Attack! Attack! Computer keeps rebooting!


#1 lnijjar (Member, 108 posts)
:) :rofl: :rofl: :help:
First and foremost I want to say THANK YOU for having such an awesome service! For us mess-up-it-selfers, I can tell you it's very much appreciated!

:help: My drama started when I decided to be cheap and instead of paying a higher price for an MP3... I went to the cheapo site... and managed to bring buckets of spyware and viruses with it. Not sure how the [bleep] that happens - but next thing I know I'm slammed with pop-ups like nobody's business and an extremely high CPU% (locked out at 100%). :whistling: I also wasted some money and bought System Mechanic 6 with a Kaspersky Virus control - E($#)*$ #worthless in my opinion... but then again I'm the one stuck in safe mode.

I elected to end a few processes myself... next thing I know my machine is rebooting at will. Suspecting a virus I run a Panda scan and find 22+ viruses and 440+ infected files :blink: Great. Additionally, on the reboot my IE opens up and shortly after that is when it all shuts down and reboots again.

Miraculously - I found your site and I went through the multiple downloads and instructions prior to coming in here. I hope you can help. As a side note somehow many of my files duplicated and I might need some guidance on how to clean those up (point me to a forum... that's fine!)

Here is the HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 12:32:39 PM, on 10/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.6.0\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3909C938-088C-1033-0117-060507190001}\MyToolBar.dll (file missing)
O2 - BHO: (no name) - {C51BE282-2F1E-7CEB-41F0-73E29E7620C6} - C:\WINDOWS\system32\qhdetp.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.6.0\ViewBar.dll
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3909C938-088C-1033-0117-060507190001}\MyToolBar.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [DiscUpdateManager] C:\Program Files\DISC\DiscUpdateMgr.exe
O4 - HKLM\..\Run: [DMAScheduler] c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1148023627\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Samsung LBP SM] "C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [SvcManager] alg1.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [lxriwp] C:\WINDOWS\system32\lhnrwr.exe reg_run
O4 - HKLM\..\Run: [SystemGuardAlerter] SystemGuardAlerter.exe
O4 - HKLM\..\Run: [Explorer 2238] C:\WINDOWS\TEMP\18225\explorer.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.11.1.5\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [tunebite.exe] C:\Program Files\tunebite\tunebite.exe -hidden
O4 - HKCU\..\Run: [pngfilt] C:\WINDOWS\system32\pngfilt.exe
O4 - HKCU\..\Run: [wshbth] C:\WINDOWS\system32\wshbth.exe
O4 - HKCU\..\Run: [mciavi32] C:\WINDOWS\system32\mciavi32.exe
O4 - HKCU\..\Run: [dx7vb] C:\WINDOWS\system32\dx7vb.exe
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [ipsmsnap] C:\WINDOWS\system32\ipsmsnap.exe
O4 - HKCU\..\Run: [cic] C:\WINDOWS\system32\cic.exe
O4 - HKCU\..\Run: [serwvdrv] C:\WINDOWS\system32\serwvdrv.exe
O4 - HKCU\..\Run: [Fpqqfdb] C:\Program Files\Common Files\?icrosoft.NET\w?auclt.exe
O4 - HKCU\..\Run: [System Mechanic Popup Blocker] "C:\Program Files\iolo\System Mechanic Professional 6\PopupBlocker.exe"
O4 - HKCU\..\Run: [iexplore] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKCU\..\Run: [rasmxs] C:\WINDOWS\system32\rasmxs.exe
O4 - HKCU\..\Run: [huyky] C:\WINDOWS\system32\lhnrwr.exe reg_run
O4 - HKCU\..\Run: [sonyhcy] C:\WINDOWS\system32\sonyhcy.exe
O4 - HKCU\..\Run: [explorer] C:\WINDOWS\explorer.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O4 - Global Startup: desktop(2).ini
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
O8 - Extra context menu item: &Search -
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Popup Blocker - Add to Black List - C:\Program Files\iolo\Common\Lib\AddToPSBlackList.htm
O8 - Extra context menu item: Popup Blocker - Add to White List - C:\Program Files\iolo\Common\Lib\AddToPSWhiteList.htm
O8 - Extra context menu item: SnipeIt! eSnipe - http://www.esnipe.co...nipeItOpen3.asp
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {0645D7F3-C20E-4E0B-A545-557527497C0B} (NMInstall Control) - http://a14.g.akamai....GAPANEL_USA.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1160093392515
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....02/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: scsiusr4 - scsiusr4.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: xartcd5 - xartcd5.dll (file missing)
O21 - SSODL: SysRun - {D7FFD784-5276-42D1-887B-00267870A4C7} - C:\WINDOWS\system32\svshost.dll (file missing)
O21 - SSODL: DCOM Server 2238 - {2C1CD3D7-86AC-4068-93BC-A02304BB2238} - C:\WINDOWS\TEMP\18225\explorer.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Netscape Update Service (NCUpdateSvc) - Netscape Communications Corporation - C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)


********
Uninstall list from HJT
********
5 Card Slingo from Compaq (remove only)
Ace Poster
Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Illustrator 7.0 Tryout
Adobe PhotoDeluxe 2.0
Adobe Photoshop 4.0 LE
Adobe Reader 7.0.7
Adobe Type Manager 4.0
AOL Uninstaller (Choose which Products to Remove)
AstroPop Deluxe from Compaq (remove only)
ATI Control Panel
ATI Display Driver
AVG Anti-Spyware 7.5
Barnyard Invasion from Compaq (remove only)
Bejeweled 2 Deluxe from Compaq (remove only)
Blackhawk Striker 2 from Compaq (remove only)
Blasterball 2 from Compaq (remove only)
Blasterball 2 Remix from Compaq (remove only)
Boggle Supreme from Compaq (remove only)
Bookworm Deluxe from Compaq (remove only)
Bounce Symphony from Compaq (remove only)
BUM
CCScore
Chuzzle Deluxe from Compaq (remove only)
Compaq Connections (remove only)
Crystal Maze from Compaq (remove only)
Customer Experience Enhancement
Data Fax SoftModem with SmartCP
DISCover
Droppix Label Maker Deluxe 2.0.0
DVD Clone Factory v5.5
Easy Internet Sign-up
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
essvcpt
Family Feud
FATE from Compaq (remove only)
GemMaster Mystic
Google Earth
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB888111
HijackThis 1.99.1
HLPPDOCK
Hotfix for Windows XP (KB893357)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB914440)
HP Boot Optimizer
HP DigitalMedia Archive
HP DVD Play 1.0
HP Game Console and games
HP Imaging Device Functions 6.0
HP Photosmart Premier Software 6.0
HP Rhapsody
HP Software Update
HP Support Overview
HP Web Helper
Insaniquarium Deluxe from Compaq (remove only)
iolo technologies' System Mechanic Professional 6
iTunes
J2SE Runtime Environment 5.0 Update 5
Kaspersky Anti-Hacker
kgcbase
Kodak EasyShare software
KSU
Languages of the World
Lemonade Tycoon 2 from Compaq (remove only)
Lexibox Deluxe from Compaq (remove only)
LightScribe Applications
Macromedia Shockwave Player
Mah Jong Quest from Compaq (remove only)
MediaTickets by OIN
Micrografx Picture Publisher 7
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft FrontPage 2000
Microsoft Money 2006
Microsoft Works
ML-1710 Series
Netscape Browser (remove only)
Netscape Internet Service
Netscape Web Accelerator
Nielsen//NetRatings
Notifier
OfotoXMI
OTtBP
OTtBPSDK
Otto
Panda ActiveScan
Panda Antivirus 2007
PC-Doctor 5 for Windows
Plaxo Toolbar for Outlook and Outlook Express
Polar Bowler from Compaq (remove only)
Polar Golfer from Compaq (remove only)
Puzzle Express from Compaq (remove only)
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
Quicken 2006
QuickTime
RealPlayer
Remove WeatherBug Installer
Ricochet Lost Worlds from Compaq (remove only)
Samsung Printer Status Monitor
SCRABBLE from Compaq (remove only)
Search Bar
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB925486)
SFR
SHASTA
Shooting Stars Pool from Compaq (remove only)
Shrek 2 Ogre Bowler from Compaq (remove only)
SKIN0001
SKINXSDK
Slingo Deluxe from Compaq (remove only)
Snowboard SuperJam from Compaq (remove only)
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sony Picture Utility
Sony USB Driver
staticcr
Super Granny from Compaq (remove only)
SWiSHmax
Symantec Technical Support Web Controls
ToolBar888
Tradewinds from Compaq (remove only)
Update for Windows Media Player 10 (KB913800)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Viewpoint Toolbar
VPRINTOL
Webshots Desktop
WildTangent Web Driver
Windows Defender
Windows Defender Signatures
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892050
Windows XP Hotfix - KB893066
Windows XP Media Center Edition 2005 KB908250
WIRELESS
Yahoo! Anti-Spy
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar
Zuma Deluxe from Compaq (remove only)
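As an added example (not code from this thread, from HijackThis or from the forum's helpers): a small triage script that scans HijackThis-style lines for the kinds of indicators visible in the log above, namely an extra binary chained onto UserInit, Run entries whose target sits under TEMP or contains a lookalike character, the shell binary registered as a Run entry, and orphaned "(file missing)" entries. The sample lines are constructed in the style of the posted log, and the heuristics are generic defender indicators, not signatures for any particular malware.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in the style of the HijackThis log posted above
# (a handful of entries, not the full log). Raw string: backslashes are literal.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Explorer 2238] C:\WINDOWS\TEMP\18225\explorer.exe
O4 - HKCU\..\Run: [Fpqqfdb] C:\Program Files\Common Files\?icrosoft.NET\w?auclt.exe
O4 - HKCU\..\Run: [explorer] C:\WINDOWS\explorer.exe
O20 - Winlogon Notify: scsiusr4 - scsiusr4.dll (file missing)
O21 - SSODL: SysRun - {D7FFD784-5276-42D1-887B-00267870A4C7} - C:\WINDOWS\system32\svshost.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""


@dataclass
class Finding:
    section: str                                      # HijackThis section code, e.g. "O4"
    line: str                                         # the raw log line
    reasons: List[str] = field(default_factory=list)  # heuristics that fired


SECTION_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
USERINIT_RE = re.compile(r"UserInit=(?P<chain>.*)$", re.IGNORECASE)
# Unquoted command: the path runs up to the first executable-looking extension
# that is followed by whitespace or end of line (registry paths may contain spaces).
EXT_RE = re.compile(r"^(.*?\.(?:exe|dll|sys|bat|cmd|com|scr))(?=\s|$)", re.IGNORECASE)


def _exe_path(cmd: str) -> str:
    """Return the executable path from a Run command, whether quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = EXT_RE.match(cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def _basename(path: str) -> str:
    """Lower-cased final path component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_entry(section: str, body: str) -> List[str]:
    """Apply generic autorun heuristics to one parsed HijackThis entry."""
    reasons = []
    if "(file missing)" in body.lower():
        reasons.append("orphaned entry: referenced file is missing")
    if section == "F2":
        m = USERINIT_RE.search(body)
        if m:
            chain = [p.strip() for p in m.group("chain").split(",") if p.strip()]
            extra = [p for p in chain if _basename(p) != "userinit.exe"]
            if extra:
                reasons.append("UserInit chains extra binaries: " + ", ".join(extra))
    elif section == "O4":
        m = O4_RE.search(body)
        if m:
            exe = _exe_path(m.group("cmd"))
            if "\\temp\\" in exe.lower():
                reasons.append("autorun target lives under a TEMP directory")
            if "?" in exe:
                reasons.append("unprintable or lookalike character in path")
            if _basename(exe) == "explorer.exe":
                reasons.append("shell binary registered as a Run entry")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Parse HijackThis-style lines and return the entries with at least one flag."""
    findings = []
    for raw in log_text.splitlines():
        m = SECTION_RE.match(raw.strip())
        if not m:
            continue  # header, process list, blank line
        section, body = m.groups()
        reasons = check_entry(section, body)
        if reasons:
            findings.append(Finding(section, raw.strip(), reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.line}")
        for r in f.reasons:
            print(f"    -> {r}")
```

Entries it flags are candidates for a closer look (file hashes, signer, creation time), not verdicts; legitimate entries such as the Windows Defender line pass through untouched.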



#2 Buckeye_Sam (Malware Expert, 10,019 posts)
Hi and welcome to GeeksToGo! My name is Sam and I will be helping you. :whistling:


Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

#3 lnijjar (Topic Starter, Member, 108 posts)
Voila!

Compaq_Administrator - 06-10-18 15:18:08.37 Service Pack 2
ComboFix 06.10.16 - Running from: "C:\Documents and Settings\Compaq_Administrator\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-09-18 to 2006-10-18 ))))))))))))))))))))))))))))))))))


2006-10-17 19:45 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-17 08:42 45,056 --a------ C:\WINDOWS\system32\avldr.dll
2006-10-17 07:44 45,056 --a------ C:\Documents and Settings\Compaq_Administrator\LARG.exe
2006-10-17 07:41 45,056 --a------ C:\Documents and Settings\Compaq_Administrator\LCGT.exe
2006-10-17 05:00 45,056 --a------ C:\Documents and Settings\Compaq_Administrator\DBQO.exe
2006-10-17 04:59 45,056 --a------ C:\Documents and Settings\Compaq_Administrator\JBKK.exe
2006-10-17 04:57 45,056 --a------ C:\Documents and Settings\Compaq_Administrator\NNLD.exe
2006-10-16 03:05 45,056 --a------ C:\Documents and Settings\Compaq_Administrator\JBNM.exe
2006-10-16 03:02 45,056 --a------ C:\Documents and Settings\Compaq_Administrator\HDMR.exe
2006-10-15 21:22 0 --a------ C:\tcqw.exe
2006-10-15 21:19 0 --a------ C:\ltgfco.exe
2006-10-15 21:17 0 --a------ C:\wlhhfi.exe
2006-10-15 21:14 0 --a------ C:\jvynwhms.exe
2006-10-15 21:09 76,288 --a------ C:\jwilsaf.exe
2006-10-15 20:53 45,056 --a------ C:\Documents and Settings\Compaq_Administrator\GSDQ.exe
2006-10-11 13:07 252,752 --a------ C:\WINDOWS\system32\odc.dll
2006-10-11 08:45 24,576 --a------ C:\WINDOWS\system32\dinput8.exe
2006-10-11 08:45 24,576 --a------ C:\WINDOWS\system32\dinput8(2).exe
2006-10-09 19:43 0 --a------ C:\WINDOWS\system32\kbdkyr.exe
2006-10-09 19:40 48,128 --a------ C:\WINDOWS\system32\8(2).exe
2006-10-09 09:37 2 --a------ C:\WINDOWS\system32\wnscpit.exe
2006-10-09 07:38 24,576 --a------ C:\WINDOWS\system32\comdlg32.exe
2006-10-09 07:38 24,576 --a------ C:\WINDOWS\system32\comdlg32(2).exe
2006-10-09 07:33 0 --a------ C:\WINDOWS\system32\dpnet.exe
2006-10-09 07:30 24,576 --a------ C:\WINDOWS\system32\lz32.exe
2006-10-09 07:30 24,576 --a------ C:\WINDOWS\system32\lz32(2).exe
2006-10-08 10:26 0 --a------ C:\WINDOWS\system32\wsnmp32.exe
2006-10-08 10:22 71,370 --a------ C:\WINDOWS\system32\lzx32.sys
2006-10-08 10:22 71,370 --a------ C:\WINDOWS\system32\lzx32(2).sys
2006-10-07 22:37 356 --a------ C:\WINDOWS\kcuxo(2).dll
2006-10-07 21:20 0 --a------ C:\WINDOWS\system32\ezimg25.exe
2006-10-07 21:18 77,312 --a------ C:\dfytht.exe
2006-10-07 21:18 77,312 --a------ C:\dfytht(2).exe
2006-10-07 21:17 24,576 --a------ C:\WINDOWS\system32\btpanui.exe
2006-10-07 21:17 24,576 --a------ C:\WINDOWS\system32\btpanui(2).exe
2006-10-06 20:38 64,512 --a------ C:\WINDOWS\system32\PTPITCP.dll
2006-10-06 20:38 64,512 --a------ C:\WINDOWS\system32\PTPITCP(2).dll
2006-10-06 20:38 307,200 --a------ C:\WINDOWS\system32\KPDPM.dll
2006-10-06 20:38 307,200 --a------ C:\WINDOWS\system32\KPDPM(2).dll
2006-10-06 20:38 229,376 --a------ C:\WINDOWS\system32\KPDPMUI.dll
2006-10-06 20:38 229,376 --a------ C:\WINDOWS\system32\KPDPMUI(2).dll
2006-10-06 18:13 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2006-10-06 18:13 5,632 --a------ C:\WINDOWS\system32\ptpusb(2).dll
2006-10-06 18:13 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2006-10-06 18:13 159,232 --a------ C:\WINDOWS\system32\ptpusd(2).dll
2006-10-06 07:37 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2006-10-05 18:57 9,341 --a------ C:\WINDOWS\system32\drivers\filedisk.sys
2006-10-05 18:56 41,472 --a------ C:\WINDOWS\system32\iolobtdfg.exe
2006-10-05 18:56 25,264 --a------ C:\WINDOWS\system32\smrgdf.exe
2006-10-05 18:56 1,212,928 --a------ C:\WINDOWS\system32\Incinerator.dll
2006-10-05 18:56 1,212,928 --a------ C:\WINDOWS\system32\Incinerator(2).dll
2006-10-04 14:50 69 --a------ C:\xwjpagn.bat
2006-10-04 14:50 69 --a------ C:\xwjpagn(2).bat
2006-09-28 07:38 7,680 --a------ C:\Documents and Settings\Compaq_Administrator\loadadv559.exe
2006-09-28 07:38 7,680 --a------ C:\Documents and Settings\Compaq_Administrator\loadadv559(2).exe
2006-09-28 07:38 15,872 --a------ C:\Documents and Settings\Compaq_Administrator\NKNC.exe
2006-09-28 07:38 15,872 --a------ C:\Documents and Settings\Compaq_Administrator\NKNC(2).exe
2006-09-25 09:56 32,573 --a------ C:\WINDOWS\system32\adrot-uninst(2).exe
2006-09-25 08:41 1,233 --a------ C:\WINDOWS\system32\fixe5f4d.sys
2006-09-25 08:41 1,233 --a------ C:\WINDOWS\system32\fixe5f4d(2).sys
2006-09-25 07:49 0 --a------ C:\msaove.exe
2006-09-24 08:46 390,000 -r-hs---- C:\WINDOWS\reyqasl.exe
2006-09-24 08:44 7,680 --a------ C:\WINDOWS\system32\loadadv559(2).exe
2006-09-24 08:43 15,360 --a------ C:\WINDOWS\system32\inst.exe
2006-09-24 08:43 15,360 --a------ C:\WINDOWS\system32\inst(2).exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2006-10-18 15:15 -------- d-------- C:\Program Files\Internet Explorer
2006-10-18 15:13 -------- d-------- C:\Program Files\Plaxo
2006-10-18 15:07 -------- d-------- C:\Program Files\Common Files
2006-10-17 22:50 -------- d-------- C:\Program Files\Windows Defender
2006-10-17 19:45 -------- d-------- C:\Program Files\Grisoft
2006-10-17 10:57 -------- d-a------ C:\Program Files\Common Files\LightScribe
2006-10-17 10:57 -------- d-------- C:\Program Files\Netscape Internet Service
2006-10-17 10:57 -------- d-------- C:\Program Files\Microsoft IntelliType Pro
2006-10-17 10:57 -------- d-------- C:\Program Files\Messenger
2006-10-17 10:57 -------- d-------- C:\Program Files\Google
2006-10-17 10:57 -------- d-------- C:\Program Files\DISC
2006-10-17 09:31 -------- d-------- C:\Program Files\PSDream
2006-10-17 08:42 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-17 08:42 -------- d-------- C:\Program Files\Panda Software
2006-10-17 04:57 -------- d-------- C:\Program Files\MSXML 4.0
2006-10-15 18:17 -------- d-------- C:\Program Files\Lavasoft
2006-10-15 18:17 -------- d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Lavasoft
2006-10-12 14:16 -------- d-------- C:\Program Files\Windows NT
2006-10-12 14:16 -------- d-------- C:\Program Files\Windows Messaging
2006-10-12 14:16 -------- d-------- C:\Program Files\Windows Media Player
2006-10-12 14:16 -------- d-------- C:\Program Files\Webshots
2006-10-12 14:16 -------- d-------- C:\Program Files\tunebite
2006-10-12 14:16 -------- d-------- C:\Program Files\SWiSHmax
2006-10-12 14:16 -------- d-------- C:\Program Files\ScanSuite
2006-10-12 14:15 -------- d-------- C:\Program Files\QuickTime
2006-10-12 14:15 -------- d-------- C:\Program Files\Quicken
2006-10-12 14:15 -------- d-------- C:\Program Files\PhotoDeluxe 2.0
2006-10-12 14:15 -------- d-------- C:\Program Files\PC-Doctor 5 for Windows
2006-10-12 14:15 -------- d-------- C:\Program Files\Outlook Express
2006-10-12 14:15 -------- d-------- C:\Program Files\Online Services
2006-10-12 14:15 -------- d-------- C:\Program Files\NetMeeting
2006-10-12 14:15 -------- d-------- C:\Program Files\music_now
2006-10-12 14:15 -------- d-------- C:\Program Files\MSN Encarta Standard
2006-10-12 14:15 -------- d-------- C:\Program Files\Movie Maker
2006-10-12 14:15 -------- d-------- C:\Program Files\Microsoft Works
2006-10-12 14:15 -------- d-------- C:\Program Files\Microsoft Office
2006-10-12 14:14 -------- d-------- C:\Program Files\Microsoft Money 2006
2006-10-12 14:14 -------- d-------- C:\Program Files\Micrografx
2006-10-12 14:14 -------- d-------- C:\Program Files\iTunes
2006-10-12 14:14 -------- d-------- C:\Program Files\HP Rhapsody
2006-10-12 14:14 -------- d-------- C:\Program Files\GemMaster
2006-10-12 14:14 -------- d-------- C:\Program Files\EnglishOtto
2006-10-12 14:14 -------- d-------- C:\Program Files\DVD Clone Factory
2006-10-12 14:14 -------- d-------- C:\Program Files\Common Files\System
2006-10-12 14:14 -------- d-------- C:\Program Files\Common Files\SureThing Shared
2006-10-12 14:14 -------- d-------- C:\Program Files\Common Files\Sonic Shared
2006-10-12 14:14 -------- d-------- C:\Program Files\Common Files\Scanner
2006-10-12 14:14 -------- d-------- C:\Program Files\Common Files\Palo Alto Software
2006-10-12 14:13 -------- d-------- C:\Program Files\Common Files\Kaspersky Lab
2006-10-12 14:13 -------- d-------- C:\Program Files\Common Files\Funk Software
2006-10-12 14:13 -------- d-------- C:\Program Files\Common Files\Droppix
2006-10-12 14:13 -------- d-------- C:\Program Files\Common Files\Designer
2006-10-12 14:13 -------- d-------- C:\Program Files\Common Files\aolshare
2006-10-12 14:13 -------- d-------- C:\Program Files\Common Files\AOL
2006-10-12 14:13 -------- d-------- C:\Program Files\AOL
2006-10-12 14:13 -------- d-------- C:\Program Files\AOD
2006-10-12 14:13 -------- d-------- C:\Program Files\Animate Me! 1.4
2006-10-12 14:13 -------- d-------- C:\Program Files\Adobe Type Manager
2006-10-12 10:08 -------- d-------- C:\Program Files\Kaspersky Lab
2006-10-12 03:03 -------- d---s---- C:\Documents and Settings\Compaq_Administrator\Application Data\Microsoft
2006-10-11 00:49 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-10-07 20:59 -------- d-------- C:\Program Files\Symantec Technical Support
2006-10-06 20:23 -------- d-------- C:\Program Files\Kodak
2006-10-06 18:12 -------- d-------- C:\Program Files\Common Files\Kodak
2006-10-06 14:39 1672336 --a------ C:\Program Files\install_easyshare.exe
2006-10-06 14:39 1672336 --a------ C:\Program Files\install_easyshare(2).exe
2006-10-06 14:14 -------- d-------- C:\Program Files\Viewpoint
2006-10-06 14:11 -------- d-------- C:\Program Files\Common Files\Viewpoint
2006-10-06 09:19 -------- d-------- C:\Program Files\STOPzilla!
2006-10-05 18:56 -------- d-------- C:\Program Files\iolo
2006-10-05 15:34 -------- d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Netscape
2006-09-25 17:48 -------- d-------- C:\Program Files\Common Files\iS3
2006-09-24 15:14 0 --a------ C:\Program Files\yvgcq.exe
2006-09-24 12:35 -------- d-------- C:\Program Files\Yahoo!
2006-09-19 21:57 -------- d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Google
2006-09-19 21:50 14405024 --a------ C:\Program Files\GoogleEarthWin.exe
2006-09-19 21:50 14405024 --a------ C:\Program Files\GoogleEarthWin(2).exe
2006-09-18 07:39 -------- d-------- C:\Program Files\LightScribe
2006-09-14 13:41 -------- d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\HP
2006-09-12 17:51 1245184 --a------ C:\WINDOWS\system32\msxml4.dll
2006-09-09 13:51 17587587 --a------ C:\Program Files\SetupDxLabelMaker5Star.exe
2006-09-09 13:51 17587587 --a------ C:\Program Files\SetupDxLabelMaker5Star(2).exe
2006-09-09 13:44 -------- d-------- C:\Program Files\Droppix
2006-09-07 19:03 -------- d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\tunebite
2006-08-29 16:15 2873048 --a------ C:\Program Files\LS_Update_1.4.109.1_.exe
2006-08-29 16:15 2873048 --a------ C:\Program Files\LS_Update_1.4.109.1_(2).exe
2006-08-29 15:46 5473359 --a------ C:\Program Files\LightScribe Applications 1.0.exe
2006-08-29 15:46 5473359 --a------ C:\Program Files\LightScribe Applications 1.0(2).exe
2006-08-21 04:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 01:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 01:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-15 12:43 8037624 --a------ C:\Program Files\tunebite.exe
2006-08-15 12:43 8037624 --a------ C:\Program Files\tunebite(2).exe
2006-07-27 05:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-25 12:42 615424 --a------ C:\WINDOWS\system32\urlmon(2).dll
2006-07-24 02:08 4 --ah----- C:\WINDOWS\uccspecb.sys
2006-07-21 00:24 72704 --------- C:\WINDOWS\system32\hlink.dll
2006-07-07 21:34 1681072 --a------ C:\Program Files\KODAK EASYSHARE Gallery Upload Software, V2.0.exe
2006-07-07 21:34 1681072 --a------ C:\Program Files\KODAK EASYSHARE Gallery Upload Software, V2.0(2).exe
2006-07-06 14:44 3586063 --a------ C:\Program Files\5star-dcf.exe
2006-07-06 14:44 3586063 --a------ C:\Program Files\5star-dcf(2).exe
2006-07-01 10:32 433496 --a------ C:\Program Files\ExpediaFareAlertSetup.exe
2006-07-01 10:32 433496 --a------ C:\Program Files\ExpediaFareAlertSetup(2).exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Aim6"=""
"PlaxoUpdate"="C:\\Program Files\\Plaxo\\2.11.1.5\\PlaxoHelper.exe -a"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_7 -reboot 1"
"tunebite.exe"="C:\\Program Files\\tunebite\\tunebite.exe -hidden"
"pngfilt"="C:\\WINDOWS\\system32\\pngfilt.exe"
"wshbth"="C:\\WINDOWS\\system32\\wshbth.exe"
"mciavi32"="C:\\WINDOWS\\system32\\mciavi32.exe"
"dx7vb"="C:\\WINDOWS\\system32\\dx7vb.exe"
"SMSystemAnalyzer"="\"C:\\Program Files\\iolo\\System Mechanic Professional 6\\SMSystemAnalyzer.exe\""
"ipsmsnap"="C:\\WINDOWS\\system32\\ipsmsnap.exe"
"cic"="C:\\WINDOWS\\system32\\cic.exe"
"serwvdrv"="C:\\WINDOWS\\system32\\serwvdrv.exe"
"Fpqqfdb"="C:\\Program Files\\Common Files\\?icrosoft.NET\\w?auclt.exe"
"System Mechanic Popup Blocker"="\"C:\\Program Files\\iolo\\System Mechanic Professional 6\\PopupBlocker.exe\""
"iexplore"="C:\\Program Files\\Internet Explorer\\iexplore.exe"
"rasmxs"="C:\\WINDOWS\\system32\\rasmxs.exe"
"sonyhcy"="C:\\WINDOWS\\system32\\sonyhcy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"AlwaysReady Power Message APP"="ARPWRMSG.EXE"
"DiscUpdateManager"="C:\\Program Files\\DISC\\DiscUpdateMgr.exe"
"DMAScheduler"="c:\\Program Files\\Sonic\\DigitalMedia Plus\\DigitalMedia Archive\\DMAScheduler.exe"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
@=""
"PCDrProfiler"=""
"HPBootOp"="\"C:\\Program Files\\Hewlett-Packard\\HP Boot Optimizer\\HPBootOp.exe\" /run"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1148023627\\ee\\AOLSoftware.exe"
"Samsung LBP SM"="\"C:\\WINDOWS\\Samsung\\LaserSMMgr\\ssmmgr.exe\" /autorun"
"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"My Web Search Bar"="rundll32 C:\\PROGRA~1\\MYWEBS~1\\bar\\2.bin\\MWSBAR.DLL,S"
"SvcManager"="alg1.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"SystemGuardAlerter"="SystemGuardAlerter.exe"
"Explorer 2238"="C:\\WINDOWS\\TEMP\\18225\\explorer.exe"
"APVXDWIN"="\"C:\\Program Files\\Panda Software\\Panda Antivirus 2007\\APVXDWIN.EXE\" /s"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
@=""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,30,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,df,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,df,03,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"_mzu_stonedrv2"="c:\\windows\\system32\\_mzu_stonedrv2.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"_mzu_stonedrv2"="c:\\windows\\system32\\_mzu_stonedrv2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304BB2238}"="DCOM Server 2238"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"SysRun"="{D7FFD784-5276-42D1-887B-00267870A4C7}"
"DCOM Server 2238"="{2C1CD3D7-86AC-4068-93BC-A02304BB2238}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\scsiusr4
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xartcd5

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: 06-10-18 15:19:03.25
C:\ComboFix.txt ... 06-10-18 15:19
C:\ComboFix2.txt ... 06-10-18 15:15
C:\ComboFix3.txt ... 06-10-18 15:11
  • 0

#4
Buckeye_Sam
    Malware Expert
  • Member
  • 10,019 posts
Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



    C:\Documents and Settings\Compaq_Administrator\LARG.exe
    C:\Documents and Settings\Compaq_Administrator\LCGT.exe
    C:\Documents and Settings\Compaq_Administrator\DBQO.exe
    C:\Documents and Settings\Compaq_Administrator\JBKK.exe
    C:\Documents and Settings\Compaq_Administrator\NNLD.exe
    C:\Documents and Settings\Compaq_Administrator\JBNM.exe
    C:\Documents and Settings\Compaq_Administrator\HDMR.exe
    C:\tcqw.exe
    C:\ltgfco.exe
    C:\wlhhfi.exe
    C:\jvynwhms.exe
    C:\jwilsaf.exe
    C:\Documents and Settings\Compaq_Administrator\GSDQ.exe
    C:\WINDOWS\system32\dinput8.exe
    C:\WINDOWS\system32\dinput8(2).exe
    C:\WINDOWS\system32\kbdkyr.exe
    C:\WINDOWS\system32\8(2).exe
    C:\WINDOWS\system32\wnscpit.exe
    C:\WINDOWS\system32\comdlg32.exe
    C:\WINDOWS\system32\comdlg32(2).exe
    C:\WINDOWS\system32\dpnet.exe
    C:\WINDOWS\system32\lz32.exe
    C:\WINDOWS\system32\lz32(2).exe
    C:\WINDOWS\system32\wsnmp32.exe
    C:\WINDOWS\system32\lzx32.sys
    C:\WINDOWS\system32\lzx32(2).sys
    C:\WINDOWS\kcuxo(2).dll
    C:\WINDOWS\system32\ezimg25.exe
    C:\dfytht.exe
    C:\dfytht(2).exe
    C:\WINDOWS\system32\btpanui.exe
    C:\WINDOWS\system32\btpanui(2).exe




  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

  • After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log
  • Post this log in your next reply.


================


Download GMER from here:
http://www.gmer.net/gmer.zip

Unzip it to the desktop and start GMER.exe
Click the Rootkit tab and click the Scan button.

Warning! Please do not select the "Show all" checkbox during the scan.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results here in your next reply.
  • 0

#5
lnijjar
    Member
  • Topic Starter
  • Member
  • 108 posts
OK, here's the log. Does this mess seem to be the result of a virus?




Pocket Killbox version 2.0.0.881
Running on Windows XP as Compaq_Administrator(Administrator)
was started @ Thursday, October 19, 2006, 7:32 AM

# 1 [Delete on Reboot]
Path = C:\Documents and Settings\Compaq_Administrator\LARG.exe


# 2 [Delete on Reboot]
Path = C:\Documents and Settings\Compaq_Administrator\LCGT.exe


# 3 [Delete on Reboot]
Path = C:\Documents and Settings\Compaq_Administrator\DBQO.exe


# 4 [Delete on Reboot]
Path = C:\Documents and Settings\Compaq_Administrator\JBKK.exe


# 5 [Delete on Reboot]
Path = C:\Documents and Settings\Compaq_Administrator\NNLD.exe


# 6 [Delete on Reboot]
Path = C:\Documents and Settings\Compaq_Administrator\JBNM.exe


# 7 [Delete on Reboot]
Path = C:\Documents and Settings\Compaq_Administrator\HDMR.exe


# 8 [Delete on Reboot]
Path = C:\tcqw.exe


# 9 [Delete on Reboot]
Path = C:\ltgfco.exe


# 10 [Delete on Reboot]
Path = C:\wlhhfi.exe


# 11 [Delete on Reboot]
Path = C:\jvynwhms.exe


# 12 [Delete on Reboot]
Path = C:\jwilsaf.exe


# 13 [Delete on Reboot]
Path = C:\Documents and Settings\Compaq_Administrator\GSDQ.exe


# 14 [Delete on Reboot]
Path = C:\WINDOWS\system32\dinput8.exe


# 15 [Delete on Reboot]
Path = C:\WINDOWS\system32\dinput8(2).exe


# 16 [Delete on Reboot]
Path = C:\WINDOWS\system32\kbdkyr.exe


# 17 [Delete on Reboot]
Path = C:\WINDOWS\system32\8(2).exe


# 18 [Delete on Reboot]
Path = C:\WINDOWS\system32\wnscpit.exe


# 19 [Delete on Reboot]
Path = C:\WINDOWS\system32\comdlg32.exe


# 20 [Delete on Reboot]
Path = C:\WINDOWS\system32\comdlg32(2).exe


# 21 [Delete on Reboot]
Path = C:\WINDOWS\system32\dpnet.exe


# 22 [Delete on Reboot]
Path = C:\WINDOWS\system32\lz32.exe


# 23 [Delete on Reboot]
Path = C:\WINDOWS\system32\lz32(2).exe


# 24 [Delete on Reboot]
Path = C:\WINDOWS\system32\wsnmp32.exe


# 25 [Delete on Reboot]
Path = C:\WINDOWS\system32\lzx32.sys


# 26 [Delete on Reboot]
Path = C:\WINDOWS\system32\lzx32(2).sys


# 27 [Delete on Reboot]
Path = C:\WINDOWS\kcuxo(2).dll


# 28 [Delete on Reboot]
Path = C:\WINDOWS\system32\ezimg25.exe


# 29 [Delete on Reboot]
Path = C:\dfytht.exe


# 30 [Delete on Reboot]
Path = C:\dfytht(2).exe


# 31 [Delete on Reboot]
Path = C:\WINDOWS\system32\btpanui.exe


# 32 [Delete on Reboot]
Path = C:\WINDOWS\system32\btpanui(2).exe


I Rebooted @ 7:36:36 AM
Killbox Closed(Exit) @ 7:36:42 AM
__________________________________________________

Pocket Killbox version 2.0.0.881
Running on Windows XP as Compaq_Administrator(Administrator)
was started @ Thursday, October 19, 2006, 7:39 AM
  • 0

#6
Buckeye_Sam
    Malware Expert
  • Member
  • 10,019 posts
You have several instances of malware that are causing you problems.

Did you run the GMER scan yet?
  • 0

#7
lnijjar
    Member
  • Topic Starter
  • Member
  • 108 posts
Oops, didn't see that in the post..

I've run it several times now, and when it seems to be at the end, it shuts down before I can copy it. Here is what it says when it starts:


GMER 1.0.11.11390 - http://www.gmer.net
Rootkit 2006-10-19 19:53:42
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.11 ----

SYSENTER ? F711433A

---- Services - GMER 1.0.11 ----

Service C:\WINDOWS\system32:lzx32.sys (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!

---- EOF - GMER 1.0.11 ----
  • 0

#8
Buckeye_Sam
    Malware Expert
  • Member
  • 10,019 posts
That's enough info for us to act on it.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to unload:
pe386

Files to delete:
C:\WINDOWS\system32\lzx32.sys



Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply

Edited by Buckeye_Sam, 20 October 2006 - 06:19 AM.

  • 0

#9
lnijjar
    Member
  • Topic Starter
  • Member
  • 108 posts
You're amazing! Why are there several instances of C:\WINDOWS\system32\svchost.exe? Is that part of the duplicate files mess that I have going on?


Here's the Avenger log

Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\omknmedj

*******************

Script file located at: \??\C:\hfpoqodr.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver pe386 unloaded successfully.


File C:\WINDOWS\system32\lzx32.sys not found!
Deletion of file C:\WINDOWS\system32\lzx32.sys failed!

Could not process line:
C:\WINDOWS\system32\lzx32.sys
Status: 0xc0000034


Completed script processing.

*******************


~*~*~HJT LOG~*~*~*


Logfile of HijackThis v1.99.1
Scan saved at 7:44:17 AM, on 10/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.6.0\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3909C938-088C-1033-0117-060507190001}\MyToolBar.dll (file missing)
O2 - BHO: (no name) - {C51BE282-2F1E-7CEB-41F0-73E29E7620C6} - C:\WINDOWS\system32\qhdetp.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.6.0\ViewBar.dll
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3909C938-088C-1033-0117-060507190001}\MyToolBar.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [DiscUpdateManager] C:\Program Files\DISC\DiscUpdateMgr.exe
O4 - HKLM\..\Run: [DMAScheduler] c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1148023627\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Samsung LBP SM] "C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [SvcManager] alg1.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SystemGuardAlerter] SystemGuardAlerter.exe
O4 - HKLM\..\Run: [Explorer 2238] C:\WINDOWS\TEMP\18225\explorer.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.11.1.5\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [tunebite.exe] C:\Program Files\tunebite\tunebite.exe -hidden
O4 - HKCU\..\Run: [pngfilt] C:\WINDOWS\system32\pngfilt.exe
O4 - HKCU\..\Run: [wshbth] C:\WINDOWS\system32\wshbth.exe
O4 - HKCU\..\Run: [mciavi32] C:\WINDOWS\system32\mciavi32.exe
O4 - HKCU\..\Run: [dx7vb] C:\WINDOWS\system32\dx7vb.exe
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [ipsmsnap] C:\WINDOWS\system32\ipsmsnap.exe
O4 - HKCU\..\Run: [cic] C:\WINDOWS\system32\cic.exe
O4 - HKCU\..\Run: [serwvdrv] C:\WINDOWS\system32\serwvdrv.exe
O4 - HKCU\..\Run: [Fpqqfdb] C:\Program Files\Common Files\?icrosoft.NET\w?auclt.exe
O4 - HKCU\..\Run: [System Mechanic Popup Blocker] "C:\Program Files\iolo\System Mechanic Professional 6\PopupBlocker.exe"
O4 - HKCU\..\Run: [iexplore] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKCU\..\Run: [rasmxs] C:\WINDOWS\system32\rasmxs.exe
O4 - HKCU\..\Run: [sonyhcy] C:\WINDOWS\system32\sonyhcy.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O4 - Global Startup: desktop(2).ini
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
O8 - Extra context menu item: &Search -
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Popup Blocker - Add to Black List - C:\Program Files\iolo\Common\Lib\AddToPSBlackList.htm
O8 - Extra context menu item: Popup Blocker - Add to White List - C:\Program Files\iolo\Common\Lib\AddToPSWhiteList.htm
O8 - Extra context menu item: SnipeIt! eSnipe - http://www.esnipe.co...nipeItOpen3.asp
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {0645D7F3-C20E-4E0B-A545-557527497C0B} (NMInstall Control) - http://a14.g.akamai....GAPANEL_USA.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1160093392515
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....02/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: scsiusr4 - scsiusr4.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: xartcd5 - xartcd5.dll (file missing)
O21 - SSODL: SysRun - {D7FFD784-5276-42D1-887B-00267870A4C7} - C:\WINDOWS\system32\svshost.dll (file missing)
O21 - SSODL: DCOM Server 2238 - {2C1CD3D7-86AC-4068-93BC-A02304BB2238} - C:\WINDOWS\TEMP\18225\explorer.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Netscape Update Service (NCUpdateSvc) - Netscape Communications Corporation - C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)
  • 0
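Added example, not code from this thread, from HijackThis or from Geeks to Go: a small Python triage script that applies the kind of checks a malware-removal volunteer runs over O4/O20/O21 lines like those in the HijackThis log above (bare filenames, temp directories, `?` look-alike characters, DLL names re-used as .exe, system-binary names in the wrong place or one letter off, loaders pointing at missing files). The rule set, the DLL-name list and the sample lines are assembled for this example; a hit is an indicator to inspect, not a verdict.

```python
"""Triage heuristics for HijackThis startup lines (O4 Run entries, O20
Winlogon Notify and O21 SSODL loaders).

Added example for this thread, not HijackThis or Geeks to Go code. Each rule
is an indicator a malware-removal volunteer checks; a hit is a reason to look
closer, not a verdict (HP's ARPWRMSG.EXE is a legitimate bare filename, and
the My Web Search rundll32 line below passes clean: that is what reputation
lists are for).
"""
import re
from typing import Dict, List

# Genuine Windows DLL names the log above shows re-used as .exe autoruns in
# system32. Partial list assembled for this example.
KNOWN_DLL_STEMS = {"pngfilt", "wshbth", "mciavi32", "dx7vb", "ipsmsnap", "cic",
                   "serwvdrv", "rasmxs", "dinput8", "comdlg32", "lz32", "hlink"}
# Core system binaries whose names malware borrows or misspells, and where
# they live on a default Windows XP install.
SYSTEM_BINARIES = {"svchost", "lsass", "csrss", "winlogon", "services",
                   "explorer", "userinit", "smss"}
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32"}

O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[[^\]]*\] (?P<cmd>.*)$")
LOADER_RE = re.compile(r"^O2[01] - [^:]+: .+? - (?:\{[0-9A-Fa-f-]+\} - )?(?P<path>.*)$")
# Path up to the first binary extension, optionally quoted, optionally behind a
# rundll32 host. HijackThis prints paths that contain spaces without quotes.
PATH_RE = re.compile(
    r'^"?(?:rundll32(?:\.exe)?\s+)?(?P<path>.+?\.(?:exe|dll|sys))"?(?:[\s,].*)?$', re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; file stems are short, so the full table is cheap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_path(cmd: str) -> str:
    """Pull the executable or DLL path out of a Run command line."""
    m = PATH_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip().split(" ")[0]


def triage_path(path: str) -> List[str]:
    """Return the reasons one binary path stands out (empty if none)."""
    low = path.lower()
    directory, _, base = low.rpartition("\\")
    stem, dot, ext = base.rpartition(".")
    if not dot:
        stem, ext = base, ""
    flags = []
    if "\\" not in path:
        flags.append("bare filename: runs whatever the PATH search finds first")
    if "\\temp\\" in low or "\\temporary internet files\\" in low:
        flags.append("runs from a temporary directory")
    if "?" in path:
        flags.append("non-ASCII character in path (HijackThis prints it as '?'): look-alike of a Microsoft path")
    if ext == "exe" and stem in KNOWN_DLL_STEMS:
        flags.append("Windows DLL name reused as an .exe")
    if stem in SYSTEM_BINARIES and "\\" in path and directory not in SYSTEM_DIRS:
        flags.append("system binary name outside its normal directory")
    for legit in sorted(SYSTEM_BINARIES):
        if stem != legit and edit_distance(stem, legit) == 1:
            flags.append("one character away from system binary " + legit)
    return flags


def triage_line(line: str) -> List[str]:
    """Triage one HijackThis line; [] for clean lines and uncovered line types."""
    m = O4_RE.match(line)
    if m:
        return triage_path(extract_path(m.group("cmd")))
    m = LOADER_RE.match(line)
    if m:
        raw, flags = m.group("path"), []
        if raw.endswith("(file missing)"):
            raw = raw[: -len("(file missing)")].strip()
            flags.append("loader points at a missing file (leftover, or hidden from the scanner)")
        return flags + triage_path(raw)
    return []


def triage_log(lines) -> Dict[str, List[str]]:
    """Map each flagged line to its reasons; clean lines are left out."""
    return {l.strip(): triage_line(l.strip()) for l in lines if triage_line(l.strip())}


# Lines taken from the HijackThis log posted above, plus clean ones for contrast.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe",
    r"O4 - HKLM\..\Run: [SvcManager] alg1.exe",
    r"O4 - HKLM\..\Run: [Explorer 2238] C:\WINDOWS\TEMP\18225\explorer.exe",
    r"O4 - HKCU\..\Run: [pngfilt] C:\WINDOWS\system32\pngfilt.exe",
    r"O4 - HKCU\..\Run: [Fpqqfdb] C:\Program Files\Common Files\?icrosoft.NET\w?auclt.exe",
    r"O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL,S",
    r"O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll",
    r"O20 - Winlogon Notify: scsiusr4 - scsiusr4.dll (file missing)",
    r"O21 - SSODL: SysRun - {D7FFD784-5276-42D1-887B-00267870A4C7} - C:\WINDOWS\system32\svshost.dll (file missing)",
]

if __name__ == "__main__":
    for flagged, reasons in triage_log(SAMPLE_LOG).items():
        print(flagged)
        print("    -> " + "\n    -> ".join(reasons))
```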

#10
Buckeye_Sam
    Malware Expert
  • Member
  • 10,019 posts

Why are there several instances of C:\WINDOWS\system32\svchost.exe? Is that part of the duplicate files mess that I have going on?

Those are perfectly normal. Here's some info on that file.

svchost.exe is a system process belonging to the Microsoft Windows Operating System which handles processes executed from DLLs. This program is important for the stable and secure running of your computer and should not be terminated.



Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.6.0\ViewBarBHO.dll
O2 - BHO: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3909C938-088C-1033-0117-060507190001}\MyToolBar.dll (file missing)
O2 - BHO: (no name) - {C51BE282-2F1E-7CEB-41F0-73E29E7620C6} - C:\WINDOWS\system32\qhdetp.dll (file missing)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.6.0\ViewBar.dll
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3909C938-088C-1033-0117-060507190001}\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [SvcManager] alg1.exe
O4 - HKLM\..\Run: [Explorer 2238] C:\WINDOWS\TEMP\18225\explorer.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [pngfilt] C:\WINDOWS\system32\pngfilt.exe
O4 - HKCU\..\Run: [wshbth] C:\WINDOWS\system32\wshbth.exe
O4 - HKCU\..\Run: [mciavi32] C:\WINDOWS\system32\mciavi32.exe
O4 - HKCU\..\Run: [dx7vb] C:\WINDOWS\system32\dx7vb.exe
O4 - HKCU\..\Run: [ipsmsnap] C:\WINDOWS\system32\ipsmsnap.exe
O4 - HKCU\..\Run: [cic] C:\WINDOWS\system32\cic.exe
O4 - HKCU\..\Run: [serwvdrv] C:\WINDOWS\system32\serwvdrv.exe
O4 - HKCU\..\Run: [Fpqqfdb] C:\Program Files\Common Files\?icrosoft.NET\w?auclt.exe
O4 - HKCU\..\Run: [iexplore] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKCU\..\Run: [rasmxs] C:\WINDOWS\system32\rasmxs.exe
O4 - HKCU\..\Run: [sonyhcy] C:\WINDOWS\system32\sonyhcy.exe
O4 - Global Startup: desktop(2).ini
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O20 - Winlogon Notify: scsiusr4 - scsiusr4.dll (file missing)
O20 - Winlogon Notify: xartcd5 - xartcd5.dll (file missing)
O21 - SSODL: SysRun - {D7FFD784-5276-42D1-887B-00267870A4C7} - C:\WINDOWS\system32\svshost.dll (file missing)
O21 - SSODL: DCOM Server 2238 - {2C1CD3D7-86AC-4068-93BC-A02304BB2238} - C:\WINDOWS\TEMP\18225\explorer.exe (file missing)



Reboot your computer.


==============


Please click Start -> Control Panel -> Add/Remove Programs and uninstall these programs:

MediaTickets by OIN
Search Bar
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Viewpoint Toolbar
WildTangent Web Driver



===============



Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new hijackthis log.

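The fix list in the reply above is built by reading the HijackThis log line by line for structural tells: a target marked "(file missing)" or "(no file)", a UserInit value that chains a second program (ntos.exe) after userinit.exe, an O4 Run entry launching from a Temp directory, a "?" in a path (HijackThis prints characters it cannot render that way, and "?" is not a legal Windows filename character, so "?icrosoft.NET" is a look-alike directory), and a binary whose name is one letter away from a real system file (svshost.dll next to svchost.exe). Multiple svchost.exe processes are normal, as the reply says; what matters is the path and the exact spelling. The Python script below is an added example written for this page, not a tool from the thread or from HijackThis: it applies those checks to a few lines copied from the log above. The list of imitated system names and the one-edit threshold are assumptions of the example, and the script knows nothing about adware identified purely by name (Viewpoint, ToolBar888, My Web Search), which the expert recognised from experience.

```python
"""Triage a HijackThis 1.99 log for autostart entries worth a second look.

Added example for this page; the heuristics are assumptions of the example,
not HijackThis features or the forum expert's method.
"""
import re

# Windows binaries that malware likes to imitate by one-letter misspellings
# (assumed list for this example).
KNOWN_SYSTEM_NAMES = ("svchost", "csrss", "lsass", "smss", "winlogon",
                      "services", "explorer", "userinit", "rundll32")

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
BINARY_RE = re.compile(r"(\w+)\.(?:exe|dll)\b", re.IGNORECASE)

# Sample input: lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [Explorer 2238] C:\WINDOWS\TEMP\18225\explorer.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Fpqqfdb] C:\Program Files\Common Files\?icrosoft.NET\w?auclt.exe
O20 - Winlogon Notify: scsiusr4 - scsiusr4.dll (file missing)
O21 - SSODL: SysRun - {D7FFD784-5276-42D1-887B-00267870A4C7} - C:\WINDOWS\system32\svshost.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
""".strip()


def one_edit_apart(a, b):
    """True when a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def reasons_for(kind, body, line):
    """Return the list of reasons a single log entry looks suspicious."""
    reasons = []
    if "(file missing)" in line or "(no file)" in line:
        reasons.append("orphaned autostart: target file is missing")
    if kind == "F2" and "UserInit=" in body:
        # UserInit should be userinit.exe alone; anything after it runs at every logon.
        value = body.split("UserInit=", 1)[1]
        for prog in filter(None, (p.strip() for p in value.split(","))):
            if not prog.lower().endswith("userinit.exe"):
                reasons.append(f"UserInit chains an extra program: {prog}")
    if kind == "O4":
        if "\\temp\\" in body.lower():
            reasons.append("autostart launches from a Temp directory")
        if "?" in body:
            reasons.append("'?' is not a legal filename character: "
                           "path contains an unrenderable look-alike character")
    # Compare every referenced exe/dll stem against the imitated system names.
    for stem in (m.group(1).lower() for m in BINARY_RE.finditer(body)):
        if stem in KNOWN_SYSTEM_NAMES:
            continue
        for known in KNOWN_SYSTEM_NAMES:
            if one_edit_apart(stem, known):
                reasons.append(f"'{stem}' is one character away from system binary '{known}'")
    return reasons


def triage(log_text):
    """Return [(line_number, line, [reasons])] for every flagged entry."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        reasons = reasons_for(m["kind"], m["body"], line)
        if reasons:
            findings.append((number, line, reasons))
    return findings


if __name__ == "__main__":
    for number, line, reasons in triage(SAMPLE_LOG):
        print(f"line {number}: {line}")
        for reason in reasons:
            print(f"    -> {reason}")
```

To use it on a real log, read the saved HijackThis text file and pass its contents to triage() in place of SAMPLE_LOG. A flagged line is a candidate for the Fix Checked list, not a verdict: the KernelFaultCheck entry in the sample passes every check here even though the expert chose to remove it, and legitimate software does sometimes leave "(file missing)" orphans behind after an incomplete uninstall.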
#11 lnijjar (Topic Starter)
Ok, thanks for the great info on that one file!

It wouldn't let me delete O4 - Global Startup: desktop(2).ini.
I also couldn't find Search Bar on the Add/Remove list.
I didn't delete the WildTangent thing since I'm certain that it goes with the game package that came on my computer; since I play them regularly, I figured it would cause problems.

I'm happy to report that I've gone to a full start, and the computer is not shutting down now, nor do I get popups. Still having internet connectivity issues, but that will come later. My System Guard (System Mechanic 6 Pro) is alerting me to files that are trying to connect starting with HKEY. Are these safe to allow?

Looking at the HJT log I see some Party Poker crap too. I'd be happy to get rid of this upon your direction.

New HJT

Logfile of HijackThis v1.99.1
Scan saved at 8:56:10 AM, on 10/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [DiscUpdateManager] C:\Program Files\DISC\DiscUpdateMgr.exe
O4 - HKLM\..\Run: [DMAScheduler] c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1148023627\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Samsung LBP SM] "C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SystemGuardAlerter] SystemGuardAlerter.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.11.1.5\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [tunebite.exe] C:\Program Files\tunebite\tunebite.exe -hidden
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [System Mechanic Popup Blocker] "C:\Program Files\iolo\System Mechanic Professional 6\PopupBlocker.exe"
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O4 - Global Startup: desktop(2).ini
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
O8 - Extra context menu item: &Search -
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Popup Blocker - Add to Black List - C:\Program Files\iolo\Common\Lib\AddToPSBlackList.htm
O8 - Extra context menu item: Popup Blocker - Add to White List - C:\Program Files\iolo\Common\Lib\AddToPSWhiteList.htm
O8 - Extra context menu item: SnipeIt! eSnipe - http://www.esnipe.co...nipeItOpen3.asp
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0645D7F3-C20E-4E0B-A545-557527497C0B} (NMInstall Control) - http://a14.g.akamai....GAPANEL_USA.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1160093392515
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....02/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Netscape Update Service (NCUpdateSvc) - Netscape Communications Corporation - C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)


PANDA Log

Panda Antivirus 2007 incident report

EVENT DATE RESULTS ADDITIONAL INFORMATION
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Spyware detected: Cookie/Statcounter 10/19/06 17:55:20 Eliminated Location: c:\documents and settings\compaq_administrator\cookies\compaq_administrator@statcounter[2].txt
Spyware detected: Cookie/WUpd 10/19/06 17:55:20 Eliminated Location: c:\documents and settings\compaq_administrator\cookies\compaq_administrator@revenue[1].txt
Spyware detected: Cookie/RealMedia 10/19/06 17:55:20 Eliminated Location: c:\documents and settings\compaq_administrator\cookies\compaq_administrator@realmedia[1].txt
Spyware detected: Cookie/QuestionMarket 10/19/06 17:55:20 Eliminated Location: c:\documents and settings\compaq_administrator\cookies\compaq_administrator@questionmarket[2].txt
Spyware detected: Cookie/Traffic Marketplace 10/19/06 17:55:20 Eliminated Location: c:\documents and settings\compaq_administrator\cookies\compaq_administrator@trafficmp[1].txt
Spyware detected: Cookie/Zedo 10/19/06 17:55:20 Eliminated Location: c:\documents and settings\compaq_administrator\cookies\compaq_administrator@zedo[1].txt
Spyware detected: Cookie/Tribalfusion 10/19/06 17:55:20 Eliminated Location: c:\documents and settings\compaq_administrator\cookies\compaq_administrator@tribalfusion[1].txt
Spyware detected: Cookie/BurstBeacon 10/19/06 17:55:20 Eliminated Location: c:\documents and settings\compaq_administrator\cookies\[email protected][1].txt
Spyware detected: Cookie/Seeq 10/19/06 17:55:20 Eliminated Location: c:\documents and settings\compaq_administrator\cookies\[email protected][1].txt
Spyware detected: Cookie/Falkag 10/19/06 17:55:19 Eliminated Location: c:\documents and settings\compaq_administrator\cookies\[email protected][2].txt
Spyware detected: Cookie/Falkag 10/19/06 17:55:19 Eliminated Location: c:\documents and settings\compaq_administrator\cookies\[email protected][2].txt
Spyware detected: Cookie/Advertising 10/19/06 17:55:19 Eliminated Location: c:\documents and settings\compaq_administrator\cookies\compaq_administrator@advertising[1].txt
Spyware detected: Cookie/PointRoll 10/19/06 17:55:19 Eliminated Location: c:\documents and settings\compaq_administrator\cookies\[email protected][2].txt
Spyware detected: Cookie/Adrevolver 10/19/06 17:55:19 Eliminated Location: c:\documents and settings\compaq_administrator\cookies\compaq_administrator@adrevolver[2].txt
Spyware detected: Cookie/Adrevolver 10/19/06 17:55:19 Eliminated Location: c:\documents and settings\compaq_administrator\cookies\compaq_administrator@adrevolver[3].txt
Spyware detected: Cookie/DomainSponsor 10/19/06 17:55:19 Eliminated Location: c:\documents and settings\compaq_administrator\cookies\[email protected][1].txt
Spyware detected: Cookie/Belnk 10/19/06 17:55:19 Eliminated Location: c:\documents and settings\compaq_administrator\cookies\compaq_administrator@belnk[1].txt
Spyware detected: Cookie/Mediaplex 10/19/06 17:55:19 Eliminated Location: c:\documents and settings\compaq_administrator\cookies\compaq_administrator@mediaplex[1].txt
Spyware detected: Cookie/Atlas DMT 10/19/06 17:55:19 Eliminated Location: c:\documents and settings\compaq_administrator\cookies\compaq_administrator@atdmt[2].txt
Spyware detected: Cookie/Atwola 10/19/06 17:55:19 Eliminated Location: c:\documents and settings\compaq_administrator\cookies\compaq_administrator@atwola[1].txt
Spyware detected: Cookie/FastClick 10/19/06 17:55:19 Eliminated Location: c:\documents and settings\compaq_administrator\cookies\compaq_administrator@fastclick[1].txt
Spyware detected: Cookie/Doubleclick 10/19/06 17:55:19 Eliminated Location: c:\documents and settings\compaq_administrator\cookies\compaq_administrator@doubleclick[1].txt
Spyware detected: Cookie/Belnk 10/19/06 17:55:19 Eliminated Location: c:\documents and settings\compaq_administrator\cookies\[email protected][2].txt
Spyware detected: Cookie/Coremetrics 10/19/06 17:55:19 Eliminated Location: c:\documents and settings\compaq_administrator\cookies\[email protected][1].txt
Spyware detected: Cookie/Casalemedia 10/19/06 17:55:19 Eliminated Location: c:\documents and settings\compaq_administrator\cookies\compaq_administrator@casalemedia[1].txt
Spyware detected: Cookie/BurstNet 10/19/06 17:55:19 Eliminated Location: c:\documents and settings\compaq_administrator\cookies\compaq_administrator@burstnet[2].txt
Spyware detected: Cookie/2o7 10/19/06 17:55:19 Eliminated Location: c:\documents and settings\compaq_administrator\cookies\compaq_administrator@2o7[1].txt
Adware detected: Adware/DeluxeComunications 10/17/06 13:56:18 Eliminated Location: c:\program files\deluxecommunications\dxc.exe
Adware detected: Adware/DeluxeComunications 10/17/06 10:57:45 Eliminated Location: C:\WINDOWS\system32\dxclib303562752.dll
Scan started 10/17/06 10:57:32 Scan: All My Computer
Update 10/17/06 08:49:49 OK Identifiers of alteration of archives
Update 10/17/06 08:49:43 OK New threat signatures: 42182

#12
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
We are definitely making some progress.

You can fix those Party Poker lines with HijackThis, as well as this line.

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....02/cpbrkpie.cab



Please run Combofix once again and post the resulting log.

#13
lnijjar

lnijjar

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 108 posts
Ok, here we go...

Fixed those two files.

HJT log

Logfile of HijackThis v1.99.1
Scan saved at 3:55:45 PM, on 10/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [DiscUpdateManager] C:\Program Files\DISC\DiscUpdateMgr.exe
O4 - HKLM\..\Run: [DMAScheduler] c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1148023627\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Samsung LBP SM] "C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SystemGuardAlerter] SystemGuardAlerter.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.11.1.5\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [tunebite.exe] C:\Program Files\tunebite\tunebite.exe -hidden
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [System Mechanic Popup Blocker] "C:\Program Files\iolo\System Mechanic Professional 6\PopupBlocker.exe"
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O4 - Global Startup: desktop(2).ini
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
O8 - Extra context menu item: &Search -
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Popup Blocker - Add to Black List - C:\Program Files\iolo\Common\Lib\AddToPSBlackList.htm
O8 - Extra context menu item: Popup Blocker - Add to White List - C:\Program Files\iolo\Common\Lib\AddToPSWhiteList.htm
O8 - Extra context menu item: SnipeIt! eSnipe - http://www.esnipe.co...nipeItOpen3.asp
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0645D7F3-C20E-4E0B-A545-557527497C0B} (NMInstall Control) - http://a14.g.akamai....GAPANEL_USA.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1160093392515
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Netscape Update Service (NCUpdateSvc) - Netscape Communications Corporation - C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)

ComboFix

Compaq_Administrator - 06-10-23 15:31:13.14 Service Pack 2
ComboFix 06.10.16 - Running from: "C:\Documents and Settings\Compaq_Administrator\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-09-23 to 2006-10-23 ))))))))))))))))))))))))))))))))))


2006-10-17 19:45 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-17 08:42 45,056 --a------ C:\WINDOWS\system32\avldr.dll
2006-10-11 13:07 252,752 --a------ C:\WINDOWS\system32\odc.dll
2006-10-06 20:38 64,512 --a------ C:\WINDOWS\system32\PTPITCP.dll
2006-10-06 20:38 64,512 --a------ C:\WINDOWS\system32\PTPITCP(2).dll
2006-10-06 20:38 307,200 --a------ C:\WINDOWS\system32\KPDPM.dll
2006-10-06 20:38 307,200 --a------ C:\WINDOWS\system32\KPDPM(2).dll
2006-10-06 20:38 229,376 --a------ C:\WINDOWS\system32\KPDPMUI.dll
2006-10-06 20:38 229,376 --a------ C:\WINDOWS\system32\KPDPMUI(2).dll
2006-10-06 18:13 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2006-10-06 18:13 5,632 --a------ C:\WINDOWS\system32\ptpusb(2).dll
2006-10-06 18:13 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2006-10-06 18:13 159,232 --a------ C:\WINDOWS\system32\ptpusd(2).dll
2006-10-06 07:37 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2006-10-05 18:57 9,341 --a------ C:\WINDOWS\system32\drivers\filedisk.sys
2006-10-05 18:56 41,472 --a------ C:\WINDOWS\system32\iolobtdfg.exe
2006-10-05 18:56 25,264 --a------ C:\WINDOWS\system32\smrgdf.exe
2006-10-05 18:56 1,212,928 --a------ C:\WINDOWS\system32\Incinerator.dll
2006-10-05 18:56 1,212,928 --a------ C:\WINDOWS\system32\Incinerator(2).dll
2006-10-04 14:50 69 --a------ C:\xwjpagn.bat
2006-10-04 14:50 69 --a------ C:\xwjpagn(2).bat
2006-09-28 07:38 7,680 --a------ C:\Documents and Settings\Compaq_Administrator\loadadv559.exe
2006-09-28 07:38 7,680 --a------ C:\Documents and Settings\Compaq_Administrator\loadadv559(2).exe
2006-09-28 07:38 15,872 --a------ C:\Documents and Settings\Compaq_Administrator\NKNC.exe
2006-09-28 07:38 15,872 --a------ C:\Documents and Settings\Compaq_Administrator\NKNC(2).exe
2006-09-25 09:56 32,573 --a------ C:\WINDOWS\system32\adrot-uninst(2).exe
2006-09-25 08:41 1,233 --a------ C:\WINDOWS\system32\fixe5f4d.sys
2006-09-25 08:41 1,233 --a------ C:\WINDOWS\system32\fixe5f4d(2).sys
2006-09-25 07:49 0 --a------ C:\msaove.exe
2006-09-24 08:46 390,000 -r-hs---- C:\WINDOWS\reyqasl.exe
2006-09-24 08:44 7,680 --a------ C:\WINDOWS\system32\loadadv559(2).exe
2006-09-24 08:43 15,360 --a------ C:\WINDOWS\system32\inst.exe
2006-09-24 08:43 15,360 --a------ C:\WINDOWS\system32\inst(2).exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-22 08:35 -------- d-------- C:\Program Files\Windows Defender
2006-10-22 08:30 -------- d-------- C:\Program Files\Internet Explorer
2006-10-22 08:19 -------- d-------- C:\Program Files\Viewpoint
2006-10-22 08:08 -------- d-------- C:\Program Files\Plaxo
2006-10-18 15:07 -------- d-------- C:\Program Files\Common Files
2006-10-17 19:45 -------- d-------- C:\Program Files\Grisoft
2006-10-17 10:57 -------- d-a------ C:\Program Files\Common Files\LightScribe
2006-10-17 10:57 -------- d-------- C:\Program Files\Netscape Internet Service
2006-10-17 10:57 -------- d-------- C:\Program Files\Microsoft IntelliType Pro
2006-10-17 10:57 -------- d-------- C:\Program Files\Messenger
2006-10-17 10:57 -------- d-------- C:\Program Files\Google
2006-10-17 10:57 -------- d-------- C:\Program Files\DISC
2006-10-17 09:31 -------- d-------- C:\Program Files\PSDream
2006-10-17 08:42 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-17 08:42 -------- d-------- C:\Program Files\Panda Software
2006-10-17 04:57 -------- d-------- C:\Program Files\MSXML 4.0
2006-10-15 18:17 -------- d-------- C:\Program Files\Lavasoft
2006-10-15 18:17 -------- d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Lavasoft
2006-10-12 14:16 -------- d-------- C:\Program Files\Windows NT
2006-10-12 14:16 -------- d-------- C:\Program Files\Windows Messaging
2006-10-12 14:16 -------- d-------- C:\Program Files\Windows Media Player
2006-10-12 14:16 -------- d-------- C:\Program Files\Webshots
2006-10-12 14:16 -------- d-------- C:\Program Files\tunebite
2006-10-12 14:16 -------- d-------- C:\Program Files\SWiSHmax
2006-10-12 14:16 -------- d-------- C:\Program Files\ScanSuite
2006-10-12 14:15 -------- d-------- C:\Program Files\QuickTime
2006-10-12 14:15 -------- d-------- C:\Program Files\Quicken
2006-10-12 14:15 -------- d-------- C:\Program Files\PhotoDeluxe 2.0
2006-10-12 14:15 -------- d-------- C:\Program Files\PC-Doctor 5 for Windows
2006-10-12 14:15 -------- d-------- C:\Program Files\Outlook Express
2006-10-12 14:15 -------- d-------- C:\Program Files\Online Services
2006-10-12 14:15 -------- d-------- C:\Program Files\NetMeeting
2006-10-12 14:15 -------- d-------- C:\Program Files\music_now
2006-10-12 14:15 -------- d-------- C:\Program Files\MSN Encarta Standard
2006-10-12 14:15 -------- d-------- C:\Program Files\Movie Maker
2006-10-12 14:15 -------- d-------- C:\Program Files\Microsoft Works
2006-10-12 14:15 -------- d-------- C:\Program Files\Microsoft Office
2006-10-12 14:14 -------- d-------- C:\Program Files\Microsoft Money 2006
2006-10-12 14:14 -------- d-------- C:\Program Files\Micrografx
2006-10-12 14:14 -------- d-------- C:\Program Files\iTunes
2006-10-12 14:14 -------- d-------- C:\Program Files\HP Rhapsody
2006-10-12 14:14 -------- d-------- C:\Program Files\GemMaster
2006-10-12 14:14 -------- d-------- C:\Program Files\EnglishOtto
2006-10-12 14:14 -------- d-------- C:\Program Files\DVD Clone Factory
2006-10-12 14:14 -------- d-------- C:\Program Files\Common Files\System
2006-10-12 14:14 -------- d-------- C:\Program Files\Common Files\SureThing Shared
2006-10-12 14:14 -------- d-------- C:\Program Files\Common Files\Sonic Shared
2006-10-12 14:14 -------- d-------- C:\Program Files\Common Files\Scanner
2006-10-12 14:14 -------- d-------- C:\Program Files\Common Files\Palo Alto Software
2006-10-12 14:13 -------- d-------- C:\Program Files\Common Files\Kaspersky Lab
2006-10-12 14:13 -------- d-------- C:\Program Files\Common Files\Funk Software
2006-10-12 14:13 -------- d-------- C:\Program Files\Common Files\Droppix
2006-10-12 14:13 -------- d-------- C:\Program Files\Common Files\Designer
2006-10-12 14:13 -------- d-------- C:\Program Files\Common Files\aolshare
2006-10-12 14:13 -------- d-------- C:\Program Files\Common Files\AOL
2006-10-12 14:13 -------- d-------- C:\Program Files\AOL
2006-10-12 14:13 -------- d-------- C:\Program Files\AOD
2006-10-12 14:13 -------- d-------- C:\Program Files\Animate Me! 1.4
2006-10-12 14:13 -------- d-------- C:\Program Files\Adobe Type Manager
2006-10-12 10:08 -------- d-------- C:\Program Files\Kaspersky Lab
2006-10-12 03:03 -------- d---s---- C:\Documents and Settings\Compaq_Administrator\Application Data\Microsoft
2006-10-11 00:49 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-10-07 20:59 -------- d-------- C:\Program Files\Symantec Technical Support
2006-10-06 20:23 -------- d-------- C:\Program Files\Kodak
2006-10-06 18:12 -------- d-------- C:\Program Files\Common Files\Kodak
2006-10-06 14:39 1672336 --a------ C:\Program Files\install_easyshare.exe
2006-10-06 14:39 1672336 --a------ C:\Program Files\install_easyshare(2).exe
2006-10-06 14:11 -------- d-------- C:\Program Files\Common Files\Viewpoint
2006-10-06 09:19 -------- d-------- C:\Program Files\STOPzilla!
2006-10-05 18:56 -------- d-------- C:\Program Files\iolo
2006-10-05 15:34 -------- d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Netscape
2006-09-25 17:48 -------- d-------- C:\Program Files\Common Files\iS3
2006-09-24 15:14 0 --a------ C:\Program Files\yvgcq.exe
2006-09-24 12:35 -------- d-------- C:\Program Files\Yahoo!
2006-09-19 21:57 -------- d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\Google
2006-09-19 21:50 14405024 --a------ C:\Program Files\GoogleEarthWin.exe
2006-09-19 21:50 14405024 --a------ C:\Program Files\GoogleEarthWin(2).exe
2006-09-18 07:39 -------- d-------- C:\Program Files\LightScribe
2006-09-14 13:41 -------- d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\HP
2006-09-12 21:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-12 17:51 1245184 --a------ C:\WINDOWS\system32\msxml4.dll
2006-09-09 13:51 17587587 --a------ C:\Program Files\SetupDxLabelMaker5Star.exe
2006-09-09 13:51 17587587 --a------ C:\Program Files\SetupDxLabelMaker5Star(2).exe
2006-09-09 13:44 -------- d-------- C:\Program Files\Droppix
2006-09-07 19:03 -------- d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\tunebite
2006-08-29 16:15 2873048 --a------ C:\Program Files\LS_Update_1.4.109.1_.exe
2006-08-29 16:15 2873048 --a------ C:\Program Files\LS_Update_1.4.109.1_(2).exe
2006-08-29 15:46 5473359 --a------ C:\Program Files\LightScribe Applications 1.0.exe
2006-08-29 15:46 5473359 --a------ C:\Program Files\LightScribe Applications 1.0(2).exe
2006-08-25 07:45 617472 --------- C:\WINDOWS\system32\comctl32.dll
2006-08-21 04:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 01:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 03:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
2006-08-15 12:43 8037624 --a------ C:\Program Files\tunebite.exe
2006-08-15 12:43 8037624 --a------ C:\Program Files\tunebite(2).exe
2006-07-27 05:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-25 12:42 615424 --a------ C:\WINDOWS\system32\urlmon(2).dll
2006-07-24 02:08 4 --ah----- C:\WINDOWS\uccspecb.sys
2006-07-07 21:34 1681072 --a------ C:\Program Files\KODAK EASYSHARE Gallery Upload Software, V2.0.exe
2006-07-07 21:34 1681072 --a------ C:\Program Files\KODAK EASYSHARE Gallery Upload Software, V2.0(2).exe
2006-07-06 14:44 3586063 --a------ C:\Program Files\5star-dcf.exe
2006-07-06 14:44 3586063 --a------ C:\Program Files\5star-dcf(2).exe
2006-07-01 10:32 433496 --a------ C:\Program Files\ExpediaFareAlertSetup.exe
2006-07-01 10:32 433496 --a------ C:\Program Files\ExpediaFareAlertSetup(2).exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Aim6"=""
"PlaxoUpdate"="C:\\Program Files\\Plaxo\\2.11.1.5\\PlaxoHelper.exe -a"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_7 -reboot 1"
"tunebite.exe"="C:\\Program Files\\tunebite\\tunebite.exe -hidden"
"SMSystemAnalyzer"="\"C:\\Program Files\\iolo\\System Mechanic Professional 6\\SMSystemAnalyzer.exe\""
"System Mechanic Popup Blocker"="\"C:\\Program Files\\iolo\\System Mechanic Professional 6\\PopupBlocker.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"AlwaysReady Power Message APP"="ARPWRMSG.EXE"
"DiscUpdateManager"="C:\\Program Files\\DISC\\DiscUpdateMgr.exe"
"DMAScheduler"="c:\\Program Files\\Sonic\\DigitalMedia Plus\\DigitalMedia Archive\\DMAScheduler.exe"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
@=""
"PCDrProfiler"=""
"HPBootOp"="\"C:\\Program Files\\Hewlett-Packard\\HP Boot Optimizer\\HPBootOp.exe\" /run"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1148023627\\ee\\AOLSoftware.exe"
"Samsung LBP SM"="\"C:\\WINDOWS\\Samsung\\LaserSMMgr\\ssmmgr.exe\" /autorun"
"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"SystemGuardAlerter"="SystemGuardAlerter.exe"
"APVXDWIN"="\"C:\\Program Files\\Panda Software\\Panda Antivirus 2007\\APVXDWIN.EXE\" /s"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
@=""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,30,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,df,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,df,03,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"_mzu_stonedrv2"="c:\\windows\\system32\\_mzu_stonedrv2.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"_mzu_stonedrv2"="c:\\windows\\system32\\_mzu_stonedrv2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304BB2238}"="DCOM Server 2238"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: 06-10-23 15:32:02.03
C:\ComboFix.txt ... 06-10-23 15:32
C:\ComboFix2.txt ... 06-10-18 15:19
C:\ComboFix3.txt ... 06-10-18 15:15

#14
Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
There's still some funny business going on here.


Open Notepad, and copy everything in the code box below and paste it into a new notepad file. Change the "Save As Type" to "All Files". Save it as fixme.reg on your Desktop. Make sure there is NO blank line above "REGEDIT4"!

REGEDIT4

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"_mzu_stonedrv2"=-

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"_mzu_stonedrv2"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB2238}"=-
Locate fixme.reg on your Desktop and double-click on it. When it asks if you want to merge with the registry, click YES.



==============


Use Killbox as you did before to delete these files.

C:\WINDOWS\system32\ntos.exe
C:\xwjpagn.bat
C:\xwjpagn(2).bat
C:\Documents and Settings\Compaq_Administrator\loadadv559.exe
C:\Documents and Settings\Compaq_Administrator\loadadv559(2).exe
C:\Documents and Settings\Compaq_Administrator\NKNC.exe
C:\Documents and Settings\Compaq_Administrator\NKNC(2).exe
C:\WINDOWS\system32\adrot-uninst(2).exe
C:\WINDOWS\system32\fixe5f4d.sys
C:\WINDOWS\system32\fixe5f4d(2).sys
C:\msaove.exe
C:\WINDOWS\reyqasl.exe
C:\WINDOWS\system32\loadadv559(2).exe
C:\WINDOWS\system32\inst.exe
C:\WINDOWS\system32\inst(2).exe




=================


Once you've rebooted, delete these folders.

C:\Program Files\PSDream
C:\Program Files\Viewpoint



=================


Now let's get a look at a log that should show us any lingering problems.

Download WinPFind2.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind2 on your desktop.
  • Open the folder and double-click on winpfind2.exe to start the program.
  • Click on the Configuration tab.
  • Keep the standard settings and then in the AddOn-Options box click the checkboxes for
    • HKCU_IEDesktop.def
    • Policies.def
    • SID_Run_Policies.def
    to select them.
  • Under File Options click Select All
  • Please maximize the window in order to be able to view the Status Bar where you can see the progress of the scan.
  • Now click the Run All Scans button on the toolbar.
  • When the scans are complete click the Simple Report button in the lower right-hand corner to create a report file. Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is, click on it to uncheck it and then please post that report into this topic. After posting please check if the whole report fit into the post. If it did fit, it should say <End of Report> at the end. If not, please post the section that was cut off in a second post.

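An added example (my code, not Buckeye_Sam's, ComboFix's or this thread's) of the triage behind the fix above, in Python: it parses the "Reg Loading Points" section of a ComboFix log (a constructed excerpt modelled on the log posted above), flags Run entries under the .default and S-1-5-18 hives and SharedTaskScheduler CLSIDs outside an assumed known-good set made of the two stock Windows entries, and emits the same kind of REGEDIT4 removal file. KNOWN_STS, SYSTEM_HIVES and the function names are my assumptions.

```python
import re
# Constructed excerpt of a ComboFix "Reg Loading Points" section, modelled on this thread's log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"_mzu_stonedrv2"="c:\\windows\\system32\\_mzu_stonedrv2.exe"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"_mzu_stonedrv2"="c:\\windows\\system32\\_mzu_stonedrv2.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304BB2238}"="DCOM Server 2238"
"""
# Assumed known-good set: the two SharedTaskScheduler CLSIDs that ship with Windows XP.
KNOWN_STS = {"{438755C2-A8BA-11D1-B96B-00A0C90312E1}", "{8C7461EF-2B13-11d2-BE35-3078302C2030}"}
# Run keys of the .default and S-1-5-18 (LocalSystem) hives: ordinary software does not register autoruns there.
SYSTEM_HIVES = ("hkey_users\\.default\\", "hkey_users\\s-1-5-18\\")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

def parse_loading_points(text):
    """Return [(key, value_name, value_data)] from the REG-style listing."""
    entries, key = [], None
    for line in map(str.strip, text.splitlines()):
        m = VALUE_RE.match(line)
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                      # new registry key header
        elif key and m:
            name, data = m.groups()
            if data.startswith('"') and data.endswith('"'):   # REG_SZ: unescape \" and \\
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            entries.append((key, name, data))
    return entries

def flag_entries(entries):
    """Apply the two triage rules; return [(key, value_name, reason)]."""
    flagged = []
    for key, name, data in entries:
        k = key.lower()
        if k.endswith("\\currentversion\\run") and k.startswith(SYSTEM_HIVES):
            flagged.append((key, name, "autorun in a system profile hive: " + data))
        elif k.endswith("\\explorer\\sharedtaskscheduler") and name not in KNOWN_STS:
            flagged.append((key, name, "SharedTaskScheduler CLSID outside known set: " + data))
    return flagged

def removal_reg(flagged):
    """Build a REGEDIT4 file deleting each flagged value ("name"=- removes the value)."""
    by_key = {}                                   # dict keeps insertion order (Python 3.7+)
    for key, name, _ in flagged:
        by_key.setdefault(key, []).append(name)
    lines = ["REGEDIT4", ""]                      # REGEDIT4 must be the very first line
    for key, names in by_key.items():
        lines += ["[" + key + "]"] + ['"%s"=-' % n for n in names] + [""]
    return "\r\n".join(lines)                     # .reg files expect CRLF line endings
```

Running `removal_reg(flag_entries(parse_loading_points(SAMPLE_LOG)))` on the sample reproduces the three deletions in the fixme.reg above; write the result with the .reg extension (not .reg.txt) or Explorer will open it in Notepad instead of offering to merge it.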

#15
lnijjar

    Member

  • Topic Starter
  • Member
  • 108 posts
Can't get the prompt to merge the fixme.reg with the registry. When I double-click on it, it just opens? I'll continue on with the other processes - the WinPFind2.exe - until I hear back :whistling:

Edited by lnijjar, 24 October 2006 - 10:02 AM.






