XP antispyware 2009! help!

Welcome Guest ( Log In | Join )

Discover the best free computer help!
Learn more about Geeks to Go by taking the tour. Want to ask a question, reply to a topic, or remove all advertising? It's easy, fast and free. Join today!
Spyware, virus, trojan, fake security or privacy alerts? Please start with our malware cleaning guide.

> Geeks to Go! » Security » Malware Removal - HijackThis™ Logs Go Here

XP antispyware 2009! help!

Options

jammy dodger View Member Profile	Oct 21 2008, 01:31 PM Post #1
Member Posts: 22 OS: Windows XP	Hi, I have a virus on my computer, xp antispyware 2009, I downloaded hijack this, spybot and malware bytes but none of them will run so I can't even attempt to fix it, please help!! Thanks

kahdah View Member Profile	Nov 9 2008, 11:32 AM Post #2
GeekU Teacher Posts: 10,074 From: Somewhere OS: Windows xp home	Hello jammy dodger Welcome to G2Go. ===================== Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As", in FF it's "Save Link As") to download Silent Runners. Save it to the desktop. Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop. You will receive a prompt: Do you want to skip supplementary searches? click NO If you receive an error just click OK and double-click it to run it again - sometimes it won't run as it's supposed to the first time but will in subsequent runs. You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!) Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here. NOTE If you receive any warning message about scripts, please choose to allow the script to run.

