Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Malware, probably a few ones

Started by lalex81 , Apr 21 2007 11:34 PM

  • Please log in to reply

#1
lalex81
Posted 21 April 2007 - 11:34 PM

lalex81

    Member

  • Member
  • PipPip
  • 46 posts
It doesn't let me use "Task Manager". Firefox starts by itself with Windows, and pop ups from Internet Explorer appear while I'm using firefox.


Logfile of HijackThis v1.99.1
Scan saved at 3:31:09 PM, on 22/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\Antivirus\hj\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qau10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: Protection Bar - {8aed5df3-6e0b-4930-b1a5-f8aa8d757497} - C:\Program Files\VideoCompressionCodec\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\HbTools\Bin\4.7.7.0\HbtWeatherOnTray.exe
O4 - HKLM\..\Run: [HbTools] C:\Program Files\HbTools\Bin\4.7.7.0\HbtOEAddOn.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [RunOnce1Upd] "C:\Program Files\Mozilla Firefox\firefox.exe"
O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\llfonrvm.dll",setvm
O4 - HKLM\..\Run: [pas_check] C:\Program Files\SystemDoctor 2006 Free\pasmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Alex\program files\Ares\chatServer.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\Owner\Desktop\Antivirus\cwshredder.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
  • 0

Advertisements

#2
handhfan
Posted 03 May 2007 - 02:59 PM

handhfan

    Trusted Helper

  • Expert
  • 13,659 posts
Hello, lalex81, and welcome to Geeks To Go. :whistling: Sorry about the delay, it's been pretty busy around here.

Let's start out with some general scans and see if we can't clean things up a little.

1. Please run an on-line virus scan at Kaspersky OnLine Scan or if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

2. After that, I will need to see two different logs from HiJackThis. The first is the normal log like you posted here. To get the other one, follow these directions.

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Post back with those logs and we can continue from there.

If you have received help elsewhere or no longer need our assistance, please let us know.
  • 0

#3
lalex81
Posted 04 May 2007 - 11:49 PM

lalex81

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Normal one:

Logfile of HijackThis v1.99.1
Scan saved at 3:47:16 PM, on 5/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Documents and Settings\Owner\Desktop\Antivirus\hj\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qau10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {26FAFD75-1005-41F6-978D-178C00165C0B} - (no file)
O2 - BHO: (no name) - {68D7E82D-C296-4330-805F-2A9A5492CFDc} - C:\WINDOWS\system32\jyffrdsf.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A541C874-2343-4FAE-A390-15F311A784D7} - (no file)
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\


Other type:

