dll
+ 2009-01-15 06:11:05 1,166,336 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_6.0.6001.18203_none_b4e61c85d6c731a6\urlmon.dll
+ 2009-01-16 04:59:50 1,166,848 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_6.0.6001.22355_none_b53baa48f00b8fd3\urlmon.dll
+ 2009-01-15 04:16:01 671,232 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..mlrenderingadvanced_31bf3856ad364e35_6.0.6000.16809_none_dee86e647f43f82e\mstime.dll
+ 2009-01-15 04:17:12 671,232 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..mlrenderingadvanced_31bf3856ad364e35_6.0.6000.20996_none_df0dbb0598ad476c\mstime.dll
+ 2009-01-15 06:08:50 671,232 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..mlrenderingadvanced_31bf3856ad364e35_6.0.6001.18203_none_e0c8ab4e7c6ff115\mstime.dll
+ 2009-01-16 04:57:07 671,232 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..mlrenderingadvanced_31bf3856ad364e35_6.0.6001.22355_none_e11e391195b44f42\mstime.dll
+ 2009-01-15 04:16:00 27,648 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6000.16809_none_000bbb3da4a45f52\jsproxy.dll
+ 2009-01-15 04:16:03 826,368 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6000.16809_none_000bbb3da4a45f52\wininet.dll
+ 2009-01-15 04:16:03 64,512 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6000.16809_none_000bbb3da4a45f52\WininetPlugin.dll
+ 2009-01-15 04:16:04 27,648 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6000.20996_none_003107debe0dae90\jsproxy.dll
+ 2009-01-15 04:19:13 827,904 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6000.20996_none_003107debe0dae90\wininet.dll
+ 2009-01-15 04:19:13 64,512 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6000.20996_none_003107debe0dae90\WininetPlugin.dll
+ 2009-01-15 06:08:05 28,160 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6001.18203_none_01ebf827a1d05839\jsproxy.dll
+ 2009-01-15 06:11:16 827,392 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6001.18203_none_01ebf827a1d05839\wininet.dll
+ 2009-01-16 04:56:01 28,160 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6001.22355_none_024185eabb14b666\jsproxy.dll
+ 2009-01-16 05:00:04 827,904 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6001.22355_none_024185eabb14b666\wininet.dll
+ 2009-01-16 05:00:04 64,512 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6001.22355_none_024185eabb14b666\WininetPlugin.dll
+ 2009-01-15 04:16:00 383,488 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-antiphishfilter_31bf3856ad364e35_6.0.6000.16809_none_f9b4de176e8fd9a5\ieapfltr.dll
+ 2009-01-15 04:15:42 380,928 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-antiphishfilter_31bf3856ad364e35_6.0.6000.20996_none_f9da2ab887f928e3\ieapfltr.dll
+ 2009-01-15 04:15:59 347,136 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-directxtransforms_31bf3856ad364e35_6.0.6000.16809_none_95e916cf84755fd3\dxtmsft.dll
+ 2009-01-15 04:15:59 214,528 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-directxtransforms_31bf3856ad364e35_6.0.6000.16809_none_95e916cf84755fd3\dxtrans.dll
+ 2009-01-15 04:15:22 347,136 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-directxtransforms_31bf3856ad364e35_6.0.6000.20996_none_960e63709ddeaf11\dxtmsft.dll
+ 2009-01-15 04:15:22 214,528 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-directxtransforms_31bf3856ad364e35_6.0.6000.20996_none_960e63709ddeaf11\dxtrans.dll
+ 2009-01-15 04:16:00 459,264 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-feeds-platform_31bf3856ad364e35_6.0.6000.16809_none_5e09520c3d47b20a\msfeeds.dll
+ 2009-01-15 04:16:41 459,264 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-feeds-platform_31bf3856ad364e35_6.0.6000.20996_none_5e2e9ead56b10148\msfeeds.dll
+ 2009-01-15 06:08:34 458,240 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-feeds-platform_31bf3856ad364e35_6.0.6001.18203_none_5fe98ef63a73aaf1\msfeeds.dll
+ 2009-01-16 04:56:39 458,240 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-feeds-platform_31bf3856ad364e35_6.0.6001.22355_none_603f1cb953b8091e\msfeeds.dll
+ 2009-01-15 04:16:00 477,696 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-htmlediting_31bf3856ad364e35_6.0.6000.16809_none_464bb12746361260\mshtmled.dll
+ 2009-01-15 04:16:46 477,696 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-htmlediting_31bf3856ad364e35_6.0.6000.20996_none_4670fdc85f9f619e\mshtmled.dll
+ 2009-01-15 04:16:00 3,594,752 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6000.16809_none_1165da5c24fac888\mshtml.dll
+ 2009-01-15 04:16:45 3,596,288 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6000.20996_none_118b26fd3e6417c6\mshtml.dll
+ 2009-01-15 06:08:35 3,580,416 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6001.18203_none_134617462226c16f\mshtml.dll
+ 2009-01-16 04:56:43 3,580,928 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6001.22355_none_139ba5093b6b1f9c\mshtml.dll
+ 2009-01-15 04:16:00 63,488 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-infocard_31bf3856ad364e35_6.0.6000.16809_none_58be4726670f5491\icardie.dll
+ 2009-01-15 04:15:42 63,488 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-infocard_31bf3856ad364e35_6.0.6000.20996_none_58e393c78078a3cf\icardie.dll
+ 2009-01-15 04:15:30 26,624 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16809_none_2d84c7c91ccfce35\ieUnatt.exe
+ 2009-01-15 04:14:36 634,024 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16809_none_2d84c7c91ccfce35\iexplore.exe
+ 2009-01-15 02:05:46 26,624 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.20996_none_2daa146a36391d73\ieUnatt.exe
+ 2009-01-15 04:18:47 634,024 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.20996_none_2daa146a36391d73\iexplore.exe
+ 2009-01-15 04:16:00 267,776 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_6.0.6000.16809_none_45c672198f557daf\iertutil.dll
+ 2009-01-15 04:16:02 134,144 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_6.0.6000.16809_none_45c672198f557daf\sqmapi.dll
+ 2009-01-15 04:15:44 267,776 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_6.0.6000.20996_none_45ebbebaa8becced\iertutil.dll
+ 2009-01-15 04:18:57 134,144 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_6.0.6000.20996_none_45ebbebaa8becced\sqmapi.dll
+ 2009-01-15 06:07:53 270,336 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_6.0.6001.18203_none_47a6af038c817696\iertutil.dll
+ 2009-01-16 04:55:51 270,848 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_6.0.6001.22355_none_47fc3cc6a5c5d4c3\iertutil.dll
+ 2009-01-16 04:59:31 129,536 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_6.0.6001.22355_none_47fc3cc6a5c5d4c3\sqmapi.dll
+ 2009-01-15 04:15:30 70,656 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.16809_none_c3f37ce4614a96da\ie4uinit.exe
+ 2009-01-15 04:16:00 44,544 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.16809_none_c3f37ce4614a96da\iernonce.dll
+ 2009-01-15 04:16:00 56,320 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.16809_none_c3f37ce4614a96da\iesetup.dll
+ 2009-01-15 02:05:40 70,656 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.20996_none_c418c9857ab3e618\ie4uinit.exe
+ 2009-01-15 04:15:44 44,544 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.20996_none_c418c9857ab3e618\iernonce.dll
+ 2009-01-15 04:15:44 56,320 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.20996_none_c418c9857ab3e618\iesetup.dll
+ 2009-01-15 04:16:00 52,736 ----a-w c:\windows\winsxs\x86_microsoft-windows-iebrshim_31bf3856ad364e35_6.0.6000.16809_none_2a18935467fa6c37\iebrshim.dll
+ 2009-01-15 04:15:42 52,736 ----a-w c:\windows\winsxs\x86_microsoft-windows-iebrshim_31bf3856ad364e35_6.0.6000.20996_none_2a3ddff58163bb75\iebrshim.dll
+ 2009-01-15 04:16:00 6,066,688 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_6.0.6000.16809_none_62c5345fb0f056b5\ieframe.dll
+ 2009-01-15 04:16:00 180,736 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_6.0.6000.16809_none_62c5345fb0f056b5\ieui.dll
+ 2009-01-15 04:15:44 6,068,736 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_6.0.6000.20996_none_62ea8100ca59a5f3\ieframe.dll
+ 2009-01-15 04:15:44 180,736 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_6.0.6000.20996_none_62ea8100ca59a5f3\ieui.dll
+ 2009-01-15 06:07:53 6,069,248 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_6.0.6001.18203_none_64a57149ae1c4f9c\ieframe.dll
+ 2009-01-16 04:55:51 6,070,784 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_6.0.6001.22355_none_64faff0cc760adc9\ieframe.dll
+ 2009-01-16 04:55:51 180,736 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_6.0.6001.22355_none_64faff0cc760adc9\ieui.dll
+ 2009-01-15 04:15:30 263,168 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieinstal_31bf3856ad364e35_6.0.6000.16809_none_e6bea0de9473aaed\ieinstal.exe
+ 2009-01-15 02:05:59 263,168 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieinstal_31bf3856ad364e35_6.0.6000.20996_none_e6e3ed7faddcfa2b\ieinstal.exe
+ 2009-01-15 04:15:30 301,568 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieuser_31bf3856ad364e35_6.0.6000.16809_none_0b66d5fad6ee6a9f\ieuser.exe
+ 2009-01-15 02:06:01 301,568 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieuser_31bf3856ad364e35_6.0.6000.20996_none_0b8c229bf057b9dd\ieuser.exe
+ 2009-01-09 23:21:31 2,410,800 ----a-w c:\windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6000.16808_none_f0a9e19a6e4c873c\OESpamFilter.dat
+ 2009-01-08 23:21:51 2,410,800 ----a-w c:\windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6000.20995_none_f0cf2e3b87b5d67a\OESpamFilter.dat
+ 2009-01-08 23:21:09 2,410,800 ----a-w c:\windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6001.18202_none_f28a1e846b788023\OESpamFilter.dat
+ 2009-01-08 23:21:04 2,410,800 ----a-w c:\windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6001.22353_none_f2deabfd84bdc4f9\OESpamFilter.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"EPSON Stylus CX7400 Series (Copy 1)"="c:\windows\system32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE" [2007-02-15 179200]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2008-10-10 4789760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 815104]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-12-02 167936]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 159744]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-12-04 46704]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2006-10-18 317152]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-18 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-22 185896]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2006-11-27 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-11-27 7757824]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-11-27 81920]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-07 44128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"c:\\Program Files\\NCsoft\\Exteel\\System\\Exteel.exe"= c:\program files\NCsoft\Exteel\System\Exteel.exe:*:Enabled:Exteel

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{426245FF-FD86-44A1-808F-6C65F78EB0F6}"= UDP:c:\program files\HP\QuickPlay\QP.exe:QP
"{5102BC89-BB9B-476D-A72D-6D8C72515009}"= TCP:c:\program files\HP\QuickPlay\QP.exe:QP
"{298FAB4F-536D-4FC5-B474-71842BE4A921}"= c:\program files\Compaq Connections\3572475\Program\Compaq Connections:Compaq Connections
"{B5AED527-A53D-44EF-A5CB-5763FD79DC7C}"= UDP:c:\program files\Compaq Connections\3572475\Program\Compaq Connections.exe:Compaq Connections
"{8ED81263-017D-4E79-B622-77341D771807}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{9AC08782-A6FC-4B0E-8756-0D177BC4952A}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{DFE2EC3F-F81A-4A35-AAFD-B9588DE3AB14}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{96793B7B-DC7E-466E-A987-5C3C4AAAA853}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{0381F178-CC1A-43A4-AA5B-6F1B9AE9F9E2}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{E2E329B1-A53F-41CF-8394-1CD945620BFA}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{8D4F6724-D07D-4935-9327-FCB965266A1C}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{E2417725-34DC-4710-95EC-EEE2779AB801}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{4D148BDB-1523-4C24-9EF1-C06054061C22}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{54040D5F-7A35-400D-9CFA-E2591C3E5DF0}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{551D91B1-2CD1-459E-AA3B-E734958FB583}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{A109D7F6-9AC7-40EA-B8DD-D868323C2E47}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{47B38B73-354A-4290-9178-E9816961E4D2}"= UDP:c:\program files\Curse\CurseClient.exe:Curse Client
"{2199A966-BA74-499F-95E2-6F534EDC98B2}"= TCP:c:\program files\Curse\CurseClient.exe:Curse Client
"TCP Query User{11CD4A69-F24D-409F-AB97-D9DF3211C8BD}c:\\program files\\curse\\curseclient.exe"= UDP:c:\program files\curse\curseclient.exe:CurseClient
"UDP Query User{37889709-913F-4701-97FE-68F17B2FE26B}c:\\program files\\curse\\curseclient.exe"= TCP:c:\program files\curse\curseclient.exe:CurseClient
"TCP Query User{BD90144D-AD63-4337-91F0-B5F62988A704}c:\\users\\public\\games\\world of warcraft\\launcher.exe"= UDP:c:\users\public\games\world of warcraft\launcher.exe:Blizzard Launcher
"UDP Query User{6760BF8C-935D-4F54-955D-E08FE8F4BEC4}c:\\users\\public\\games\\world of warcraft\\launcher.exe"= TCP:c:\users\public\games\world of warcraft\launcher.exe:Blizzard Launcher

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
"c:\\Program Files\\NCsoft\\Exteel\\System\\Exteel.exe"= c:\program files\NCsoft\Exteel\System\Exteel.exe:*:Enabled:Exteel

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-12-17 24652]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\TJ ARMSTRONG\AppData\Roaming\Mozilla\Firefox\Profiles\ih8vumjq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
1 file(s) moved.
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\users\TJ ARMSTRONG\Program Files\DNA\plugins\npbtdna.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-15 12:04:55
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1084)
c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\System32\rundll32.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\progra~1\HEWLET~1\Shared\HPQTOA~1.EXE
c:\program files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\System32\wbem\WMIADAP.exe
c:\windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2009-02-15 12:09:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-15 17:09:45
ComboFix2.txt 2009-02-13 21:10:12

Pre-Run: 40,628,260,864 bytes free
Post-Run: 40,429,875,200 bytes free

430 --- E O F --- 2009-02-15 08:01:59
Sillywheel
Active Member
 
Posts: 12
Joined: January 27th, 2009, 11:23 pm

Re: HJT log included, really need some help

Unread postby Odd dude » February 15th, 2009, 2:52 pm

I don't know if this means anything, but right before ComboFix rebooted my computer, a "this application failed to initialize" window popped up, and the application was "catchme.something"; I didn't have time to read the file type.

Most likely a small hiccup in ComboFix; it must've tried to launch catchme while Windows was already shutting down. Nothing to worry about.

I would like to double check anyway, maybe we're dealing with an infection which is more severe than I initially envisioned.

GMER
Do not touch the computer while GMER is running! If you do, it'll go completely unresponsive and you'll have to shut it down using the power switch. Just don't touch the PC while GMER is working.
Please download gmer.zip by GMER and save it to your desktop.

  • Right click the file you just downloaded and choose Extract all
  • Click Next
  • Click Browse
  • Click the + next to My Computer
  • Click Local Disk (C:)
  • Click Make new folder
  • Enter GMER
  • Click OK, then Next
  • Check Show extracted files and click Finish
  • Double click on GMER.exe to run it.
  • Select the Rootkit tab.
  • On the right hand side, check all the items to be scanned, but leave Show All box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click on the Scan button.
  • When the scan is finished, click Copy to save the scan log to the Windows clipboard.
  • Open Notepad or a similar text editor.
  • Paste the clipboard contents into the text editor.
  • Save the GMER scan log and post it in your next reply.
  • Close GMER.

If GMER refuses to run please rename it to ggmmeerr.exe and try again.
User avatar
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: HJT log included, really need some help

Unread postby Sillywheel » February 16th, 2009, 10:09 pm

Hey, here's the log, and everything is running way better since running ComboFix.

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-16 21:07:26
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.14 ----

SSDT 95E2F79C ZwCreateThread
SSDT 95E2F788 ZwOpenProcess
SSDT 95E2F78D ZwOpenThread
SSDT 95E2F797 ZwTerminateProcess
SSDT 95E2F792 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!KeSetTimerEx + 454 81CBAA18 4 Bytes [ 9C, F7, E2, 95 ]
.text ntkrnlpa.exe!KeSetTimerEx + 624 81CBABE8 4 Bytes [ 88, F7, E2, 95 ]
.text ntkrnlpa.exe!KeSetTimerEx + 640 81CBAC04 4 Bytes [ 8D, F7, E2, 95 ]
.text ntkrnlpa.exe!KeSetTimerEx + 854 81CBAE18 4 Bytes [ 97, F7, E2, 95 ]
.text ntkrnlpa.exe!KeSetTimerEx + 8B4 81CBAE78 4 Bytes [ 92, F7, E2, 95 ]
? C:\combifax\catchme.sys The system cannot find the path specified. !
? C:\Windows\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.14 ----
Sillywheel
Active Member
 
Posts: 12
Joined: January 27th, 2009, 11:23 pm
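The GMER log in the post above lists five SSDT entries and five 4-byte patches inside ntkrnlpa.exe. As an added triage example (not code from this thread, from GMER or from the forum's helpers), the Python script below parses those two sections from an excerpt of the posted log, decodes each patched dword little-endian (x86 kernel) and checks whether it equals one of the SSDT hook addresses. When it does, the "code section" patch is simply the service table slot that now holds the hook's address, and the two GMER sections are describing the same five hooks rather than ten separate findings. It also measures how the hook addresses are spaced. The log does not say which driver owns the 0x95E2F7xx addresses; those five services are hooked by anti-virus self-protection drivers as well as by malware, so identifying the owning module is the next step and is not something this script can decide.

```python
import re
from typing import Dict, List, Tuple

# Excerpt of the GMER log posted above, trimmed to the two sections the
# script uses (the lines themselves are the ones in the post).
GMER_LOG = """\
---- System - GMER 1.0.14 ----

SSDT 95E2F79C ZwCreateThread
SSDT 95E2F788 ZwOpenProcess
SSDT 95E2F78D ZwOpenThread
SSDT 95E2F797 ZwTerminateProcess
SSDT 95E2F792 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!KeSetTimerEx + 454 81CBAA18 4 Bytes [ 9C, F7, E2, 95 ]
.text ntkrnlpa.exe!KeSetTimerEx + 624 81CBABE8 4 Bytes [ 88, F7, E2, 95 ]
.text ntkrnlpa.exe!KeSetTimerEx + 640 81CBAC04 4 Bytes [ 8D, F7, E2, 95 ]
.text ntkrnlpa.exe!KeSetTimerEx + 854 81CBAE18 4 Bytes [ 97, F7, E2, 95 ]
.text ntkrnlpa.exe!KeSetTimerEx + 8B4 81CBAE78 4 Bytes [ 92, F7, E2, 95 ]
"""

# "SSDT <hook address> <service name>"
SSDT_RE = re.compile(r"^SSDT\s+([0-9A-Fa-f]{8})\s+(\w+)", re.M)
# ".text <symbol> [+ <offset>] <address> <n> Bytes [ b0, b1, ... ]"
PATCH_RE = re.compile(
    r"^\.text\s+(\S+)(?:\s*\+\s*([0-9A-Fa-f]+))?\s+([0-9A-Fa-f]{8})"
    r"\s+(\d+)\s+Bytes\s+\[\s*(.+?)\s*\]",
    re.M,
)


def parse_ssdt(log: str) -> Dict[str, int]:
    """Map each hooked service name to the address GMER says it now points at."""
    return {name: int(addr, 16) for addr, name in SSDT_RE.findall(log)}


def parse_patches(log: str) -> List[Tuple[str, int, int]]:
    """Return (symbol+offset, patched address, dword value) for every 4-byte
    .text patch. The bytes are decoded little-endian, as a 32-bit x86 kernel
    stores a pointer, so a patch that writes a pointer yields that pointer."""
    out = []
    for sym, off, addr, n, byts in PATCH_RE.findall(log):
        raw = bytes(int(b.strip(), 16) for b in byts.split(","))
        if int(n) != 4 or len(raw) != 4:
            continue  # only dword-sized patches can be pointer overwrites
        label = f"{sym}+{off}" if off else sym
        out.append((label, int(addr, 16), int.from_bytes(raw, "little")))
    return out


def correlate(log: str) -> Dict[str, dict]:
    """For each SSDT hook, find the .text dword patch whose decoded value is the
    hook address. A match means that patch is the table slot holding the hook."""
    by_value = {val: (sym, where) for sym, where, val in parse_patches(log)}
    report = {}
    for name, target in parse_ssdt(log).items():
        sym, where = by_value.get(target, (None, None))
        report[name] = {
            "hook": target,
            "patch_symbol": sym,
            "patch_at": where,
            "matched": where is not None,
        }
    return report


def hook_cluster(ssdt: Dict[str, int]) -> dict:
    """Describe how the hook addresses sit relative to each other. Evenly
    spaced addresses a few bytes apart are consistent with one small table of
    trampoline stubs in a single driver rather than unrelated hooks."""
    addrs = sorted(ssdt.values())
    gaps = [b - a for a, b in zip(addrs, addrs[1:])]
    return {"lowest": addrs[0], "highest": addrs[-1],
            "span": addrs[-1] - addrs[0], "gaps": gaps}


if __name__ == "__main__":
    for name, info in correlate(GMER_LOG).items():
        status = "slot patch found" if info["matched"] else "no matching patch"
        print(f"{name:22s} -> {info['hook']:08X}  {status}  "
              f"({info['patch_symbol']} @ {info['patch_at'] or 0:08X})")
    print("hook cluster:", hook_cluster(parse_ssdt(GMER_LOG)))
```

Run it on the full posted log (or any GMER log) and an unmatched SSDT entry, or a dword patch whose value is not a known hook, is the item to look at first, since it is not explained by the same service-table rewrite. The gaps reported here are all 5 bytes, the size of a 32-bit near jump, which is why the five hooks read as one stub table; attributing that table to a module still requires a driver listing the log does not contain.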