Geeks To Go
Win32 and more?



#1 mandy_1803 (New Member, 5 posts)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:47:28 PM, on 10/6/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\npdutful.exe
C:\Program Files\Dynex Wireless G Adapter\WLService.exe
C:\Program Files\Dynex Wireless G Adapter\WLanCfgG.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\windows\system32\ljdsrngk.exe
C:\WINDOWS\System32\twinkmdt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\?asks\r?gedit.exe
C:\Documents and Settings\James\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\James\Application Data\Microsoft\Windows\msnpk.exe
C:\WINDOWS\System32\PPPATC~1\winword.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\James\Desktop\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://store.presari...t...c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presari...t...c02&lc=0409
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe
O4 - HKLM\..\Run: [{6E-EF-F7-78-ZN}] C:\windows\system32\ljdsrngk.exe CHD003
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\twinkmdt.exe CHD003
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\System32\aqibiatb.dll",forkonce
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Tza] C:\WINDOWS\?asks\r?gedit.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\James\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\James\Application Data\Microsoft\Windows\msnpk.exe
O4 - HKCU\..\Run: [Aaou] "C:\WINDOWS\System32\PPPATC~1\winword.exe" -vt ndrv
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\ljdsrngk.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\twinkmdt.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Advisor - {2516874A-8BF8-4FF9-865A-D7D5C67FFADE} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O15 - Trusted Zone: *.drivecleaner.com
O15 - Trusted Zone: *.errorprotector.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantispyware.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.drivecleaner.com (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantispyware.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O16 - DPF: Yahoo! Pool 2 - http://download2.gam...ts/y/poti_x.cab
O16 - DPF: Yahoo! Pyramids - http://download2.gam...ts/y/pyt1_x.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab46479.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/...dy.cab32846.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/...bGameLoader.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab32846.cab
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/...of.cab40641.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab53083.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...xy.cab41227.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://zone.msn.com/...sh.1.0.0.89.cab
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/c...::/xpreload.ocx
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O20 - AppInit_DLLs:
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmFtZXM\command.exe (file missing)
O23 - Service: DomainService - - C:\WINDOWS\System32\npdutful.exe
O23 - Service: Dynex DX-WGNBC Service (Dynex DX-WGNBC WLService) - Unknown owner - C:\Program Files\Dynex Wireless G Adapter\WLService.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\rtekehd.html

--
End of file - 9295 bytes
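Added example, not part of the original post and not a HijackThis feature: a Python triage pass over the kind of log posted above. It encodes the checks a helper applies by eye to this log: O15 Trusted Zone entries for the rogue "antispyware" domains (WinAntiVirus, DriveCleaner, SystemDoctor and the rest), a path that HijackThis prints with a '?' because a directory or file name contains a non-ASCII character (C:\WINDOWS\?asks\r?gedit.exe is not regedit), a file name one edit away from a real system binary (lsasss.exe), O23 services with no vendor, an unknown owner or a missing file, a service path whose directory name is base64 (SmFtZXM decodes to the user name James), a Run value named like a GUID that is not one ({6E-EF-F7-78-ZN}), Run entries that load a DLL through rundll32, and the ms-its:mhtml: DPF chain. The domain list, the system-binary list and the rule names are the author's assumptions; the sample log is assembled from lines posted above.

```python
"""Triage rules for a Trend Micro HijackThis 2.0.x log, run over lines copied
from the log posted above.  Added example: not part of the original post and
not a HijackThis feature.  ROGUE_DOMAINS, SYSTEM_BINARIES and the rule names
are the author's assumptions; SAMPLE_LOG is assembled from the lines above."""
import base64
import re

# Constructed list: the domains the log above shows in IE's Trusted Zone (O15),
# all tied to rogue "antispyware" products of the period.  Extend from your intel.
ROGUE_DOMAINS = {"drivecleaner.com", "errorprotector.com", "imagesrvr.com",
                 "imageservr.com", "systemdoctor.com", "winantispyware.com",
                 "winantivirus.com"}
# Assumed: stems of Windows binaries that fakes most often imitate.
SYSTEM_BINARIES = {"smss", "csrss", "winlogon", "services", "lsass", "svchost",
                   "spoolsv", "explorer", "regedit", "rundll32", "wuauclt"}

PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|sys|ocx|ax|html?)\b", re.I)
RUN_NAME_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\]")
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
B64_RE = re.compile(r"^[A-Za-z0-9+/]{6,}$")


def levenshtein(a, b):
    """Plain edit distance; inputs are short file stems."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def decode_b64_name(component):
    """Plaintext if a directory name is base64 of an alphanumeric string (the
    log above has C:\\WINDOWS\\SmFtZXM, which decodes to 'James'), else None."""
    if not B64_RE.match(component) or len(component) % 4 == 1:
        return None
    try:
        text = base64.b64decode(component + "=" * (-len(component) % 4),
                                validate=True).decode("ascii")
    except ValueError:                      # not base64, or non-ASCII output
        return None
    return text if text.isalnum() else None


def triage(log_text):
    """Return [(rule, line), ...] for every log line that trips a rule."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        rules, paths = [], PATH_RE.findall(line)
        if line.startswith("O15 - Trusted Zone:"):
            domain = line.split("*.", 1)[-1].split()[0] if "*." in line else ""
            rules.append("trusted-zone-rogue" if domain in ROGUE_DOMAINS
                         else "trusted-zone-review")
        if any("?" in p for p in paths):    # HJT prints non-ASCII characters as '?'
            rules.append("nonprintable-char-in-path")
        if line.startswith("O23 - Service:") and any(
                t in line for t in ("Unknown owner", " - - ", "(file missing)")):
            rules.append("service-unverified")
        for p in paths:
            for plain in filter(None, map(decode_b64_name, p.split("\\")[1:-1])):
                rules.append("base64-directory:" + plain)
            stem = p.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
            if stem not in SYSTEM_BINARIES and any(
                    levenshtein(stem, s) == 1 for s in SYSTEM_BINARIES):
                rules.append("system-binary-lookalike:" + stem)
        m = RUN_NAME_RE.match(line)
        if m:
            name = m.group("name")          # {6E-EF-F7-78-ZN} is not a real GUID
            if name.startswith("{") and not GUID_RE.match(name):
                rules.append("fake-guid-run-name")
            if "rundll32" in line.lower():
                rules.append("rundll32-loads-dll")
        if line.startswith("O16 - DPF:") and ("ms-its:" in line or "mhtml:" in line):
            rules.append("dpf-its-protocol-chain")
        findings.extend((r, line) for r in rules)
    return findings


# Constructed sample: a handful of lines from the log posted above.
SAMPLE_LOG = r"""
C:\WINDOWS\?asks\r?gedit.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe
O4 - HKLM\..\Run: [{6E-EF-F7-78-ZN}] C:\windows\system32\ljdsrngk.exe CHD003
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\System32\aqibiatb.dll",forkonce
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.drivecleaner.com (HKLM)
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/c...::/xpreload.ocx
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmFtZXM\command.exe (file missing)
O23 - Service: DomainService - - C:\WINDOWS\System32\npdutful.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"{rule:34} {line[:80]}")
```

Run it as-is to see the sample findings, or feed it a saved hijackthis.log through triage(open(path).read()). Each hit is a lead for the analyst, not a verdict: a Trusted Zone entry or a base64 folder name is a reason to look, and the lookalike check is deliberately loose (one edit), so review its output before acting on it.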


#2 sari (GeekU Admin, Community Leader, MVP, 21,805 posts)
We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here: http://www.microsoft...&DisplayLang=en
Apply the update, reboot, and post a fresh Hijack This log.

#3 mandy_1803 (Topic Starter)
Thank you... here is the newest log. It takes forever to do things on this computer!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:49:58 PM, on 10/9/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\npdutful.exe
C:\Program Files\Dynex Wireless G Adapter\WLService.exe
C:\Program Files\Dynex Wireless G Adapter\WLanCfgG.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system32\ljdsrngk.exe
C:\WINDOWS\System32\twinkmds.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\?asks\r?gedit.exe
C:\Documents and Settings\James\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\James\Application Data\Microsoft\Windows\msnpk.exe
C:\WINDOWS\System32\PPPATC~1\winword.exe
C:\Program Files\ISM\ISMModule6.exe
C:\Program Files\ISM2\ISMPack6.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\James\Desktop\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\James\Desktop\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://store.presari...t...c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presari...t...c02&lc=0409
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [{6E-EF-F7-78-ZN}] C:\windows\system32\ljdsrngk.exe CHD003
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\twinkmds.exe CHD003
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\System32\tkgpwpyh.dll",sitypnow
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Tza] C:\WINDOWS\?asks\r?gedit.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\James\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\James\Application Data\Microsoft\Windows\msnpk.exe
O4 - HKCU\..\Run: [Aaou] "C:\WINDOWS\System32\PPPATC~1\winword.exe" -vt yazb
O4 - HKCU\..\Run: [ISMModule6] "C:\Program Files\ISM\ISMModule6.exe"
O4 - HKCU\..\Run: [ISMPack6] "C:\Program Files\ISM2\ISMPack6.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\ljdsrngk.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\twinkmds.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Advisor - {2516874A-8BF8-4FF9-865A-D7D5C67FFADE} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O15 - Trusted Zone: *.drivecleaner.com
O15 - Trusted Zone: *.errorprotector.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantispyware.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.drivecleaner.com (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantispyware.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O16 - DPF: Yahoo! Pool 2 - http://download2.gam...ts/y/poti_x.cab
O16 - DPF: Yahoo! Pyramids - http://download2.gam...ts/y/pyt1_x.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab46479.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.driveclea...leanerstart.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/...dy.cab32846.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/...bGameLoader.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab32846.cab
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/...of.cab40641.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab53083.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...xy.cab41227.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://zone.msn.com/...sh.1.0.0.89.cab
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/c...::/xpreload.ocx
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O20 - AppInit_DLLs:
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmFtZXM\command.exe (file missing)
O23 - Service: DomainService - - C:\WINDOWS\System32\npdutful.exe
O23 - Service: Dynex DX-WGNBC Service (Dynex DX-WGNBC WLService) - Unknown owner - C:\Program Files\Dynex Wireless G Adapter\WLService.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\rtekehd.html

--
End of file - 8811 bytes

#4 sari (GeekU Admin)
mandy_1803,

I'm going to have you run a scanner that should clean up quite a few of your issues, and hopefully get you to the point where you're running faster.

1. Download ComboFix.exe using either of these links:

* bleepingcomputer.com

* techsupportforum.com

2. Double click on combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Thanks,

sari

#5 mandy_1803 (Topic Starter)
Here are the two logs... I will put ComboFix's first, then HijackThis! My computer froze halfway through a first ComboFix run, so I had to do a second one. This is the log from the second, so more could've been deleted, or whatever else ComboFix does!!!!

ComboFix 07-10-12.4 - James 2007-10-12 13:11:21.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.24 [GMT -4:00]
Running from: C:\Documents and Settings\James\Local Settings\Temporary Internet Files\Content.IE5\W56FGHQV\ComboFix[1].exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\James\Application Data\WinTouch\config.cfg.04acfdb6317b640d7b7e685ccec82542
C:\Documents and Settings\James\Application Data\WinTouch\wintouch.cfg
C:\Documents and Settings\James\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\James\Application Data\WinTouch\WTUninstaller.exe
C:\Documents and Settings\James\Start Menu\Programs\Outerinfo
C:\Documents and Settings\James\Start Menu\Programs\Startup\ta_start.lnk
C:\Documents and Settings\James\Start Menu\Programs\Startup\TA_Start.lnk
C:\Documents and Settings\James\Start Menu\Programs\Startup\think-adz.lnk
C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.89
C:\WINDOWS\system32\accfe.bak2
C:\WINDOWS\system32\accfe.ini
C:\WINDOWS\system32\cbxwtrr.dll
C:\WINDOWS\system32\dwdsrngt.exe
C:\WINDOWS\system32\efcca.dll
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\nwinomds.exe
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\Z1
C:\WINDOWS\system32\zxdnt3d.cfg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\DomainService
-------\Network Monitor


((((((((((((((((((((((((( Files Created from 2007-09-12 to 2007-10-12 )))))))))))))))))))))))))))))))
.

2007-10-12 12:36 52,782 --a------ C:\WINDOWS\system32\lndsrngs.exe
2007-10-11 21:55 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-11 14:15 <DIR> d-------- C:\Program Files\Temporary
2007-10-11 12:18 <DIR> d-------- C:\WINDOWS\system32\vMW02a
2007-10-11 12:18 <DIR> d-------- C:\Temp\xOe
2007-10-09 22:37 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-10-09 22:37 <DIR> d-------- C:\WINDOWS\ehome
2007-10-09 22:30 5,504 --a------ C:\WINDOWS\system32\drivers\smbali.sys
2007-10-09 22:25 891,711 --a------ C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-10-09 22:24 3,494,303 --a------ C:\WINDOWS\system32\nv4_disp.dll
2007-10-09 22:20 13,056 --a------ C:\WINDOWS\system32\drivers\wacompen.sys
2007-10-09 22:19 18,944 --a------ C:\WINDOWS\system32\faxpatch.exe
2007-10-09 22:19 11,904 --a------ C:\WINDOWS\system32\drivers\mutohpen.sys
2007-10-09 22:19 6,912 --a------ C:\WINDOWS\system32\drivers\hidir.sys
2007-10-09 22:18 63,663 --a------ C:\WINDOWS\system32\drivers\atinrvxx.sys
2007-10-09 22:18 36,463 --a------ C:\WINDOWS\system32\drivers\atintuxx.sys
2007-10-09 22:18 34,735 --a------ C:\WINDOWS\system32\drivers\atinxsxx.sys
2007-10-09 22:18 30,671 --a------ C:\WINDOWS\system32\drivers\atinraxx.sys
2007-10-09 22:18 29,455 --a------ C:\WINDOWS\system32\drivers\atinxbxx.sys
2007-10-09 22:18 26,367 --a------ C:\WINDOWS\system32\drivers\atinsnxx.sys
2007-10-09 22:18 21,343 --a------ C:\WINDOWS\system32\drivers\atinttxx.sys
2007-10-09 22:18 12,047 --a------ C:\WINDOWS\system32\drivers\atinpdxx.sys
2007-10-09 22:17 56,591 --a------ C:\WINDOWS\system32\drivers\atinbtxx.sys
2007-10-09 22:17 11,615 --a------ C:\WINDOWS\system32\drivers\atinmdxx.sys
2007-10-09 22:16 377,984 --a------ C:\WINDOWS\system32\ati2dvaa.dll
2007-10-09 22:16 327,040 --a------ C:\WINDOWS\system32\drivers\ati2mtaa.sys
2007-10-09 15:47 <DIR> d--hs---- C:\found.001
2007-10-08 23:22 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2007-10-08 23:22 171,280 --a------ C:\WINDOWS\system32\jit.dll
2007-10-08 23:22 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2007-10-08 23:22 46,352 --a------ C:\WINDOWS\setdebug.exe
2007-10-08 23:22 6,550 --a------ C:\WINDOWS\jautoexp.dat
2007-10-08 20:23 184,320 --a------ C:\WINDOWS\system32\0x2mbgOG.dll
2007-10-08 16:51 <DIR> d-------- C:\Program Files\ISM2
2007-10-08 10:29 7,395 --a------ C:\sysbxzg.exe
2007-10-07 16:44 35,840 --a------ C:\WINDOWS\tsitra72.exe
2007-10-07 14:46 <DIR> d-------- C:\Documents and Settings\James\Contacts
2007-10-07 14:45 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-10-07 14:43 184,320 --a------ C:\WINDOWS\system32\Nd264IaK.dll
2007-10-07 12:36 184,320 --a------ C:\WINDOWS\system32\0od7yJIt.dll
2007-10-07 11:08 184,320 --a------ C:\WINDOWS\system32\3A41O046.dll
2007-10-06 22:09 463,168 -ra------ C:\WINDOWS\system32\drivers\ar5211.sys
2007-10-06 22:08 <DIR> d-------- C:\Program Files\Dynex Wireless G Adapter
2007-10-06 22:08 40,960 --a------ C:\WINDOWS\system32\WGNBC.dll
2007-10-06 22:08 17,801 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2007-10-06 17:55 94,208 --a------ C:\WINDOWS\system32\GTW32N50.dll
2007-10-06 17:55 15,872 --a------ C:\WINDOWS\system32\GTNDIS5.sys
2007-09-18 15:37 <DIR> d-------- C:\Program Files\Google
2007-09-18 15:36 <DIR> d-------- C:\Program Files\Picasa2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-12 01:59 246 ----a-w C:\Program Files\Common Files\qubas
2007-10-09 03:25 --------- d-----w C:\Program Files\QuickTime
2007-10-07 18:46 --------- d-----w C:\Program Files\MSN Messenger
2007-10-07 14:36 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-06 22:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-01 02:59 --------- d-----w C:\Program Files\MSN Games
2007-09-01 02:30 --------- d-----w C:\Documents and Settings\LocalService\Application Data\NetMon
2006-12-05 02:47 42,264 ----a-w C:\Documents and Settings\Timmy\Application Data\GDIPFONTCACHEV1.DAT
2006-08-07 05:00 42,264 ----a-w C:\Documents and Settings\James\Application Data\GDIPFONTCACHEV1.DAT
2005-07-29 20:24:26 472 --sha-r C:\WINDOWS\SmFtZXM\mAIQtrg.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0E6BD8DE-4415-0FBB-6554-4E71B6769192}]
C:\WINDOWS\System32\nbhzbzs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13822A64-B4F2-857B-A73D-E82B5A9682CD}]
C:\WINDOWS\System32\acccd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7923B4D4-31F5-4996-9F4A-0CD1D4DA4881}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]
2007-10-08 20:23 184320 --a------ C:\WINDOWS\System32\0x2mbgOG.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8C6D5A56-791E-4fe8-9D64-81781FA15D68}]
C:\Program Files\ISM\BndDrive6.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{99C5FE5B-349C-2460-EC2C-3976166F56C9}]
C:\WINDOWS\System32\kxggeeot.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D52E4F35-EE1D-4086-4088-C729525854B8}]
C:\Program Files\Common Files\qubas.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"PreloadApp"="c:\hp\drivers\printers\photosmart\hphprld.exe" [2001-12-12 11:05]
"{6E-EF-F7-78-ZN}"="c:\windows\system32\dwdsrngt.exe" [2007-10-12 13:23]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"Tza"="C:\WINDOWS\?asks\r?gedit.exe" []
"Aaou"="C:\WINDOWS\System32\PPPATC~1\winword.exe" []
"ISMModule6"="C:\Program Files\ISM\ISMModule6.exe" []
"ISMPack6"="C:\Program Files\ISM2\ISMPack6.exe" [2007-09-28 09:27]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-11-15 16:18]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"<NO NAME>"=

C:\Documents and Settings\James\Start Menu\Programs\Startup\
TA_Start.lnk - C:\WINDOWS\system32\dwdsrngt.exe [2007-10-12 13:23:23]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Common Files\rtekehd.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=C:\WINDOWS\pss\Billminder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=C:\WINDOWS\pss\Quicken Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet

R1 cdudf_xp;cdudf_xp;C:\WINDOWS\System32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\System32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\System32\drivers\UdfReadr_xp.sys
R2 CdaD10BA;CdaD10BA;\??\C:\WINDOWS\System32\drivers\CdaD10BA.SYS
R2 Dynex DX-WGNBC WLService;Dynex DX-WGNBC Service;C:\Program Files\Dynex Wireless G Adapter\WLService.exe
R2 StreamDispatcher;StreamDispatcher;C:\WINDOWS\System32\DRIVERS\strmdisp.sys
R3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;C:\WINDOWS\System32\drivers\caliaud.sys
R3 CALIHALA;CALIHALA;C:\WINDOWS\System32\drivers\calihal.sys
R3 DKbFltr;Dritek HotKey Keyboard Filter Driver;C:\WINDOWS\System32\Drivers\DKbFltr.SYS
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;C:\WINDOWS\System32\DRIVERS\DP83815.SYS
R3 mmc_2K;mmc_2K;C:\WINDOWS\System32\drivers\mmc_2K.sys
S3 ALiIRDA;ALi Infrared Device Driver;C:\WINDOWS\System32\DRIVERS\aliirda.sys
S3 allegro;ESS Allegro Audio Driver (WDM);C:\WINDOWS\System32\drivers\es198x.sys
S3 CE3;Xircom Ethernet Adapter 10/100 Service;C:\WINDOWS\System32\DRIVERS\ce3n5.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\System32\drivers\dvd_2K.sys
S3 ICAM5USB;Intel® PC Camera CS110;C:\WINDOWS\System32\Drivers\Icam5USB.sys
S3 LEX_NIC_SERVICE;IEEE 802.11 Wireless NIC Win2000 Driver;C:\WINDOWS\System32\DRIVERS\Express.sys

*Newly Created Service* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder
"2007-08-15 21:17:04 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exe
"2005-04-15 03:29:09 C:\WINDOWS\Tasks\Registration reminder 1.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2005-04-15 03:29:10 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2005-04-15 03:29:10 C:\WINDOWS\Tasks\Registration reminder 3.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2005-08-29 01:01:23 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-12 13:22:15
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\dwdsrngt.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\owinolds.exe
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\zxdnt3d.cfg

scan completed successfully
hidden files: 5

**************************************************************************
.
Completion time: 2007-10-12 13:24:52 - machine was rebooted
.
--- E O F ---



=========================================================


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:26:27 PM, on 10/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dynex Wireless G Adapter\WLService.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\Dynex Wireless G Adapter\WLanCfgG.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ISM2\ISMPack6.exe
C:\Program Files\Messenger\MSMSGS.EXE
c:\windows\system32\dwdsrngt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\owinolds.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\James\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presari...t...c02&lc=0409
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_6_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0E6BD8DE-4415-0FBB-6554-4E71B6769192} - C:\WINDOWS\System32\nbhzbzs.dll (file missing)
O2 - BHO: (no name) - {13822A64-B4F2-857B-A73D-E82B5A9682CD} - C:\WINDOWS\System32\acccd.dll (file missing)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {7923B4D4-31F5-4996-9F4A-0CD1D4DA4881} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\System32\0x2mbgOG.dll
O2 - BHO: BndDrive2 BHO Class - {8C6D5A56-791E-4fe8-9D64-81781FA15D68} - C:\Program Files\ISM\BndDrive6.dll (file missing)
O2 - BHO: (no name) - {99C5FE5B-349C-2460-EC2C-3976166F56C9} - C:\WINDOWS\System32\kxggeeot.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: 0 - {D52E4F35-EE1D-4086-4088-C729525854B8} - C:\Program Files\Common Files\qubas.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [{6E-EF-F7-78-ZN}] c:\windows\system32\dwdsrngt.exe CHD003
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Tza] C:\WINDOWS\?asks\r?gedit.exe
O4 - HKCU\..\Run: [Aaou] "C:\WINDOWS\System32\PPPATC~1\winword.exe" -vt yazb
O4 - HKCU\..\Run: [ISMModule6] "C:\Program Files\ISM\ISMModule6.exe"
O4 - HKCU\..\Run: [ISMPack6] "C:\Program Files\ISM2\ISMPack6.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsrngt.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\owinolds.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Advisor - {2516874A-8BF8-4FF9-865A-D7D5C67FFADE} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O15 - Trusted Zone: *.drivecleaner.com
O15 - Trusted Zone: *.errorprotector.com
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantispyware.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.drivecleaner.com (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantispyware.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O16 - DPF: Yahoo! Pool 2 - http://download2.gam...ts/y/poti_x.cab
O16 - DPF: Yahoo! Pyramids - http://download2.gam...ts/y/pyt1_x.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab46479.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.driveclea...leanerstart.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/...dy.cab32846.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/...bGameLoader.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab32846.cab
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/...of.cab40641.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab53083.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...xy.cab41227.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://zone.msn.com/...sh.1.0.0.89.cab
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/c...::/xpreload.ocx
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O20 - AppInit_DLLs:
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Dynex DX-WGNBC Service (Dynex DX-WGNBC WLService) - Unknown owner - C:\Program Files\Dynex Wireless G Adapter\WLService.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\rtekehd.html

--
End of file - 9319 bytes


Thank you for your continuing help!!!

Edited by mandy_1803, 12 October 2007 - 08:31 PM.


#6
sari
    GeekU Admin
  • Community Leader
  • 21,805 posts
  • MVP
mandy_1803,

We're making progress, but we still have some things to do.

Please remove these entries from Add/Remove Programs in the Control Panel (if present):

ISM Module
ISM Pack



A. Please RUN HijackThis
  • Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:

    O2 - BHO: (no name) - {0E6BD8DE-4415-0FBB-6554-4E71B6769192} - C:\WINDOWS\System32\nbhzbzs.dll (file missing)
    O2 - BHO: (no name) - {13822A64-B4F2-857B-A73D-E82B5A9682CD} - C:\WINDOWS\System32\acccd.dll (file missing)
    O2 - BHO: (no name) - {7923B4D4-31F5-4996-9F4A-0CD1D4DA4881} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\System32\0x2mbgOG.dll
    O2 - BHO: BndDrive2 BHO Class - {8C6D5A56-791E-4fe8-9D64-81781FA15D68} - C:\Program Files\ISM\BndDrive6.dll (file missing)
    O2 - BHO: (no name) - {99C5FE5B-349C-2460-EC2C-3976166F56C9} - C:\WINDOWS\System32\kxggeeot.dll (file missing)
    O2 - BHO: 0 - {D52E4F35-EE1D-4086-4088-C729525854B8} - C:\Program Files\Common Files\qubas.dll (file missing)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKCU\..\Run: [Tza] C:\WINDOWS\?asks\r?gedit.exe
    O4 - HKCU\..\Run: [Aaou] "C:\WINDOWS\System32\PPPATC~1\winword.exe" -vt yazb
    O4 - HKCU\..\Run: [ISMModule6] "C:\Program Files\ISM\ISMModule6.exe"
    O4 - HKCU\..\Run: [ISMPack6] "C:\Program Files\ISM2\ISMPack6.exe"
    O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsrngt.exe
    O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\owinolds.exe
  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.
B. 1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\0x2mbgOG.dll
C:\Program Files\Common Files\rtekehd.html
C:\sysbxzg.exe
C:\WINDOWS\tsitra72.exe
C:\WINDOWS\system32\Nd264IaK.dll
C:\WINDOWS\system32\0od7yJIt.dll
C:\WINDOWS\system32\3A41O046.dll

Folder::
C:\WINDOWS\SmFtZXM
C:\Program Files\ISM2
C:\Program Files\Common Files\qubas

Driver::

ADS::

Registry::



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
First Approach:

You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the directions below to run FindAWF so we can identify the files that have been infected and the backups then restore them.

Download FindAWF.exe from here or here, and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 1, then press Enter
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.
In your next post, I need the combofix log, a new hijackthis log, and the AWF.txt file.

Thanks,

sari
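The removal list in the post above is built by reading the log by eye: BHOs whose DLL is gone, Run entries whose path contains characters HijackThis can only print as '?', Trusted Zone additions for rogue-antivirus domains, a DPF entry fetched through ms-its:, and an Active Desktop component backed by a local HTML file. As an added example (not HijackThis code and not the helper's own tooling), the Python script below applies those same heuristics mechanically to a handful of lines copied from the log; the allowlist of where regedit.exe and winword.exe normally live is the editor's assumption, as are the rules themselves.

```python
"""Mechanical triage of HijackThis log lines.

Added example: not HijackThis code and not the helper's own tooling. The
heuristics and the EXPECTED_HOME allowlist are the editor's assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted earlier in
# this thread (URLs left truncated as posted), plus benign entries from the
# same log that the heuristics should leave alone.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0E6BD8DE-4415-0FBB-6554-4E71B6769192} - C:\WINDOWS\System32\nbhzbzs.dll (file missing)
O2 - BHO: (no name) - {7923B4D4-31F5-4996-9F4A-0CD1D4DA4881} - (no file)
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Tza] C:\WINDOWS\?asks\r?gedit.exe
O4 - HKCU\..\Run: [Aaou] "C:\WINDOWS\System32\PPPATC~1\winword.exe" -vt yazb
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/c...::/xpreload.ocx
O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\rtekehd.html
"""

# Where executables that malware likes to impersonate normally live (assumed).
EXPECTED_HOME = {
    "regedit.exe": ("c:\\windows\\regedit.exe",),
    "winword.exe": ("c:\\program files\\microsoft office\\",),
}

LINE_RE = re.compile(r"^([ORFN]\d+)\s+-\s+(.*)$")
QUOTED_PATH = re.compile(r'"([A-Za-z]:\\[^"]*)"')
BARE_PATH = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|ocx|sys|cfg|html?))\b", re.I)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def extract_path(rest: str):
    """First Windows path in an entry, quoted or bare; None if there is none."""
    m = QUOTED_PATH.search(rest) or BARE_PATH.search(rest)
    return m.group(1) if m else None


def triage(log_text: str) -> list:
    """Return one Finding per heuristic hit, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, rest = m.groups()
        path = extract_path(rest)

        def flag(reason):
            findings.append(Finding(section, reason, line))

        if section in ("O2", "O3") and ("(file missing)" in rest or "(no file)" in rest):
            flag("BHO/toolbar registered but its file is gone; dead registration")
        if path and "?" in path:
            # HijackThis prints characters it cannot render as '?'; a path that
            # needs them usually imitates a system name (Tasks\regedit.exe here).
            flag("unprintable characters in path; look-alike of a system location")
        if path:
            name = path.rsplit("\\", 1)[-1].lower()
            homes = EXPECTED_HOME.get(name, ())
            if homes and not any(path.lower().startswith(h) for h in homes):
                flag(f"{name} launched from an unexpected directory")
        if section == "O15":
            flag("site added to the Trusted Zone; confirm it was added on purpose")
        if section == "O16" and re.search(r"\b(?:ms-its|mhtml):", rest, re.I):
            flag("ActiveX download chained through ms-its:/mhtml: to a local file")
        if section == "O24" and re.search(r"[A-Za-z]:\\", rest):
            flag("Active Desktop component backed by a local HTML file")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

The output is a review list, not a verdict: a dead BHO registration is harmless debris that only clutters the log, while a Trusted Zone entry for a rogue-antivirus domain or a Run entry using look-alike characters is the kind of change a user does not make by accident.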

#7
mandy_1803
    New Member
  • Topic Starter
  • Member
  • 5 posts
Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Mon 10/15/2007
The current time is: 18:31:22.09


bak folders found
~~~~~~~~~~~


Directory of C:\CPQS\SCOM\BAK

07/24/2001 05:34 PM 36,864 srmclean.exe
1 File(s) 36,864 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\NORTON~1\BAK

02/27/2002 11:27 AM 75,384 navapw32.exe
1 File(s) 75,384 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

12/26/2005 09:42 PM 155,648 qttask.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

08/14/2002 09:29 PM 290,816 atiptaxx.exe
1 File(s) 290,816 bytes

Directory of C:\PROGRA~1\HPQ\DEFAUL~1\BAK

10/23/2002 05:19 PM 176,197 cpqset.exe
1 File(s) 176,197 bytes

Directory of C:\PROGRA~1\HPQ\NOTEBO~1\BAK

08/15/2002 10:26 AM 45,056 hptasks.exe
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\HPQ\ONE-TO~1\BAK

01/30/2003 06:53 PM 106,496 OneTouch.EXE
1 File(s) 106,496 bytes

Directory of C:\PROGRA~1\SYNAPT~1\SYNTP\BAK

01/03/2003 09:11 AM 577,536 SynTPEnh.exe
01/03/2003 09:12 AM 126,976 SynTPLpr.exe
2 File(s) 704,512 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

03/07/2003 12:57 PM 151,597 realsched.exe
1 File(s) 151,597 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

07/26/2006 03:03 AM 49,263 jusched.exe
1 File(s) 49,263 bytes


12/17/2002 04:28 PM 684,032 DirectCD.exe
1 File(s) 684,032 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

36864 Jul 24 2001 "C:\cpqs\scom\bak\srmclean.exe"
75384 Feb 27 2002 "C:\Program Files\Norton AntiVirus\bak\navapw32.exe"
155648 Dec 26 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
290816 Aug 14 2002 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
176197 Oct 23 2002 "C:\SWSETUP\Default\Cpqset.exe"
176197 Oct 23 2002 "C:\Program Files\HPQ\Default Settings\bak\cpqset.exe"
45056 Aug 15 2002 "C:\Program Files\HPQ\Notebook Utilities\bak\hptasks.exe"
106496 Jan 30 2003 "C:\SWSETUP\OneTouch\ONETOUCH.EXE"
106496 Jan 30 2003 "C:\Program Files\HPQ\One-Touch\bak\OneTouch.EXE"
577536 Jan 3 2003 "C:\SWSETUP\Touchpad\SynTPEnh.exe"
577536 Jan 3 2003 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
126976 Jan 3 2003 "C:\SWSETUP\Touchpad\SynTPLpr.exe"
126976 Jan 3 2003 "C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
151597 Mar 7 2003 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
49263 Jul 26 2006 "C:\Program Files\Java\jre1.5.0_08\bin\bak\jusched.exe"
684032 Dec 17 2002 "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe"


end of report


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:41:08 PM, on 10/15/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\James\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presari...t...c02&lc=0409
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_6_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_6_2_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [{6E-EF-F7-78-ZN}] C:\windows\system32\dwdsrngt.exe CHD003
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Tza] C:\WINDOWS\?asks\r?gedit.exe
O4 - HKCU\..\Run: [Aaou] "C:\WINDOWS\System32\PPPATC~1\winword.exe" -vt yazb
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Advisor - {2516874A-8BF8-4FF9-865A-D7D5C67FFADE} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: Yahoo! Pool 2 - http://download2.gam...ts/y/poti_x.cab
O16 - DPF: Yahoo! Pyramids - http://download2.gam...ts/y/pyt1_x.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab46479.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.driveclea...leanerstart.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/...dy.cab32846.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/...bGameLoader.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab32846.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1192240963212
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/...of.cab40641.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab53083.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...xy.cab41227.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://zone.msn.com/...sh.1.0.0.89.cab
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/c...::/xpreload.ocx
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O20 - AppInit_DLLs:
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\rtekehd.html

--
End of file - 7513 bytes

Attached Files


Edited by mandy_1803, 15 October 2007 - 05:37 PM.

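The FindAWF report above lists the `bak` folders the downloader created next to the executables it swapped, and in its second section the other copies of those files elsewhere on disk (the SWSETUP vendor copies). The decision the helper makes next is which live executables actually differ from their backups. As an added example, not FindAWF's code and not part of the original thread, the Python script below walks a directory tree, hashes every file in a `bak` folder against its live sibling, counts corroborating copies outside any `bak` folder, and restores only the replaced ones after setting the current binary aside. The sample tree it builds in a temporary directory is constructed to mirror two entries of the report, and the `.awf_quarantine` suffix is the editor's choice.

```python
"""Check files in 'bak' folders against their live siblings and restore swaps.

Added example modelled on the FindAWF report above; not FindAWF's own code.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

QUARANTINE_SUFFIX = ".awf_quarantine"   # assumed naming, not FindAWF's


def sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def corroborating_copies(root: Path, backup: Path) -> list:
    """Files outside any 'bak' folder with the same size and hash as the backup
    (the equivalent of the report's 'Duplicate files' section)."""
    size, digest = backup.stat().st_size, sha256(backup)
    return [str(p) for p in sorted(root.rglob("*"))
            if p.is_file() and "bak" not in p.parts
            and p.stat().st_size == size and sha256(p) == digest]


def scan_bak_folders(root) -> list:
    """One record per backed-up file: is the live sibling identical, replaced or missing?"""
    root = Path(root)
    records = []
    for bak in sorted(p for p in root.rglob("bak") if p.is_dir()):
        for backup in sorted(p for p in bak.iterdir() if p.is_file()):
            live = bak.parent / backup.name
            if not live.exists():
                status = "missing"
            elif sha256(live) == sha256(backup):
                status = "identical"
            else:
                status = "replaced"
            records.append({
                "live": str(live),
                "status": status,
                "backup_size": backup.stat().st_size,
                "corroborating": len(corroborating_copies(root, backup)),
            })
    return records


def restore_replaced(records, dry_run=True) -> list:
    """Put the backup back where the live file was replaced. The swapped-in
    binary is renamed, not deleted, so it can still be submitted for analysis."""
    restored = []
    for r in records:
        if r["status"] != "replaced":
            continue
        live = Path(r["live"])
        backup = live.parent / "bak" / live.name
        if not dry_run:
            live.rename(live.with_name(live.name + QUARANTINE_SUFFIX))
            shutil.copy2(backup, live)
        restored.append(str(live))
    return restored


def build_sample_tree() -> Path:
    """Constructed tree mirroring two entries of the report: qttask.exe was
    swapped for a dropper; SynTPEnh.exe is intact and has a vendor copy in SWSETUP."""
    tmp = Path(tempfile.mkdtemp(prefix="awf_demo_"))
    original = b"MZ original qttask " * 64
    dropper = b"MZ downloader stub " * 64      # same length, different content
    syntp = b"MZ SynTPEnh original " * 64
    for rel, data in {
        "Program Files/QuickTime/bak/qttask.exe": original,
        "Program Files/QuickTime/qttask.exe": dropper,
        "Program Files/Synaptics/SynTP/bak/SynTPEnh.exe": syntp,
        "Program Files/Synaptics/SynTP/SynTPEnh.exe": syntp,
        "SWSETUP/Touchpad/SynTPEnh.exe": syntp,
    }.items():
        p = tmp / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return tmp


def demo():
    """Scan the sample tree, restore, rescan; returns (before, restored, after)."""
    root = build_sample_tree()
    try:
        before = scan_bak_folders(root)
        restored = restore_replaced(before, dry_run=False)
        after = scan_bak_folders(root)
    finally:
        shutil.rmtree(root)
    return before, restored, after


if __name__ == "__main__":
    before, restored, after = demo()
    for r in before:
        print(f'{r["status"]:9} corroborating={r["corroborating"]} {r["live"]}')
    print("restored:", restored)
```

A size match alone is what the report prints, and it is not enough: the constructed dropper above is exactly the size of the file it replaced, and only the hash comparison separates them. The corroborating count matters the other way round: a backup that also matches an untouched vendor copy (SWSETUP here) is worth trusting, while a backup with no other copy anywhere deserves a second look before it is put back into a startup path.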

#8
sari
    GeekU Admin
  • Community Leader
  • 21,805 posts
  • MVP
mandy_1803,

I apologize for the long delay - I've just been very busy in real life. You're looking better, but we still need a bit more clean up.

A. Please RUN HijackThis
  • Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:

    O4 - HKLM\..\Run: [{6E-EF-F7-78-ZN}] C:\windows\system32\dwdsrngt.exe CHD003
    O4 - HKCU\..\Run: [Tza] C:\WINDOWS\?asks\r?gedit.exe
    O4 - HKCU\..\Run: [Aaou] "C:\WINDOWS\System32\PPPATC~1\winword.exe" -vt yazb
    O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.driveclea...leanerstart.cab
    O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/c...::/xpreload.ocx
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
    O20 - AppInit_DLLs:
    O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\rtekehd.html

  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

B. 1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\kndsrngn.exe
C:\WINDOWS\system32\lndsrngs.exe
C:\Program Files\Common Files\rtekehd.html

Folder::
C:\WINDOWS\system32\vMW02a
C:\Temp\xOe

Driver::

ADS::

Registry::



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
Please don't attach the combofix log - if you copy and paste it into your reply it's much easier for me to analyze!

Thanks,

sari