µTorrent
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Photoshop 7.0
Adobe Reader 6.0
Adobe® Photoshop® Album Starter Edition 3.0
Agere Systems PCI Soft Modem
Apple Software Update
ArcSoft PhotoStudio 5.5
Ares 2.0.8
AVG Free Edition
Blackhawk Striker from Compaq (remove only)
Blasterball 2 from Compaq (remove only)
Bounce Symphony from Compaq (remove only)
Canon Camera Support Core Library
Canon Camera Window DS for ZoomBrowser EX
Canon Camera Window DVC for ZoomBrowser EX
Canon Camera Window for ZoomBrowser EX
Canon EOS Kiss_N REBEL_XT 350D WIA Driver
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities Digital Photo Professional 1.6.1
Canon Utilities EOS Capture 1.3
Canon Utilities PhotoStitch 3.1
Canon ZoomBrowser EX
Colin McRae Rally
Colin McRae Rally 2
Compaq Connections
Creative PC-CAM 350 Manual (English)
Creative PC-CAM Center
Creative WebCam Monitor
DAEMON Tools
D-Link DSL-302G USB Driver
EA SPORTS online 2005
Easy Internet Sign-up
Excavation from Compaq (remove only)
FIFA 2005
Five Card Frenzy from Compaq (remove only)
FLAC Installer 1.1.2a (remove only)
Ford Racing
Google Earth
GT Interactive - Driver
HijackThis 1.99.1
HP Deskjet Preloaded Printer Drivers
HP Image Zone 3.5
HP Photo & Imaging 3.5 - HP Devices
HP PSC & OfficeJet 3.5
HP Software Update
InterVideo WinDVD Creator 2
InterVideo WinDVD Player
iPod for Windows 2005-03-23
iPod for Windows 2006-03-23
iTunes
iTunes Art Importer
J2SE Runtime Environment 5.0 Update 7
KBD
Macromedia Flash Player 8
Macromedia Shockwave Player
Memories Disc Creator 2.0
Messenger Plus! 3
Microsoft .NET Framework 1.1
Microsoft Age of Empires II
Microsoft Encarta Encyclopedia Standard - WE 2004
Microsoft Office XP Professional con FrontPage
Microsoft Picture It! Photo Standard 9
Microsoft Works 2004 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
Momento v2-1-5
Mozilla Firefox (2.0.0.3)
MP3 Splitter & Joiner
MSXML 4.0 SP2 (KB927978)
Multimedia Card Reader
MUSICMATCH® Jukebox
Need for Speed Underground 2
Nero 6 Ultra Edition
Nokia Connectivity Cable Driver
Nokia PC Suite
Nokia PC Suite
NVIDIA Display Driver
NVIDIA Ethernet Driver
NVIDIA GART Driver
OptusNet DSL
Orbital from Compaq (remove only)
Otto from Compaq (remove only)
Overball from Compaq (remove only)
PC Connectivity Solution
PC-Doctor for Windows
Photosmart 140,240,7200,7600,7700,7900 Series
Polar Bowler from Compaq (remove only)
PS2
Python 2.2 combined Win32 extensions
Python 2.2.1
QuickTime
RealPlayer
SC Video Cut and Split 1.3.0.3
Script Genie v1.5
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Shockwave
Slyder from Compaq (remove only)
Sonic Update Manager
Springboard
SpywareBlaster v3.5.1
SUPERAntiSpyware Free Edition
Ulead Photo Express 4.0 My Custom Edition
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB931836)
Winamp (remove only)
Windows Driver Package - Nokia (WUDFRd) WPD (03/19/2007 6.83.31.1)
Windows Driver Package - Nokia Modem (02/15/2007 3.1)
Windows Driver Package - Nokia Modem (11/03/2006 6.82.0.1)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
Zoo Tycoon 2

And the bitdefender scan results have been attached

Attached Files

  • Attached File  bit.html   77.56KB   26 downloads

  • 0

#4
handhfan
Posted 05 May 2007 - 04:45 AM

handhfan

    Trusted Helper

  • Expert
  • 13,659 posts
1. Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {26FAFD75-1005-41F6-978D-178C00165C0B} - (no file)
O2 - BHO: (no name) - {68D7E82D-C296-4330-805F-2A9A5492CFDc} - C:\WINDOWS\system32\jyffrdsf.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A541C874-2343-4FAE-A390-15F311A784D7} - (no file)
O20 - AppInit_DLLs:

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

µTorrent

Here at GeeksToGo, we strongly discourage the use of Peer-to-Peer networds such as µTorrent for two reasons. 1) It is illegal. 2) It can often lead to infection. However, it is your choice to uninstall it.

Please note any other programs that you dont recognize in that list in your next response

After that, Reboot.

2. Updating Java and Clearing Cache
  • Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
    Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
  • If you are unable to update you can manually update by going here:
  • After the reboot, go back into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 CheckedDownloaded Applets
    Downloaded Applications
    Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.
3. Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

4. Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report and a new HijackThis log.

  • 0

#5
lalex81
Posted 06 May 2007 - 02:35 AM

lalex81

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts

  • 0

#6
handhfan
Posted 06 May 2007 - 05:47 AM

handhfan

    Trusted Helper

  • Expert
  • 13,659 posts
Try wrapping your text in a quote box. This is due to some bug in the forum that has been there for a while. This should remedy it.
  • 0

#7
lalex81
Posted 06 May 2007 - 06:18 AM

lalex81

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Here's the hijack

Logfile of HijackThis v1.99.1
Scan saved at 10:09:22 PM, on 6/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\Antivirus\hj\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qau10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,,C:\WINDOWS\SERVICES.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: YA2GOOGLE - {89731480-D47D-4DC4-8A36-BAAE55E094C5} - (no file)
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe


The activescan report is just to large even to attach it (1mb) but it basically a loooong list of files followed by "Not desinfected", and there's one in between that was desinfected.

The other thing is that since updating Java my browser (firefox) isn't showing some pages, like this one, properly
  • 0

#8
handhfan
Posted 06 May 2007 - 06:40 PM

handhfan

    Trusted Helper

  • Expert
  • 13,659 posts

The activescan report is just to large even to attach it (1mb) but it basically a loooong list of files followed by "Not desinfected", and there's one in between that was desinfected.


That's okay, let's try this for now.

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick combofix's window while its running. That may cause it to stall.

The other thing is that since updating Java my browser (firefox) isn't showing some pages, like this one, properly


That sounds like you may have run ATF Cleaner when Firefox was still running. Try this, make sure all of your Firefox windows are closed. Then, run ATF Cleaner again (along with the Firefox cleanup. Then, try running Firefox again. This should remedy your problem.
  • 0

#9
lalex81
Posted 07 May 2007 - 09:35 PM

lalex81

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
"Owner" - 2007-05-08 13:18:53 Service Pack 2
ComboFix 07-05.07.3.V - Running from: "C:\Program Files\Mozilla Firefox\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ltydpuci.dll
C:\WINDOWS\system32\icupdytl.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\1.txt
C:\WINDOWS\system32\2.txt
C:\DOCUME~1\Owner\APPLIC~1\Microsoft\classes.dat
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\WINDOWS\system32\imas3r
C:\WINDOWS\services.dll
C:\WINDOWS\system32.dll
C:\Documents and Settings\All Users.\documents\settings


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NWSAPAGENT
-------\NwSapAgent


((((((((((((((((((((((((((((((( Files Created from 2007-04-08 to 2007-05-08 ))))))))))))))))))))))))))))))))))


2007-05-06 16:44 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-05-05 12:51 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-05-05 11:12 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-03 21:29 343,040 --a------ C:\WINDOWS\system32\mspaint.exe
2007-05-03 21:29 0 --a------ C:\WINDOWS\ORUN32.EXE
2007-05-03 21:28 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2007-05-03 21:19 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-05-03 21:19 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\SUPERAntiSpyware.com
2007-05-03 21:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-03 21:18 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-03 20:34 609,653 ---hs---- C:\WINDOWS\system32\cccdd.ini2
2007-04-29 13:05 <DIR> d----c--- C:\9041e20f7b9138e20c
2007-04-29 11:31 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Nokia Multimedia Player
2007-04-29 11:13 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-04-29 11:13 <DIR> d-------- C:\Program Files\Common Files\Nokia
2007-04-29 11:06 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2007-04-29 11:04 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2007-04-29 11:04 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2007-04-29 11:04 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2007-04-29 11:04 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2007-04-29 11:04 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2007-04-29 11:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Installations
2007-04-27 21:24 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\AdobeAUM
2007-04-25 22:44 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-04-23 07:22 609,801 ---hs---- C:\WINDOWS\system32\cccdd.bak2
2007-04-21 00:32 <DIR> d--hs---- C:\DOCUME~1\Owner\Phone Browser
2007-04-20 21:13 1,040,384 --a------ C:\WINDOWS\system32\libeay32.dll
2007-04-20 21:08 196,608 --a------ C:\WINDOWS\system32\ssleay32.dll
2007-04-19 21:46 7,206,509 --a------ C:\DOCUME~1\Owner\ie_updater.exe
2007-04-14 16:56 <DIR> d-------- C:\Program Files\DIFX
2007-04-14 16:56 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\PC Suite
2007-04-14 16:56 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Nokia
2007-04-14 16:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PC Suite
2007-04-14 16:54 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2007-04-14 16:54 <DIR> d-------- C:\Program Files\Nokia
2007-04-14 16:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Downloaded Installations


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-08 03:25:46 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1.\uTorrent
2007-05-06 07:48:27 -------- d-----w C:\Program Files\MSN Messenger
2007-05-06 07:38:06 -------- d-----w C:\Program Files\ewido anti-spyware 4.0
2007-05-03 11:29:16 -------- d-----w C:\Program Files\PC-Doctor for Windows
2007-05-03 11:19:07 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1.\SUPERAntiSpyware.com
2007-04-29 02:22:46 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1.\Nokia
2007-04-29 01:31:29 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1.\Nokia Multimedia Player
2007-04-27 11:24:01 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1.\AdobeAUM
2007-04-20 14:19:15 -------- d-----w C:\Program Files\SpywareBlaster
2007-04-14 06:56:11 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1.\PC Suite
2007-03-28 11:18:56 -------- d-----w C:\Program Files\iTunes
2007-03-28 11:18:46 -------- d-----w C:\Program Files\iPod
2007-03-28 11:17:42 -------- d-----w C:\Program Files\QuickTime
2007-03-28 11:16:04 -------- d-----w C:\Program Files\Apple Software Update
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-16 03:37:09 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1.\AdobeUM
2007-03-12 02:03:55 -------- d-----w C:\Program Files\Momento
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-08 07:51:24 19,959 ----a-w C:\WINDOWS\tmp.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"="C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx"
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"="C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"PCSuiteTrayApplication"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\LaunchApplication.exe -startup"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"Nokia.PCSync"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll"
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL"


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adobe photo downloader
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\agrsmmsg
AGRSMMSG.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\alcxmonitor
ALCXMNTR.EXE

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmonitor


HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\crvc32.exe
C:\WINDOWS\system32\crvc32.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe
C:\WINDOWS\System32\CTFMON.EXE

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dc6_check
C:\Program Files\SystemDoctor 2006 Free\dcmon.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hbtools
C:\Program Files\HbTools\Bin\4.7.7.0\HbtOEAddOn.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hp component manager
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hp software update
"C:\Program Files\HP\HP Software Update\HPWuSchd.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hphmon05
C:\WINDOWS\System32\hphmon05.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hphupd05
c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\imjpmig8.1
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ituneshelper
"C:\Program Files\iTunes\iTunesHelper.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagentexe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcupdateexe
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mfcyx.exe
C:\WINDOWS\system32\mfcyx.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msmsgs
"C:\Program Files\Messenger\msmsgs.exe" /background

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mspy2002
C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\netrz.exe
C:\WINDOWS\netrz.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pas_check
C:\Program Files\SystemDoctor 2006 Free\pasmon.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pcsuitetrayapplication
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\phime2002a
C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\phime2002async
C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\printdrive
rundll32.exe "C:\WINDOWS\system32\llfonrvm.dll",setvm

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\psguard spyware remover
C:\Program Files\PSGuard\PSGuard.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\quicktime task
"C:\Program Files\QuickTime\qttask.exe" -atboottime

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\recguard
C:\WINDOWS\SMINST\RECGUARD.EXE

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\reminder
"C:\Windows\Creator\Remind_XP.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runonce1upd
"C:\Program Files\Mozilla Firefox\firefox.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sunkist2k
C:\Program Files\Multimedia Card Reader\shwicon2k.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\systemdoctor 2006 free
C:\Program Files\SystemDoctor 2006 Free\sd2006.exe -scan

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\usdr6cw
C:\Program Files\SystemDoctor 2006 Free\USDR6cw.exe -c

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\weatherontray
C:\Program Files\HbTools\Bin\4.7.7.0\HbtWeatherOnTray.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winampagent
C:\Program Files\Winamp\winampa.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=dword:00000003
"PavPrSrv"=dword:00000002
"iPod Service"=dword:00000003
"CWShredder Service"=dword:00000002
"Pml Driver HPZ12"=dword:00000003
"Avg7UpdSvc"=dword:00000002
"Avg7Alrt"=dword:00000002
"AresChatServer"=dword:00000003
"ewido anti-spyware 4.0 guard"=dword:00000002
"ServiceLayer"=dword:00000003
"MsaSvc"=dword:00000002
"IDriverT"=dword:00000003
"NVSvc"=dword:00000002
"dmadmin"=dword:00000003

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
HTTPFilter HTTPFilter\0\0
DcomLaunch DcomLaunch\0TermService\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command D:\Info.exe folder.htt 480 480


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\McAfee.com Update Check (COMPUTIN-Owner).job
C:\WINDOWS\tasks\McAfee.com Update Check (YOUR-MXV0URM8HA-Owner).job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-08 13:28:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-08 13:32:19 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-08 13:32










Logfile of HijackThis v1.99.1
Scan saved at 1:35:01 PM, on 8/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\Antivirus\hj\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qau10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
  • 0

#10
handhfan
Posted 08 May 2007 - 02:24 PM

handhfan

    Trusted Helper

  • Expert
  • 13,659 posts
We'll need to dig into the registry to clean your computer up a bit. :whistling:

First, let's back up your registry.
  • Go to Start > Run
  • Type: regedit
  • Click OK.
  • On the leftside, click to highlight My Computer at the top.
  • Go up to "File > Export"
    • Make sure in that window there is a tick next to "All" under Export Branch.
    • Leave the "Save As Type" as "Registration Files".
    • Under "Filename" put backup
  • Choose to save it to C:\ or somewhere else safe so that you will remember where you put it (don't put it on the desktop!)
  • Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.

Next, we are going to create a .reg file that will change some settings tweaked by malware.
  • Please click on the Start menu, and click on All Programs.
  • Scroll to the folder that says Accessories and click on Notepad.
  • Copy the text in the code box below into Notepad, and save as fix.reg on your desktop.
Make sure that there is a blank line at the bottom of the copied text in Notepad!

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\crvc32.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dc6_check]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hbtools]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mfcyx.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\netrz.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pas_check]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\printdrive]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\psguard spyware remover]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\systemdoctor 2006 free]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\usdr6cw]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\weatherontray]

Finally, we need to merge this with the registry. To do this, simply double-click fix.reg on your desktop, and when it asks you if you want to merge with the registry, click OK.

When this is completed, restart, and give a new HijackThis log and ComboFix log.
  • 0

Advertisements

#11
lalex81
Posted 12 May 2007 - 11:56 PM

lalex81

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Logfile of HijackThis v1.99.1
Scan saved at 3:47:14 PM, on 13/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\Antivirus\hj\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qau10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe




"Owner" - 2007-05-13 15:47:48 Service Pack 2
ComboFix 07-05.07.3.V - Running from: "C:\Documents and Settings\Owner\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-13 ))))))))))))))))))))))))))))))))))


2007-05-13 15:37 109,258,022 --a--c--- C:\backup.reg
2007-05-08 13:32 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-06 16:44 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-05-05 12:51 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-05-05 11:12 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-03 21:29 343,040 --a------ C:\WINDOWS\system32\mspaint.exe
2007-05-03 21:29 0 --a------ C:\WINDOWS\ORUN32.EXE
2007-05-03 21:28 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2007-05-03 21:19 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-05-03 21:19 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\SUPERAntiSpyware.com
2007-05-03 21:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-03 21:18 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-03 20:34 609,653 ---hs---- C:\WINDOWS\system32\cccdd.ini2
2007-04-29 13:05 <DIR> d----c--- C:\9041e20f7b9138e20c
2007-04-29 11:31 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Nokia Multimedia Player
2007-04-29 11:13 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-04-29 11:13 <DIR> d-------- C:\Program Files\Common Files\Nokia
2007-04-29 11:06 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2007-04-29 11:04 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2007-04-29 11:04 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2007-04-29 11:04 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2007-04-29 11:04 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2007-04-29 11:04 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2007-04-29 11:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Installations
2007-04-27 21:24 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\AdobeAUM
2007-04-25 22:44 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-04-23 07:22 609,801 ---hs---- C:\WINDOWS\system32\cccdd.bak2
2007-04-21 00:32 <DIR> d--hs---- C:\DOCUME~1\Owner\Phone Browser
2007-04-20 21:13 1,040,384 --a------ C:\WINDOWS\system32\libeay32.dll
2007-04-20 21:08 196,608 --a------ C:\WINDOWS\system32\ssleay32.dll
2007-04-19 21:46 7,206,509 --a------ C:\DOCUME~1\Owner\ie_updater.exe
2007-04-14 16:56 <DIR> d-------- C:\Program Files\DIFX
2007-04-14 16:56 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\PC Suite
2007-04-14 16:56 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Nokia
2007-04-14 16:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PC Suite
2007-04-14 16:54 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2007-04-14 16:54 <DIR> d-------- C:\Program Files\Nokia
2007-04-14 16:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Downloaded Installations


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-08 15:04:18 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1.\uTorrent
2007-05-06 07:48:27 -------- d-----w C:\Program Files\MSN Messenger
2007-05-06 07:38:06 -------- d-----w C:\Program Files\ewido anti-spyware 4.0
2007-05-03 11:29:16 -------- d-----w C:\Program Files\PC-Doctor for Windows
2007-05-03 11:19:07 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1.\SUPERAntiSpyware.com
2007-04-29 02:22:46 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1.\Nokia
2007-04-29 01:31:29 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1.\Nokia Multimedia Player
2007-04-27 11:24:01 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1.\AdobeAUM
2007-04-20 14:19:15 -------- d-----w C:\Program Files\SpywareBlaster
2007-04-14 06:56:11 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1.\PC Suite
2007-03-28 11:18:56 -------- d-----w C:\Program Files\iTunes
2007-03-28 11:18:46 -------- d-----w C:\Program Files\iPod
2007-03-28 11:17:42 -------- d-----w C:\Program Files\QuickTime
2007-03-28 11:16:04 -------- d-----w C:\Program Files\Apple Software Update
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-16 03:37:09 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1.\AdobeUM
2007-03-12 02:03:55 -------- d-----w C:\Program Files\Momento
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-05 01:34:09 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-02-08 07:51:24 19,959 ----a-w C:\WINDOWS\tmp.dat
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"="C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx"
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"="C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"PCSuiteTrayApplication"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\LaunchApplication.exe -startup"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"Nokia.PCSync"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll"
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL"


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adobe photo downloader
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\agrsmmsg
AGRSMMSG.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\alcxmonitor
ALCXMNTR.EXE

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmonitor


HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe
C:\WINDOWS\System32\CTFMON.EXE

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hp component manager
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hp software update
"C:\Program Files\HP\HP Software Update\HPWuSchd.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hphmon05
C:\WINDOWS\System32\hphmon05.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hphupd05
c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\imjpmig8.1
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ituneshelper
"C:\Program Files\iTunes\iTunesHelper.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagentexe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcupdateexe
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msmsgs
"C:\Program Files\Messenger\msmsgs.exe" /background

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mspy2002
C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pcsuitetrayapplication
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\phime2002a
C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\phime2002async
C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\quicktime task
"C:\Program Files\QuickTime\qttask.exe" -atboottime

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\recguard
C:\WINDOWS\SMINST\RECGUARD.EXE

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\reminder
"C:\Windows\Creator\Remind_XP.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runonce1upd
"C:\Program Files\Mozilla Firefox\firefox.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sunkist2k
C:\Program Files\Multimedia Card Reader\shwicon2k.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winampagent
C:\Program Files\Winamp\winampa.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=dword:00000003
"PavPrSrv"=dword:00000002
"iPod Service"=dword:00000003
"CWShredder Service"=dword:00000002
"Pml Driver HPZ12"=dword:00000003
"Avg7UpdSvc"=dword:00000002
"Avg7Alrt"=dword:00000002
"AresChatServer"=dword:00000003
"ewido anti-spyware 4.0 guard"=dword:00000002
"ServiceLayer"=dword:00000003
"MsaSvc"=dword:00000002
"IDriverT"=dword:00000003
"NVSvc"=dword:00000002
"dmadmin"=dword:00000003

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
HTTPFilter HTTPFilter\0\0
DcomLaunch DcomLaunch\0TermService\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command D:\Info.exe folder.htt 480 480


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\McAfee.com Update Check (COMPUTIN-Owner).job
C:\WINDOWS\tasks\McAfee.com Update Check (YOUR-MXV0URM8HA-Owner).job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-13 15:55:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-13 15:56:10
C:\ComboFix-quarantined-files.txt ... 2007-05-13 15:56
C:\ComboFix2.txt ... 2007-05-08 13:32
  • 0

#12
handhfan
Posted 13 May 2007 - 06:09 PM

handhfan

    Trusted Helper

  • Expert
  • 13,659 posts
Your log looks better. Are you having any other problems? Do you have any questions?
  • 0

#13
lalex81
Posted 14 May 2007 - 04:53 AM

lalex81

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
So far I haven't had any problems, so that seems to have fixed everything for now.

Thanks a lot for all the help and time.
  • 0

#14
jwbirdsong
Posted 15 May 2007 - 09:40 PM

jwbirdsong

    Trusted Helper

  • Retired Staff
  • 668 posts
just so you know, handhfan has had some issues come up and is unable to continue right now...I'll be stepping in and finishing this log with you.

Good job your log is clean.

You can delete the combofix folder/files now..also delete the fix.reg file from your desktop

I suggest you keep the ATF cleaner and make it part of your weekly maintenance routine

First, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)1. Turn off System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Restart your computer.

3. Turn ON System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
[/list]System Restore will now be active again.

To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard and IE/Spyad.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It is free.

More info and download is available at links in the following article by TonyKlein

Make SURE to read How Did I Get Infected in the First Place??
  • 0

#15
lalex81
Posted 18 May 2007 - 07:05 PM

lalex81

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
DONE

Now the only "bug" that I still have and that I just found is with Quick Time, the files are working normal when it's a video inserted in a webpage, but not on the Quick time player itself, I only get sound and the picture is just white.

I'll give you an example so you get what I mean, on http://www.themovieb...ers/trailer.php i can click and watch the lo-res, mid-res and hi-res trailers, but if i click on the 480p trailer I only get sound, the image is white. This didn't use to happen before.

I've deleted and re-installed quicktime and this doesn't change, not sure you, or anybody here can help me with this, it's not a major issue, but bothers a lot.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP