Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

888bar removal


  • Please log in to reply

#1
Socaflex

Socaflex

    Member

  • Member
  • PipPip
  • 38 posts
pc running slow here is my log




Logfile of HijackThis v1.99.1
Scan saved at 3:12:19 PM, on 12/5/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\1126565435\ee\services\sscFirewallPlugin\ver1_205_1_1\aolavupd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\VTTimer.exe
C:\Program Files\Common Files\AOL\1126565435\ee\AOLSoftware.exe
C:\WINDOWS\System32\nordsys.exe
c:\program files\common files\aol\1126565435\ee\aolssc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\cmdoxuwd.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
C:\Documents and Settings\Errol\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.live.com/...=true&mkt=en-us
R3 - URLSearchHook: (no name) - {367CF7DA-186F-46C7-4096-44918FA28BCF} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSL encrypt - {0B6899B6-1564-43e0-BD93-F7CF930A5E5C} - C:\WINDOWS\System32\nsr6D.dll
O2 - BHO: RunBus Class - {4865F155-CE00-4E93-A414-147844D7C81A} - C:\WINDOWS\System32\tcblrben.dll (file missing)
O2 - BHO: (no name) - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - (no file)
O2 - BHO: SelasI Class - {59F4F380-01A0-4083-9FA4-E3B827319F7E} - C:\WINDOWS\System32\vcbhyhpt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: ComCap - {E1B2E864-8BFC-4072-AE11-924E0F8BBA96} - C:\WINDOWS\System32\comcap16.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1126565435\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1126565435\ee\services\sscFirewallPlugin\ver1_205_1_1\SSCRun.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [Nord] C:\WINDOWS\System32\nordsys.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [mlibsysmc] cmdoxuwd.exe
O4 - HKLM\..\RunServices: [SystemTools32] C:\WINDOWS\System32\inet.exe
O4 - HKLM\..\RunServices: [mlibsysmc] cmdoxuwd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ItalU] C:\WINDOWS\System32\italfds.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [Nord] C:\WINDOWS\System32\nordsys.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe
O4 - HKCU\..\Run: [imwinsrvc] C:\WINDOWS\system32\acpmonsrv.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - http://kl.bar.need2f...earch.html?p=KL
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CS1\Services\Tcpip\..\{010551BC-8008-48E6-BF95-9753F9AFF6C9}: NameServer = 205.188.146.145
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common Files\AOL\1126565435\ee\services\sscFirewallPlugin\ver1_205_1_1\aolavupd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

Advertisements


#2
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
Please run a scan with HijackThis and check the following lines for removal:

R3 - URLSearchHook: (no name) - {367CF7DA-186F-46C7-4096-44918FA28BCF} - (no file)

O2 - BHO: SSL encrypt - {0B6899B6-1564-43e0-BD93-F7CF930A5E5C} - C:\WINDOWS\System32\nsr6D.dll
O2 - BHO: RunBus Class - {4865F155-CE00-4E93-A414-147844D7C81A} - C:\WINDOWS\System32\tcblrben.dll (file missing)
O2 - BHO: (no name) - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - (no file)
O2 - BHO: SelasI Class - {59F4F380-01A0-4083-9FA4-E3B827319F7E} - C:\WINDOWS\System32\vcbhyhpt.dll
O4 - HKLM\..\Run: [Nord] C:\WINDOWS\System32\nordsys.exe
O4 - HKLM\..\Run: [mlibsysmc] cmdoxuwd.exe
O4 - HKLM\..\RunServices: [SystemTools32] C:\WINDOWS\System32\inet.exe
O4 - HKLM\..\RunServices: [mlibsysmc] cmdoxuwd.exe
O4 - HKCU\..\Run: [ItalU] C:\WINDOWS\System32\italfds.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [Nord] C:\WINDOWS\System32\nordsys.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe
O4 - HKCU\..\Run: [imwinsrvc] C:\WINDOWS\system32\acpmonsrv.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2f...earch.html?p=KL
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file)



Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.


Run killbox
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\System32\cmdoxuwd.exe
    C:\WINDOWS\System32\nordsys.exe
    C:\WINDOWS\System32\inet.exe
    C:\WINDOWS\System32\taskdir.exe

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.


If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


After the reboot


Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply with a new hijack log.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  • 0

#3
Socaflex

Socaflex

    Member

  • Topic Starter
  • Member
  • PipPip
  • 38 posts
this is the high jack log and i did get the error at the end




Logfile of HijackThis v1.99.1
Scan saved at 4:30:23 PM, on 12/5/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\1126565435\ee\services\sscFirewallPlugin\ver1_205_1_1\aolavupd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\VTTimer.exe
C:\Program Files\Common Files\AOL\1126565435\ee\AOLSoftware.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AIM95\aim.exe
c:\program files\common files\aol\1126565435\ee\aolssc.exe
C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\System32\msiexec.exe
C:\Documents and Settings\Errol\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: ComCap - {E1B2E864-8BFC-4072-AE11-924E0F8BBA96} - C:\WINDOWS\System32\comcap16.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1126565435\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1126565435\ee\services\sscFirewallPlugin\ver1_205_1_1\SSCRun.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [mlibsysmc] cmdoxuwd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CS1\Services\Tcpip\..\{010551BC-8008-48E6-BF95-9753F9AFF6C9}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common Files\AOL\1126565435\ee\services\sscFirewallPlugin\ver1_205_1_1\aolavupd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe




this is the combofix
ComboFix 06.12.01W - Running from: "C:\Documents and Settings\Errol\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Errol\Application Data\Install.dat
C:\WINDOWS\whCC-GIANT.exe
C:\WINDOWS\system32\icon_mediamotor.exe
C:\WINDOWS\system32\ts_mediamotor.exe
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\system32\aamd532.dll
C:\WINDOWS\emdat.tm
C:\WINDOWS\emdat.tmp
C:\WINDOWS\system32\w.exe
C:\WINDOWS\system32\1.txt
C:\WINDOWS\system32\2.txt
C:\Documents and Settings\All Users\Documents\Settings
C:\Program Files\Cowabanga
C:\Program Files\Inetget2
C:\Program Files\Common Files\{3C1766C9-07CF-1033-0103-050910040001}
C:\Program Files\Common Files\{BC1766C9-07CF-1033-0103-050910040001}


((((((((((((((((((((((((((((((( Files Created from 2006-11-05 to 2006-12-05 ))))))))))))))))))))))))))))))))))