jammy dodger View Member Profile	Nov 18 2008, 03:33 PM Post #3
Member Posts: 22 OS: Windows XP	Hi Kandah, Thanks so much for the reply, sorry about the delay in posting, here are the results "Silent Runners.vbs", revision 58, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "MsnMsgr" = ""C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background" [MS] "SVCHOST.EXE" = "C:\WINDOWS\system32\drivers\svchost.exe" [file not found] "SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"] "ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "ehTray" = "C:\WINDOWS\ehome\ehtray.exe" [MS] "Recguard" = "C:\WINDOWS\SMINST\RECGUARD.EXE" [empty string] "(Default)" = "\\** (unwritable string)" [file not found] "High Definition Audio Property Page Shortcut" = "HDAShCut.exe" ["Windows ® Server 2003 DDK provider"] "SMSERIAL" = "sm56hlpr.exe" ["Motorola Inc."] "SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."] "igfxtray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"] "igfxhkcmd" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"] "igfxpers" = "C:\WINDOWS\system32\igfxpers.exe" ["Intel Corporation"] "IAAnotif" = "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" ["Intel Corporation"] "RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."] "Alcmtr" = "ALCMTR.EXE" ["Realtek Semiconductor Corp."] "AVG8_TRAY" = "C:\PROGRA~1\AVG\AVG8\avgtray.exe" ["AVG Technologies CZ, s.r.o."] "XP Antispyware 2009" = ""C:\Program Files\XP_AntiSpyware\XP_AntiSpyware.exe" /hide" [file not found] "SpyHunter Security Suite" = "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [file not found] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided) -> {HKLM...CLSID} = "Spybot-S&D IE Protection" \InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension" -> {HKLM...CLSID} = "Display Panning CPL Extension" \InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."] "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu" -> {HKLM...CLSID} = "Portable Media Devices Menu" \InProcServer32\(Default) = "C:\WINDOWS\system32\audiodev.dll" [MS] "{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "SampleView" -> {HKLM...CLSID} = "SampleView" \InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"] "{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."] "{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders" -> {HKLM...CLSID} = "My Sharing Folders" \InProcServer32\(Default) = "C:\Program Files\Windows Live\Messenger\fsshext.8.5.1302.1018.dll" [MS] "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG8 Shell Extension" -> {HKLM...CLSID} = "AVG8 Shell Extension Class" \InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."] "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <<!>> dimsntfy\DLLName = "C:\WINDOWS\System32\dimsntfy.dll" [MS] <<!>> igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"] HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info" -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."] HKLM\SOFTWARE\Classes\\shellex\ContextMenuHandlers\ AVG8 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" -> {HKLM...CLSID} = "AVG8 Shell Extension Class" \InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ AVG8 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" -> {HKLM...CLSID} = "AVG8 Shell Extension Class" \InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."] MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}" -> {HKLM...CLSID} = "MBAMShlExt Class" \InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\ MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}" -> {HKLM...CLSID} = "MBAMShlExt Class" \InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ "ForceClassicControlPanel" = (REG_DWORD) dword:0x00000001 {unrecognized setting} HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ "shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001 {Computer Configuration\|Windows Settings\|Security Settings\|Local Policies\|Security Options\| Shutdown: Allow system to be shut down without having to log on} "undockwithoutlogon" = (REG_DWORD) dword:0x00000001 {Computer Configuration\|Windows Settings\|Security Settings\|Local Policies\|Security Options\| Devices: Allow undock without having to log on} "InstallVisualStyle" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles {unrecognized setting} "InstallTheme" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale.theme {unrecognized setting} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp" Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Windows\wallpaper_1600x1200.bmp" Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ "SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS] Windows Portable Device AutoPlay Handlers ----------------------------------------- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\ EHomeMusicDropTarget\ "Provider" = "Media Center" "InvokeProgID" = "EHomeDropTarget.EHomeMusicDropTarget" "InvokeVerb" = "play" HKLM\SOFTWARE\Classes\EHomeDropTarget.EHomeMusicDropTarget\shell\play\DropTarget\CLSID = "{ED87EFF3-FF22-404E-B2BD-BC3841BDCB2C}" -> {HKLM...CLSID} = "EHomeMusicDropTarget Class" \InProcServer32\(Default) = "C:\WINDOWS\eHome\ehdrop.dll" [MS] EHomePhotosHandler\ "Provider" = "Media Center" "InvokeProgID" = "EHomeDropTarget.EHomePhotosHandler" "InvokeVerb" = "play" HKLM\SOFTWARE\Classes\EHomeDropTarget.EHomePhotosHandler\shell\play\DropTarget\CLSID = "{4b7601c1-d292-4902-89f4-583a5ce0c535}" -> {HKLM...CLSID} = "EHomePhotosHandler Class" \InProcServer32\(Default) = "C:\WINDOWS\eHome\ehdrop.dll" [MS] EHomeVideoDropTarget\ "Provider" = "Media Center" "InvokeProgID" = "EHomeDropTarget.EHomeVideoDropTarget" "InvokeVerb" = "play" HKLM\SOFTWARE\Classes\EHomeDropTarget.EHomeVideoDropTarget\shell\play\DropTarget\CLSID = "{A48E70A4-8E15-4465-9D85-CCE9E63F8AAB}" -> {HKLM...CLSID} = "EHomeVideoDropTarget Class" \InProcServer32\(Default) = "C:\WINDOWS\eHome\ehdrop.dll" [MS] EHomeVideosHandler\ "Provider" = "Media Center" "InvokeProgID" = "EHomeDropTarget.EHomeVideosHandler" "InvokeVerb" = "play" HKLM\SOFTWARE\Classes\EHomeDropTarget.EHomeVideosHandler\shell\play\DropTarget\CLSID = "{4f61ec50-acef-4ae7-b4c6-b19bddc0f745}" -> {HKLM...CLSID} = "EHomeVideosHandler Class" \InProcServer32\(Default) = "C:\WINDOWS\eHome\ehdrop.dll" [MS] NapsterMTPHandler\ "Provider" = "@C:\Program Files\Napster\napster.exe,-101" "ProgID" = "Shell.HWEventHandlerShellExecute" "InitCmdLine" = ""C:\Program Files\Napster\napster.exe" /devicesync" HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" -> {HKLM...CLSID} = "ShellExecute HW Event Handler" \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS] NapsterPlayCDHandler\ "Provider" = "@C:\Program Files\Napster\napster.exe,-101" "InvokeProgID" = "Napster.AutoplayHandler" "InvokeVerb" = "open" HKLM\SOFTWARE\Classes\Napster.AutoplayHandler\shell\open\command\(Default) = ""C:\Program Files\Napster\napster.exe" /playcd "%L"" ["Napster"] P2GCDBurningOnArrival\ "Provider" = "Power2Go" "InvokeProgID" = "Picture" "InvokeVerb" = "OpenWithPower2Go" HKLM\SOFTWARE\Classes\Picture\shell\OpenWithPower2Go\Command\(Default) = ""C:\Program Files\CyberLink\Power2Go\Power2Go.exe"" ["Cyberlink"] PDVDPlayCDAudioOnArrival\ "Provider" = "PowerDVD" "InvokeProgID" = "AudioCD" "InvokeVerb" = "PlayWithPowerDVD" HKLM\SOFTWARE\Classes\AudioCD\shell\PlayWithPowerDVD\Command\(Default) = ""C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe" "%L"" ["CyberLink Corp."] PDVDPlayDVDMovieOnArrival\ "Provider" = "PowerDVD" "InvokeProgID" = "DVD" "InvokeVerb" = "PlayWithPowerDVD" HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerDVD\Command\(Default) = ""C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe" "%l"" ["CyberLink Corp."] PDVDPlayVCDMovieOnArrival\ "Provider" = "PowerDVD" "InvokeProgID" = "VCD" "InvokeVerb" = "PlayWithPowerDVD" HKLM\SOFTWARE\Classes\VCD\shell\PlayWithPowerDVD\Command\(Default) = ""C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe" "%l"" ["CyberLink Corp."] Startup items in "Owner" & "All Users" startup folders: ------------------------------------------------------- C:\Documents and Settings\All Users\Start Menu\Programs\Startup "FreeventsSchedule" -> shortcut to: "C:\Freevents\FreeventsSchedule.exe "Connected Planet.exe"" [null data] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Extensions (Tools menu items, main toolbar menu buttons) HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\ {DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\ "MenuText" = "Spybot - Search && Destroy Configuration" "CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}" -> {HKLM...CLSID} = "Spybot-S&D IE Protection" \InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"] {E2E2DD38-D088-4134-82B7-F2BA38496583}\ "MenuText" = "@xpsp3res.dll,-20001" "Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ "ButtonText" = "Messenger" "MenuText" = "Windows Messenger" "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS] All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}): --------------------------------------------------------------------------- .NET Runtime Optimization Service v2.0.50727_X86, clr_optimization_v2.0.50727_32, "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe" [MS] ASP.NET State Service, aspnet_state, "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe" [MS] AVG Free8 E-mail Scanner, avg8emc, "C:\PROGRA~1\AVG\AVG8\avgemc.exe" ["AVG Technologies CZ, s.r.o."] AVG Free8 WatchDog, avg8wd, "C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe" ["AVG Technologies CZ, s.r.o."] Extensible Authentication Protocol Service, EapHost, "C:\WINDOWS\System32\svchost.exe -k eapsvcs" {"C:\WINDOWS\System32\eapsvc.dll" [MS]} Health Key and Certificate Management Service, hkmsvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\kmsvc.dll" [MS]} InstallDriver Table Manager, IDriverT, ""C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe"" ["Macrovision Corporation"] Intel® Matrix Storage Event Monitor, IAANTMON, "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe" ["Intel Corporation"] Intel® PROSet/Wireless Event Log, EvtEng, "C:\Program Files\Intel\Wireless\Bin\EvtEng.exe" ["Intel Corporation"] Intel® PROSet/Wireless Registry Service, RegSrvc, "C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe" ["Intel Corporation"] Intel® PROSet/Wireless Service, S24EventMonitor, "C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe" ["Intel Corporation "] Logical Disk Manager Administrative Service, dmadmin, "C:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"] Media Center Extender Service, McrdSvc, "C:\WINDOWS\ehome\mcrdsvc.exe" [MS] Media Center Receiver Service, ehRecvr, "C:\WINDOWS\eHome\ehRecvr.exe" [MS] Media Center Scheduler Service, ehSched, "C:\WINDOWS\eHome\ehSched.exe" [MS] Messenger Sharing Folders USN Journal Reader service, usnjsvc, ""C:\Program Files\Windows Live\Messenger\usnsvc.exe"" [MS] MHN, MHN, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\mhn.dll" [MS]} Network Access Protection Agent, napagent, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\qagentrt.dll" [MS]} O2Micro Flash Memory, O2Flash, "C:\WINDOWS\system32\o2flash.exe" [null data] Portable Media Serial Number Service, WmdmPmSN, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\MsPMSNSv.dll" [MS]} Windows Live Setup Service, WLSetupSvc, ""C:\Program Files\Windows Live\installer\WLSetupSvc.exe"" [MS] Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS] Wired AutoConfig, Dot3svc, "C:\WINDOWS\System32\svchost.exe -k dot3svc" {"C:\WINDOWS\System32\dot3svc.dll" [MS]} WMI Performance Adapter, WmiApSrv, "C:\WINDOWS\system32\wbem\wmiapsrv.exe" [MS] ---------- (launch time: 2008-11-18 21:30:53) <<!>>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see everywhere* the script checks and everything it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 46 seconds. ---------- (total run time: 88 seconds)

kahdah View Member Profile	Nov 18 2008, 09:49 PM Post #4
GeekU Teacher Posts: 10,074 From: Somewhere OS: Windows xp home	Download SDFix and save it to your Desktop. Double click SDFix.exe and choose Install to extract it to its own folder on the C:\Drive. Please then reboot your computer in Safe Mode by doing the following : Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; Instead of Windows loading as normal, the Advanced Options Menu should appear; Select the first option, to run Windows in Safe Mode, then press Enter. Choose your usual account. Open the extracted SDFix folder and double click RunThis.bat to start the script. Type Y to begin the cleanup process. It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot. Press any Key and it will restart the PC. When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons. Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt. Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

jammy dodger View Member Profile	Nov 22 2008, 07:11 AM Post #5
Member Posts: 22 OS: Windows XP	Hi Kandah, Here are the results attached Thanks, Attached File(s) report.txt ( 6.24K ) Number of downloads: 94

jammy dodger View Member Profile	Nov 22 2008, 07:13 AM Post #6
Member Posts: 22 OS: Windows XP	Here's hijack this Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 13:09:42, on 22/11/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16735) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe C:\WINDOWS\system32\o2flash.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\notepad.exe C:\WINDOWS\ehome\ehtray.exe C:\WINDOWS\sm56hlpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\eHome\ehmsas.exe C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe C:\WINDOWS\RTHDCPL.EXE C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - S-1-5-18 Startup: Philips Media Manager.lnk = C:\Program Files\Philips\Media Manager\Philips Media Manager.exe (User 'SYSTEM') O4 - .DEFAULT Startup: Philips Media Manager.lnk = C:\Program Files\Philips\Media Manager\Philips Media Manager.exe (User 'Default user') O4 - .DEFAULT User Startup: Philips Media Manager.lnk = C:\Program Files\Philips\Media Manager\Philips Media Manager.exe (User 'Default user') O4 - Global Startup: FreeventsSchedule.lnk = C:\Freevents\FreeventsSchedule.exe O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www.pcservicecall.co.uk O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - AppInit_DLLs: karna.dat O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- End of file - 6010 bytes

kahdah View Member Profile	Nov 22 2008, 07:43 AM Post #7
GeekU Teacher Posts: 10,074 From: Somewhere OS: Windows xp home	Download ComboFix from one of these locations: Link 1 Link 2 Link 3 * IMPORTANT !!! Save ComboFix.exe to your Desktop Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools Double click on ComboFix.exe & follow the prompts. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware. When finished, it shall produce a log for you. Please include the C:\ComboFix.txt** in your next reply.

jammy dodger View Member Profile	Nov 23 2008, 08:13 AM Post #8
Member Posts: 22 OS: Windows XP	Hi Kandah, I had a problem when running the combo fix as it would not open up so I reran the SD fix and then was able to run combo fix after SD fix. I have put in the results of both scans as well as a new hijack this log SD Fix SDFix: Version 1.240 Run by Owner on 23/11/2008 at 13:48 Microsoft Windows XP [Version 5.1.2600] Running From: C:\SDFix Checking Services : Name : tdssserv TDSSserv.sys) Path : \systemroot\system32\drivers\TDSSpxst.sys \systemroot\system32\drivers\TDSSpqxt.sys tdssserv - Deleted TDSSserv.sys) - Deleted Restoring Default Security Values Restoring Default Hosts File Rebooting Checking Files : Trojan Files Found: C:\WINDOWS\system32\drivers\TDSSpxst.sys - Deleted C:\WINDOWS\system32\drivers\TDSSpqxt.sys - Deleted C:\WINDOWS\system32\TDSSriqp.dll - Deleted C:\WINDOWS\system32\TDSSpaxt.dat - Deleted C:\WINDOWS\system32\TDSSbubx.log - Deleted Could Not Remove C:\WINDOWS\system32\TDSSxbdr.dll Could Not Remove C:\WINDOWS\system32\TDSSoeqh.dll Could Not Remove C:\WINDOWS\system32\TDSSosvn.dll Could Not Remove C:\WINDOWS\system32\TDSSnrsr.dll Removing Temp Files ADS Check : Final Check : catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-11-23 13:56:01 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden services & system hive ... disk error: C:\WINDOWS\system32\config\system, 0 scanning hidden registry entries ... disk error: C:\WINDOWS\system32\config\software, 0 disk error: C:\Documents and Settings\Owner\ntuser.dat, 0 scanning hidden files ... disk error: C:\WINDOWS\ please note that you need administrator rights to perform deep scan Remaining Services : Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\Philips\\Media Manager\\Philips Media Manager.exe"="C:\\Program Files\\Philips\\Media Manager\\Philips Media Manager.exe::Enabled:Philips Media Management for your Media Devices" "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe::Enabled:Windows Messenger" "C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe::Enabled:Skype" "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe::Enabled:avgemc.exe" "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe::Enabled:avgupd.exe" "C:\\WINDOWS\\system32\\drivers\\svchost.exe"="C:\\WINDOWS\\system32\\drivers\\svchost.exe::Disabled:svchost" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe::Enabled:@xpsp3res.dll,-20000" "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe::Enabled:Windows Live Messenger" "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe::Enabled:Windows Live Messenger (Phone)" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe::Enabled:@xpsp3res.dll,-20000" "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe::Enabled:Windows Live Messenger" "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe::Enabled:Windows Live Messenger (Phone)" Remaining Files : C:\WINDOWS\system32\TDSSxbdr.dll Found C:\WINDOWS\system32\TDSSoeqh.dll Found C:\WINDOWS\system32\TDSSosvn.dll Found C:\WINDOWS\system32\TDSSnrsr.dll Found File Backups: - C:\SDFix\backups\backups.zip Files with Hidden Attributes : Mon 15 Sep 2008 127 A..H. --- "C:\Documents and Settings\Owner\Application Data\lakerda1967.sys" Wed 10 Sep 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f7db876e78b88fd8276fd7d29cb7e4eb\BIT8.tmp" Sun 28 Sep 2008 444 ...HR --- "C:\Documents and Settings\Owner\Application Data\SecuROM\UserData\securom_v7_01.bak" Sat 12 Aug 2006 2,583 A.SH. --- "C:\Documents and Settings\Administrator\Application Data\Roxio\Dragon\DiscInfoCache\HL-DT-ST_DVDRAM_GSA-4083N_AS03_300_DICV018_DRGV2050108.TMP" Sat 12 Aug 2006 2,583 A.SH. --- "C:\Documents and Settings\Default User\Application Data\Roxio\Dragon\DiscInfoCache\HL-DT-ST_DVDRAM_GSA-4083N_AS03_300_DICV018_DRGV2050108.TMP" Sat 12 Aug 2006 2,583 A.SH. --- "C:\Documents and Settings\Owner\Application Data\Roxio\Dragon\DiscInfoCache\HL-DT-ST_DVDRAM_GSA-4083N_AS03_300_DICV018_DRGV2050108.TMP" Sat 12 Aug 2006 2,583 A.SH. --- "C:\WINDOWS\system32\config\systemprofile\Application Data\Roxio\Dragon\DiscInfoCache\HL-DT-ST_DVDRAM_GSA-4083N_AS03_300_DICV018_DRGV2050108.TMP" Finished! Combo Fix ComboFix 08-11-22.02 - Owner 2008-11-23 14:00:09.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.648 [GMT 0:00] . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\Owner\Cookies\subawilawe.dat c:\documents and settings\Owner\Local Settings\Temporary Internet Files\ajypok.inf c:\documents and settings\Owner\Local Settings\Temporary Internet Files\maqotesuso.vbs c:\documents and settings\Owner\Local Settings\Temporary Internet Files\ujifu.exe c:\windows\system32\TDSSoeqh.dll D:\AUTORUN.INF . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_TDSSSERV.SYS -------\Legacy_TDSSSERV.SYS ((((((((((((((((((((((((( Files Created from 2008-10-23 to 2008-11-23 ))))))))))))))))))))))))))))))) . 2008-11-23 13:54 . 2008-11-23 13:54 73,728 --a------ c:\windows\system32\TDSSnrsr.dll 2008-11-23 13:54 . 2008-11-23 13:54 31,232 --a------ c:\windows\system32\TDSSosvn.dll 2008-11-23 13:53 . 2008-11-23 13:54 35,840 --a------ c:\windows\system32\TDSSxbdr.dll 2008-11-22 21:25 . 2008-11-22 21:25 <DIR> d-------- c:\program files\EA GAMES 2008-11-22 20:53 . 2008-11-22 20:53 268 --ah----- C:\sqmdata03.sqm 2008-11-22 20:53 . 2008-11-22 20:53 244 --ah----- C:\sqmnoopt03.sqm 2008-11-22 13:09 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys 2008-11-22 13:08 . 2008-09-04 17:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll 2008-11-22 13:06 . 2008-11-22 13:06 73,728 --a------ c:\windows\system32\TDSSkcjp.dll 2008-11-22 13:06 . 2008-11-23 13:54 60,416 --a------ c:\windows\system32\drivers\TDSSoiqh.sys 2008-11-22 13:06 . 2008-11-22 13:06 31,232 --a------ c:\windows\system32\TDSSbivk.dll 2008-11-22 13:06 . 2008-11-22 13:06 29,696 --a------ c:\windows\system32\TDSSivvi.dll 2008-11-22 12:49 . 2008-11-22 12:49 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll 2008-11-22 12:45 . 2008-11-22 12:45 <DIR> d-------- c:\windows\ERUNT 2008-11-22 12:43 . 2008-11-23 13:56 <DIR> d-------- C:\SDFix 2008-11-22 12:32 . 2008-11-22 12:32 26,624 --a------ c:\windows\system32\TDSSdhym.dll 2008-11-18 21:28 . 2008-11-18 21:28 26,624 --a------ c:\windows\system32\TDSSsbhc.dll 2008-10-29 20:33 . 2008-10-29 20:33 26,624 --a------ c:\windows\system32\TDSSnmxh.dll 2008-10-29 19:45 . 2008-10-29 19:45 26,624 --a------ c:\windows\system32\TDSSfpmp.dll 2008-10-29 19:42 . 2008-10-29 19:42 26,624 --a------ c:\windows\system32\TDSSciou.dll 2008-10-29 19:41 . 2008-10-29 19:41 26,624 --a------ c:\windows\system32\TDSScbqp.dll 2008-10-29 19:40 . 2008-10-29 19:40 26,624 --a------ c:\windows\system32\TDSSnrse.dll 2008-10-26 16:29 . 2008-10-26 16:29 <DIR> d-------- c:\windows\system32\scripting 2008-10-26 16:29 . 2008-10-26 16:29 <DIR> d-------- c:\windows\system32\en 2008-10-26 16:29 . 2008-10-26 16:29 <DIR> d-------- c:\windows\system32\bits 2008-10-26 16:29 . 2008-10-26 16:29 <DIR> d-------- c:\windows\l2schemas 2008-10-26 16:27 . 2008-10-26 16:30 <DIR> d-------- c:\windows\ServicePackFiles 2008-10-26 14:32 . 2008-10-26 14:32 <DIR> d-------- c:\documents and settings\Owner\Application Data\DivX 2008-10-26 07:52 . 2008-09-16 00:14 129,784 --------- c:\windows\system32\pxafs.dll 2008-10-26 07:52 . 2008-09-16 00:14 120,056 --------- c:\windows\system32\pxcpyi64.exe 2008-10-26 07:52 . 2008-09-16 00:14 118,520 --------- c:\windows\system32\pxinsi64.exe 2008-10-24 22:13 . 2008-10-15 16:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-10-29 19:38 676 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat 2008-10-26 07:52 --------- d-----w c:\program files\DivX 2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys 2008-10-21 19:08 --------- d-----w c:\program files\Malwarebytes' Anti-Malware 2008-10-21 19:08 --------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes 2008-10-21 19:08 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2008-10-21 19:08 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes 2008-10-21 18:49 --------- d-----w c:\program files\Trend Micro 2008-10-21 18:47 --------- d-----w c:\program files\Spybot - Search & Destroy 2008-10-21 18:18 --------- d-----w c:\program files\Enigma Software Group 2008-10-21 18:13 19,939 ----a-w c:\windows\pufubedy.vbs 2008-10-21 18:13 16,461 ----a-w c:\windows\tavis.com 2008-10-21 18:13 15,696 ----a-w c:\windows\rovixexag.exe 2008-10-21 18:13 15,632 ----a-w c:\documents and settings\Owner\Application Data\ubyb.reg 2008-10-21 18:13 13,750 ----a-w c:\windows\ikycunu.vbs 2008-10-21 18:13 11,994 ----a-w c:\program files\Common Files\ixyhany.pif 2008-10-21 18:13 11,293 ----a-w c:\documents and settings\Owner\Application Data\muwifu.pif 2008-10-21 18:13 10,451 ----a-w c:\documents and settings\All Users\Application Data\sohewuvaj.bat 2008-10-21 18:13 10,437 ----a-w c:\windows\axyfyr.com 2008-10-21 18:09 --------- d-----w c:\documents and settings\All Users\Application Data\avg8 2008-10-16 19:25 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys 2008-10-16 19:25 15,504 ----a-w c:\windows\system32\drivers\mbam.sys 2008-09-30 19:28 --------- d-----w c:\documents and settings\Owner\Application Data\AdobeUM 2008-09-28 12:17 --------- d-----w c:\documents and settings\Owner\Application Data\SPORE 2008-09-28 12:01 --------- d--h--w c:\program files\InstallShield Installation Information 2008-09-28 12:01 --------- d-----w c:\program files\Electronic Arts 2008-09-28 11:56 --------- d--h--r c:\documents and settings\Owner\Application Data\SecuROM 2008-09-28 11:17 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys 2008-09-28 11:17 76,040 ----a-w c:\windows\system32\drivers\avgtdix.sys 2008-09-28 11:17 --------- d-----w c:\program files\AVG 2008-09-25 20:08 --------- d-----w c:\program files\WinSCP 2008-09-23 21:54 319,488 ----a-w c:\windows\HideWin.exe 2008-09-23 21:54 --------- d-----w c:\program files\Realtek 2008-09-15 20:08 360,580 ----a-w c:\windows\eSellerateEngine.dll 2008-09-15 20:08 127 ---ha-w c:\documents and settings\Owner\Application Data\lakerda1967.sys 2008-09-09 17:39 16,851,968 ----a-w c:\windows\RTHDCPL.EXE . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184] "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-25 761946] "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-04-25 94208] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-04-25 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-04-25 118784] "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-04-25 143360] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-09-30 1234712] "High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe] "SMSERIAL"="sm56hlpr.exe" [2006-04-25 c:\windows\sm56hlpr.exe] "RTHDCPL"="RTHDCPL.EXE" [2008-09-09 c:\windows\RTHDCPL.EXE] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\ Philips Media Manager.lnk - c:\program files\Philips\Media Manager\Philips Media Manager.exe [2006-08-12 136704] c:\documents and settings\Administrator\Start Menu\Programs\Startup\ Philips Media Manager.lnk - c:\program files\Philips\Media Manager\Philips Media Manager.exe [2006-08-12 136704] c:\documents and settings\All Users\Start Menu\Programs\Startup\ FreeventsSchedule.lnk - c:\freevents\FreeventsSchedule.exe [2006-08-12 16384] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^FreeventsSchedule.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\FreeventsSchedule.lnk backup=c:\windows\pss\FreeventsSchedule.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Philips Media Manager.lnk] path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Philips Media Manager.lnk backup=c:\windows\pss\Philips Media Manager.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL_Demo] --a------ 2006-03-01 07:54 177178 c:\applications\Tool\AOL Demo\DSGDemo.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell] --a------ 2006-06-29 13:17 319488 c:\program files\Napster\napster.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress] --a------ 2005-07-08 15:01 1953887 c:\program files\CyberLink\Power2Go\Power2GoExpress.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Philips\\Media Manager\\Philips Media Manager.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= R0 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2006-04-25 34176] R0 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2006-04-25 28800] R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-09-28 97928] R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-09-28 875288] R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-09-28 231704] R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-09-28 76040] S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-10-21 38496] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z] \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{919a1391-9333-11da-bf07-806d6172696f}] \Shell\AutoRun\command - E:\Launch.exe . - - - - ORPHANS REMOVED - - - - HKLM-Run-SpyHunter Security Suite - c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe . ------- Supplementary Scan ------- . FireFox -: Profile - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\tnt6hean.default\ FireFox -: prefs.js - STARTUP.HOMEPAGE - myzone.tcd.ie FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll . ************************************************************************ catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-11-23 14:04:09 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . ------------------------ Other Running Processes ------------------------ . c:\program files\Intel\Wireless\Bin\EvtEng.exe c:\program files\Intel\Wireless\Bin\S24EvMon.exe c:\windows\ehome\ehrecvr.exe c:\windows\ehome\ehSched.exe c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe c:\windows\system32\o2flash.exe c:\program files\Intel\Wireless\Bin\RegSrvc.exe c:\windows\ehome\mcrdsvc.exe c:\progra~1\AVG\AVG8\avgrsx.exe c:\windows\system32\dllhost.exe c:\windows\system32\wscntfy.exe c:\windows\ehome\ehmsas.exe c:\program files\AVG\AVG8\avgtray.exe . ********************************************************************** . Completion time: 2008-11-23 14:05:54 - machine was rebooted ComboFix-quarantined-files.txt 2008-11-23 14:05:51 Pre-Run: 84,518,989,824 bytes free Post-Run: 84,563,939,328 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect 207 --- E O F --- 2008-11-22 22:13:49 Hijack this** Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 14:12:57, on 23/11/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16735) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe C:\WINDOWS\system32\o2flash.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\ehome\ehtray.exe C:\WINDOWS\eHome\ehmsas.exe C:\WINDOWS\sm56hlpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe C:\WINDOWS\RTHDCPL.EXE C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - S-1-5-18 Startup: Philips Media Manager.lnk = C:\Program Files\Philips\Media Manager\Philips Media Manager.exe (User 'SYSTEM') O4 - .DEFAULT Startup: Philips Media Manager.lnk = C:\Program Files\Philips\Media Manager\Philips Media Manager.exe (User 'Default user') O4 - .DEFAULT User Startup: Philips Media Manager.lnk = C:\Program Files\Philips\Media Manager\Philips Media Manager.exe (User 'Default user') O4 - Global Startup: FreeventsSchedule.lnk = C:\Freevents\FreeventsSchedule.exe O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www.pcservicecall.co.uk O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- End of file - 6100 bytes

kahdah

Nov 23 2008, 10:50 AM

Post #9

GeekU Teacher
Group Icon

Posts: 10,074
From: Somewhere
OS: Windows xp home

Download this program:

submit files packer

Highlight the files listed below in bold and right-click and selecting copy.

c:\windows\tavis.com
c:\windows\rovixexag.exe
c:\windows\axyfyr.com

Then start the file packer program and right click in the white box and select paste to paste the copied file names in the field.

Then press the Continue button.

I will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to yourmembername

Click Here and fill in the required fields and browse to this file on your desktop. Finally click on the Send File button.
==================
1. Please open Notepad

Click Start , then Run
type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the No