2006-12-05 16:10 <DIR> d-------- C:\!KillBox
2006-12-04 22:29 <DIR> d-------- C:\WINDOWS\SoftwareDistribution
2006-12-04 22:27 420,632 --a------ C:\WINDOWS\system32\wuapi.dll
2006-12-04 22:27 39,704 --a------ C:\WINDOWS\system32\wups.dll
2006-12-04 22:27 186,136 --a------ C:\WINDOWS\system32\wuaueng1.dll
2006-12-04 22:27 167,704 --a------ C:\WINDOWS\system32\wuauclt1.exe
2006-12-04 22:27 120,288 --a------ C:\WINDOWS\system32\wuweb.dll
2006-12-04 22:27 118,552 --a------ C:\WINDOWS\system32\wucltui.dll
2006-12-04 22:20 310,272 --a------ C:\WINDOWS\system32\winhttp.dll
2006-12-04 22:19 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-12-04 16:30 75,235 --a------ C:\WINDOWS\kmvulmx.exe
2006-12-04 16:06 6,199 --a------ C:\Documents and Settings\Errol\IheG8m3.exe
2006-12-04 16:00 75,257 --a------ C:\WINDOWS\kmprojv.exe
2006-12-04 15:59 6,199 --a------ C:\Documents and Settings\Errol\F260p6E.exe
2006-12-04 15:52 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-12-04 15:52 21,760 --a------ C:\WINDOWS\system32\drivers\USBSTOR.SYS
2006-12-04 15:52 <DIR> d-------- C:\Program Files\Grisoft
2006-12-04 15:05 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2006-12-04 15:05 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2006-11-29 22:45 6,199 --a------ C:\Documents and Settings\Errol\lG8b260.exe
2006-11-29 21:55 6,199 --a------ C:\Documents and Settings\Errol\BW6bfJ4.exe
2006-11-29 21:51 6,199 --a------ C:\Documents and Settings\Errol\uqub8A7.exe
2006-11-29 21:43 56,320 --a------ C:\WINDOWS\system32\zkhxyef.dll
2006-11-29 21:41 6,199 --a------ C:\Documents and Settings\Errol\dm7Dg18.exe
2006-11-28 21:41 6,199 --a------ C:\WINDOWS\system32\se.exe.exe
2006-11-28 21:41 54,327 --a------ C:\WINDOWS\system32\google.png.exe
2006-11-28 21:41 46,592 --a------ C:\WINDOWS\system32\zlbw.dll
2006-11-28 21:41 16,896 --a------ C:\WINDOWS\system32\vxga4me1.exe
2006-11-28 21:41 15,927 --a------ C:\WINDOWS\system32\w.exe.exe
2006-11-28 21:41 128,567 --a------ C:\WINDOWS\system32\ss.exe.exe
2006-11-28 21:40 94,720 --a------ C:\WINDOWS\system32\vznmdgm.dll
2006-11-28 21:40 8,215 --a------ C:\WINDOWS\system32\kernels88.exe
2006-11-28 21:40 8,215 --a------ C:\syst.exe
2006-11-28 21:40 71,168 --a------ C:\WINDOWS\system32\yohnjdc.dll
2006-11-28 21:40 7,597 --a------ C:\WINDOWS\system32\dlh9jkd1q7.exe
2006-11-28 21:40 7,085 --a------ C:\WINDOWS\system32\dlh9jkd1q6.exe
2006-11-28 21:40 6,688 --a------ C:\WINDOWS\system32\qvx5gamet2.exe
2006-11-28 21:40 29,271 --a------ C:\WINDOWS\system32\vxga4m1et4.exe
2006-11-28 21:40 29,271 --a------ C:\WINDOWS\system32\spoolsvv.exe
2006-11-28 21:40 26,912 --a------ C:\exe.exe
2006-11-28 21:40 18,861 --a------ C:\WINDOWS\system32\dlh9jkd1q2.exe
2006-11-28 21:40 17,920 --a------ C:\WINDOWS\system32\tccpip.exe
2006-11-28 21:40 17 --a------ C:\WINDOWS\system32\dlh9jkd1q8.exe
2006-11-19 14:54 69 --a-s---- C:\WINDOWS\test.bat
2006-11-19 01:28 310,482 --a------ C:\tskmgr.exe
2006-11-19 01:28 <DIR> d-------- C:\Program Files\ądobe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-05 16:27 -------- d-------- C:\Program Files\Common Files
2006-12-04 22:28 -------- d--h----- C:\Program Files\WindowsUpdate
2006-12-04 16:28 -------- d-------- C:\Program Files\QuickTime
2006-11-29 22:38 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-29 22:38 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-11-29 21:43 -------- d---s---- C:\Documents and Settings\Errol\Application Data\Microsoft
2006-11-28 20:41 45056 --a------ C:\command.exe
2006-11-28 20:40 -------- d-------- C:\Program Files\ądobe
2006-10-14 18:48 -------- d-------- C:\Documents and Settings\Errol\Application Data\HP
2006-10-14 18:41 -------- d-------- C:\Program Files\Common Files\Sonic Shared
2006-10-14 18:40 -------- d-------- C:\Program Files\Common Files\HP
2006-10-14 18:38 -------- d-------- C:\Program Files\Hewlett-Packard
2006-10-14 18:36 -------- d-------- C:\Program Files\HP
2006-10-09 21:16 36864 --a------ C:\WINDOWS\system32\slimmhad.exe
2006-10-09 21:16 118784 --a------ C:\WINDOWS\system32\Netverchk.exe
2006-09-29 22:12 17250 --a------ C:\WINDOWS\popupwithcast.exe
2006-09-29 22:11 17249 --a------ C:\WINDOWS\snaper.exe
2006-09-28 05:16 59904 --a------ C:\WINDOWS\system32\comcap16.dll
2006-09-15 16:47 36864 --a------ C:\WINDOWS\system32\vismgxhd.exe
2006-09-15 16:47 118784 --a------ C:\WINDOWS\system32\italfds.exe
2006-09-15 16:46 24576 --a------ C:\WINDOWS\system32\msxml3a.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"AIM"="C:\\Program Files\\AIM95\\aim.exe -cnetwait.odl"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"VTTrayp"="VTtrayp.exe"
"VTTimer"="VTTimer.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1126565435\\ee\\AOLSoftware.exe"
"sscRun"="C:\\Program Files\\Common Files\\AOL\\1126565435\\ee\\services\\sscFirewallPlugin\\ver1_205_1_1\\SSCRun.exe"
"OASClnt"="C:\\Program Files\\mcafee.com\\antivirus\\oasclnt.exe"
"EmailScan"="C:\\Program Files\\mcafee.com\\antivirus\\mcvsescn.exe"
"MPFExe"="C:\\Program Files\\mcafee.com\\personal firewall\\MPfTray.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"mlibsysmc"="cmdoxuwd.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Wallpaper"="C:\\WINDOWS\\desktop.html"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgas"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BraveSentry]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BraveSentry"
"hkey"="HKCU"
"command"="C:\\Program Files\\BraveSentry\\BraveSentry.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Chckup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Netverchk"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\Netverchk.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iepp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wowexec"
"hkey"="HKCU"
"command"="\"C:\\PROGRA~1\\DOBE~1\\wowexec.exe\" -vt ndrv"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Key]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="228"
"hkey"="HKCU"
"command"="C:\\DOCUME~1\\Errol\\LOCALS~1\\Temp\\228.tmp"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mlibsysmc]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cmdoxuwd"
"hkey"="HKLM"
"command"="cmdoxuwd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SemanticInsight]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SemanticInsight"
"hkey"="HKLM"
"command"="C:\\Program Files\\RXToolBar\\Semantic Insight\\SemanticInsight.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="testtestt"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\testtestt.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System64]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="inet"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\inet.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

Completion time: 06-12-05 16:27:55.87
C:\ComboFix.txt ... 06-12-05 16:27
  • 0

#4
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
:whistling: Hi again


Please save these directions to notepad, You will need to copy and paste from safemode

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop

Download this attached zip folder [attachment=12044:attachment] Extract the contents to your desktop

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
Run Smitfraud Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Clean out your Temporary Internet files. Proceed as follows:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.

Please double click and run the reg.bat you placed on your desktop earlier. It will only take a second.

Run killbox
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\kmvulmx.exe
    C:\Documents and Settings\Errol\IheG8m3.exe
    C:\WINDOWS\kmprojv.exe
    C:\Documents and Settings\Errol\F260p6E.exe
    C:\Documents and Settings\Errol\lG8b260.exe
    C:\Documents and Settings\Errol\BW6bfJ4.exe
    C:\Documents and Settings\Errol\uqub8A7.exe
    C:\WINDOWS\system32\zkhxyef.dll
    C:\Documents and Settings\Errol\dm7Dg18.exe
    C:\WINDOWS\system32\se.exe.exe
    C:\WINDOWS\system32\google.png.exe
    C:\WINDOWS\system32\zlbw.dll
    C:\WINDOWS\system32\vxga4me1.exe
    C:\WINDOWS\system32\w.exe.exe
    C:\WINDOWS\system32\ss.exe.exe
    C:\WINDOWS\system32\vznmdgm.dll
    C:\WINDOWS\system32\kernels88.exe
    C:\syst.exe
    C:\WINDOWS\system32\yohnjdc.dll
    C:\WINDOWS\system32\dlh9jkd1q7.exe
    C:\WINDOWS\system32\dlh9jkd1q6.exe
    C:\WINDOWS\system32\qvx5gamet2.exe
    C:\WINDOWS\system32\vxga4m1et4.exe
    C:\WINDOWS\system32\spoolsvv.exe
    C:\exe.exe
    C:\WINDOWS\system32\dlh9jkd1q2.exe
    C:\WINDOWS\system32\tccpip.exe
    C:\WINDOWS\system32\dlh9jkd1q8.exe
    C:\WINDOWS\test.bat
    C:\tskmgr.exe
    C:\WINDOWS\System32\comcap16.dll
    C:\WINDOWS\popupwithcast.exe
    C:\command.exe
    C:\WINDOWS\snaper.exe
    C:\WINDOWS\system32\vismgxhd.exe
    C:\WINDOWS\system32\italfds.exe



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


Back in normal windows, Please post a new combofix log and a new Hijack log :blink:
  • 0

#5
Socaflex

Socaflex

    Member

  • Topic Starter
  • Member
  • PipPip
  • 38 posts
wow thanks this works like a beauty here are my logs




ComboFix 06.12.01W - Running from: "C:\Documents and Settings\Errol\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-11-05 to 2006-12-05 ))))))))))))))))))))))))))))))))))


2006-12-05 17:59 2,534 --a------ C:\WINDOWS\system32\tmp.reg
2006-12-05 17:56 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2006-12-05 17:56 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-12-05 17:56 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2006-12-05 17:56 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-12-05 17:56 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-12-05 17:56 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-12-05 16:28 <DIR> d-------- C:\WINDOWS\temp
2006-12-05 16:10 <DIR> d-------- C:\!KillBox
2006-12-04 22:29 <DIR> d-------- C:\WINDOWS\SoftwareDistribution
2006-12-04 22:27 420,632 --a------ C:\WINDOWS\system32\wuapi.dll
2006-12-04 22:27 39,704 --a------ C:\WINDOWS\system32\wups.dll
2006-12-04 22:27 186,136 --a------ C:\WINDOWS\system32\wuaueng1.dll
2006-12-04 22:27 167,704 --a------ C:\WINDOWS\system32\wuauclt1.exe
2006-12-04 22:27 120,288 --a------ C:\WINDOWS\system32\wuweb.dll
2006-12-04 22:27 118,552 --a------ C:\WINDOWS\system32\wucltui.dll
2006-12-04 22:20 310,272 --a------ C:\WINDOWS\system32\winhttp.dll
2006-12-04 22:19 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-12-04 15:52 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-12-04 15:52 21,760 --a------ C:\WINDOWS\system32\drivers\USBSTOR.SYS
2006-12-04 15:52 <DIR> d-------- C:\Program Files\Grisoft
2006-12-04 15:05 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2006-12-04 15:05 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2006-11-19 01:28 <DIR> d-------- C:\Program Files\ądobe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-05 16:27 -------- d-------- C:\Program Files\Common Files
2006-12-04 22:28 -------- d--h----- C:\Program Files\WindowsUpdate
2006-12-04 16:28 -------- d-------- C:\Program Files\QuickTime
2006-11-29 22:38 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-29 22:38 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-11-29 21:43 -------- d---s---- C:\Documents and Settings\Errol\Application Data\Microsoft
2006-11-28 20:40 -------- d-------- C:\Program Files\ądobe
2006-10-14 18:48 -------- d-------- C:\Documents and Settings\Errol\Application Data\HP
2006-10-14 18:41 -------- d-------- C:\Program Files\Common Files\Sonic Shared
2006-10-14 18:40 -------- d-------- C:\Program Files\Common Files\HP
2006-10-14 18:38 -------- d-------- C:\Program Files\Hewlett-Packard
2006-10-14 18:36 -------- d-------- C:\Program Files\HP
2006-10-09 21:16 36864 --a------ C:\WINDOWS\system32\slimmhad.exe
2006-10-09 21:16 118784 --a------ C:\WINDOWS\system32\Netverchk.exe
2006-09-15 16:46 24576 --a------ C:\WINDOWS\system32\msxml3a.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"AIM"="C:\\Program Files\\AIM95\\aim.exe -cnetwait.odl"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"VTTrayp"="VTtrayp.exe"
"VTTimer"="VTTimer.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1126565435\\ee\\AOLSoftware.exe"
"sscRun"="C:\\Program Files\\Common Files\\AOL\\1126565435\\ee\\services\\sscFirewallPlugin\\ver1_205_1_1\\SSCRun.exe"
"OASClnt"="C:\\Program Files\\mcafee.com\\antivirus\\oasclnt.exe"
"EmailScan"="C:\\Program Files\\mcafee.com\\antivirus\\mcvsescn.exe"
"MPFExe"="C:\\Program Files\\mcafee.com\\personal firewall\\MPfTray.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"mlibsysmc"="cmdoxuwd.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgas"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="testtestt"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\testtestt.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System64]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="inet"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\inet.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

Completion time: 06-12-05 18:29:04.59
C:\ComboFix.txt ... 06-12-05 18:29
C:\ComboFix2.txt ... 06-12-05 16:30




hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 6:34:52 PM, on 12/5/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\1126565435\ee\services\sscFirewallPlugin\ver1_205_1_1\aolavupd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\VTTimer.exe
C:\Program Files\Common Files\AOL\1126565435\ee\AOLSoftware.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
c:\program files\common files\aol\1126565435\ee\aolssc.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Documents and Settings\Errol\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: ComCap - {E1B2E864-8BFC-4072-AE11-924E0F8BBA96} - C:\WINDOWS\System32\comcap16.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1126565435\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1126565435\ee\services\sscFirewallPlugin\ver1_205_1_1\SSCRun.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [mlibsysmc] cmdoxuwd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CS1\Services\Tcpip\..\{010551BC-8008-48E6-BF95-9753F9AFF6C9}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common Files\AOL\1126565435\ee\services\sscFirewallPlugin\ver1_205_1_1\aolavupd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#6
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Almost there. How is it running??

Please run a scan with HijackThis and check the following lines for removal:

O2 - BHO: ComCap - {E1B2E864-8BFC-4072-AE11-924E0F8BBA96} - C:\WINDOWS\System32\comcap16.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

O4 - HKLM\..\RunServices: [mlibsysmc] cmdoxuwd.exe



Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new hijackthis log.

  • 0

#7
Socaflex

Socaflex

    Member

  • Topic Starter
  • Member
  • PipPip
  • 38 posts
pc is running much better thanks here are my logs

Logfile of HijackThis v1.99.1
Scan saved at 9:24:36 AM, on 12/6/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\1126565435\ee\services\sscFirewallPlugin\ver1_205_1_1\aolavupd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\VTTimer.exe
C:\Program Files\Common Files\AOL\1126565435\ee\AOLSoftware.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\VIA\RAID\raid_tool.exe
c:\program files\common files\aol\1126565435\ee\aolssc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Errol\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1126565435\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1126565435\ee\services\sscFirewallPlugin\ver1_205_1_1\SSCRun.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CS1\Services\Tcpip\..\{010551BC-8008-48E6-BF95-9753F9AFF6C9}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common Files\AOL\1126565435\ee\services\sscFirewallPlugin\ver1_205_1_1\aolavupd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



panda report



Incident Status Location

Virus:trj/abwiz.a Disinfected Operating system
Adware:adware/adsmart Not disinfected c:\windows\system32\vx.tll
Potentially unwanted tool:application/bestoffer Not disinfected c:\windows\smdat32a.sys
Potentially unwanted tool:application/need2find Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\uninstall\Need2FindBar Uninstall
Potentially unwanted tool:application/altnet Not disinfected hkey_local_machine\software\classes\typelib\{676F6D1D-C559-42A9-860B-27C1477B7179}
Spyware:spyware/media-motor Not disinfected Windows Registry
Potentially unwanted tool:application/myway Not disinfected hkey_classes_root\clsid\{014DA6C9-189F-421a-88CD-07CFE51CFF10}
Adware:adware/sqwire Not disinfected Windows Registry
Adware:adware/adrotator Not disinfected Windows Registry
Adware:adware/rxtoolbar Not disinfected Windows Registry
Virus:Trj/Gagar.BL Disinfected C:\!KillBox\BW6bfJ4.exe
Adware:Adware/ATNetwork Not disinfected C:\!KillBox\comcap16.dll
Adware:Adware/WinAntivirus2006 Not disinfected C:\!KillBox\command.exe
Adware:Adware/BraveSentry Not disinfected C:\!KillBox\dlh9jkd1q2.exe
Virus:Trj/Downloader.LOM Disinfected C:\!KillBox\dlh9jkd1q6.exe
Virus:Trj/Downloader.LOM Disinfected C:\!KillBox\dlh9jkd1q7.exe
Virus:Trj/Gagar.BL Disinfected C:\!KillBox\dm7Dg18.exe
Virus:W32/Nuwar.A.worm Disinfected C:\!KillBox\exe.exe
Virus:Trj/Gagar.BL Disinfected C:\!KillBox\F260p6E.exe
Virus:Trj/Lager.CY Disinfected C:\!KillBox\google.png.exe
Virus:Trj/Gagar.BL Disinfected C:\!KillBox\IheG8m3.exe
Virus:Trj/Downloader.LOM Disinfected C:\!KillBox\inet.exe
Virus:W32/Sdbot.IXT.worm Disinfected C:\!KillBox\kmprojv.exe
Possible Virus. Not disinfected C:\!KillBox\kmvulmx.exe
Virus:Trj/Gagar.BL Disinfected C:\!KillBox\lG8b260.exe
Virus:W32/Nuwar.A.worm Disinfected C:\!KillBox\nordsys.exe
Virus:Trj/Downloader.LOM Disinfected C:\!KillBox\qvx5gamet2.exe
Virus:Trj/Spammer.H Disinfected C:\!KillBox\spoolsvv.exe
Virus:W32/Banwarum.H.worm Disinfected C:\!KillBox\ss.exe.exe
Virus:Trj/Gagar.BL Disinfected C:\!KillBox\uqub8A7.exe
Virus:Trj/Spammer.H Disinfected C:\!KillBox\vxga4m1et4.exe
Virus:W32/Nuwar.A.worm Disinfected C:\!KillBox\w.exe.exe
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Errol\Cookies\[email protected][1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Errol\Cookies\[email protected][1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Errol\Cookies\[email protected][1].txt
Adware:Adware/Mytoolbar Not disinfected C:\Documents and Settings\Errol\Desktop\backups\backup-20061204-151748-539.dll
Possible Virus. Not disinfected C:\Program Files\?dobe\wowexec.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
  • 0

#8
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi socaflex

Please do this

apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection.
Click here: http://www.microsoft...;DisplayLang=en
Apply the update, reboot, and post a fresh Hijack This log.
  • 0

#9
Socaflex

Socaflex

    Member

  • Topic Starter
  • Member
  • PipPip
  • 38 posts
these are the logs got service pack 2 instead




Logfile of HijackThis v1.99.1
Scan saved at 08:34, on 06-12-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\1126565435\ee\services\sscFirewallPlugin\ver1_205_1_1\aolavupd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\AOL\1126565435\ee\AOLSoftware.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\system32\wuauclt.exe
c:\program files\common files\aol\1126565435\ee\aolssc.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Documents and Settings\Errol\Desktop\HijackThis.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\System32\msiexec.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1126565435\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1126565435\ee\services\sscFirewallPlugin\ver1_205_1_1\SSCRun.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CS1\Services\Tcpip\..\{010551BC-8008-48E6-BF95-9753F9AFF6C9}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common Files\AOL\1126565435\ee\services\sscFirewallPlugin\ver1_205_1_1\aolavupd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#10
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Great, almost got it

Run killbox using the above directions for the two lines below

c:\windows\system32\vx.tll
c:\windows\smdat32a.sys



After the reboot, delete this folder C:\Killbox

Please open Notepad, and copy/paste the code in the white box below into a new text file. Save it as "prog.bat" WITH THE QUOTES and save it on your Desktop.

dir /x "c:\Program files" >> prog.txt
start prog.txt

Double click the prog.bat we created earlier, notepad will open with some txt in it . Please post it for me
  • 0

#11
Socaflex

Socaflex

    Member

  • Topic Starter
  • Member
  • PipPip
  • 38 posts
ok kewl running good here is what u requested



Volume in drive C has no label.
Volume Serial Number is BC17-66C9

Directory of c:\Program files

06-12-10 17:39 <DIR> .
06-12-10 17:39 <DIR> ..
05-05-18 17:50 <DIR> Adobe
06-12-07 12:35 <DIR> AIM95
06-12-06 09:05 <DIR> AMERIC~2.0 America Online 9.0
05-09-12 17:49 <DIR> AOD
06-12-07 14:51 <DIR> AOL
06-12-06 09:06 <DIR> AOLCOM~1 AOL Companion
05-09-12 17:49 <DIR> AOLTOO~1 AOL Toolbar
06-12-07 15:48 <DIR> COMMON~1 Common Files
05-05-04 10:08 <DIR> COMPLU~1 ComPlus Applications
05-05-04 10:43 <DIR> directx
06-12-04 15:52 <DIR> Grisoft
06-10-14 18:38 <DIR> HEWLET~1 Hewlett-Packard
06-10-14 18:36 <DIR> HP
06-12-07 15:57 <DIR> INTERN~1 Internet Explorer
06-12-07 16:00 <DIR> MESSEN~1 Messenger
05-05-04 10:38 <DIR> MICROS~4 Microsoft ActiveSync
05-05-04 10:11 <DIR> MICROS~1 microsoft frontpage
05-05-04 10:37 <DIR> MICROS~2 Microsoft Office
05-05-04 10:38 <DIR> MICROS~3 Microsoft Visual Studio
06-12-06 15:04 <DIR> MOVIEM~1 Movie Maker
05-05-16 16:26 <DIR> MSN
05-05-16 22:34 <DIR> MSNAPP~1 MSN Apps
05-05-04 10:07 <DIR> MSNGAM~1 MSN Gaming Zone
06-12-06 09:13 <DIR> MSNMES~1 MSN Messenger
06-12-06 13:34 <DIR> MSXML4~1.0 MSXML 4.0
06-04-01 20:42 <DIR> Napster
06-12-06 14:59 <DIR> NETMEE~1 NetMeeting
05-05-04 10:10 <DIR> ONLINE~1 Online Services
06-12-07 15:57 <DIR> OUTLOO~1 Outlook Express
05-08-18 17:59 <DIR> PURENE~1 Pure Networks
06-12-04 16:28 <DIR> QUICKT~1 QuickTime
05-05-15 16:52 <DIR> Real
05-05-04 10:43 <DIR> Roxio
05-05-04 10:24 <DIR> S3
06-12-07 14:37 <DIR> VIA
06-12-07 16:00 <DIR> WINDOW~3 Windows Media Player
06-12-06 14:59 <DIR> WINDOW~1 Windows NT
06-05-06 17:38 <DIR> WinMX
05-05-04 10:11 <DIR> xerox
06-12-07 14:35 <DIR> Yahoo!
06-11-28 20:40 <DIR> DOBE~1 ądobe
0 File(s) 0 bytes
43 Dir(s) 31,293,636,608 bytes free



highjack log


Logfile of HijackThis v1.99.1
Scan saved at 17:42, on 06-12-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\AOL\1126565435\ee\AOLSoftware.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Errol\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1126565435\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CS1\Services\Tcpip\..\{010551BC-8008-48E6-BF95-9753F9AFF6C9}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
  • 0

#12
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi and sorry for the delay, been under the weather

Please open Notepad, and copy/paste the code in the white box below into a new text file. Save it as "delete.bat" WITH THE QUOTES and save it on your Desktop.

attrib -s -r -h "C:\Program Files\DOBE~1\*.*"
rd /q /s "C:\Program Files\DOBE~1"
quit

after saving as instructed above, please close notepad. You will now have a file on your desktop called delete.bat. Please double click it to run it

How is everything running?
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP