Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Outer Info and Internet Speed Monitor Malaware [RESOLVED]

Started by Compz , Feb 06 2008 08:27 PM

This topic is locked

#1
Compz

Posted 06 February 2008 - 08:27 PM

Member

Member
14 posts

Hi

I have tried your suggestions and still have a slow computer a few lingering Spyware and Adware viruses. I was looking through some free layouts from my myspace page on hotfreelayouts.com website when I noticed the next day that my computer was running extremely slow and the Internet was turning on by itself and I was getting outerinfo and internet speed monitor pop ups. I have already uninstalled internet speed monitor and outer info. I have run superantispyware, malaware, panda scan and the highjack scan which you can see the logs below. I would appreciate any help you can provide so my computer can get rid of these viruses soon.

Thanks,
Compz

Superantispyware Log:
SUPERAntiSpyware Scan Log
Generated 02/06/2008 at 02:58 AM

Application Version : 3.6.1000

Core Rules Database Version : 3396
Trace Rules Database Version: 1388

Scan type : Complete Scan
Total Scan Time : 03:57:40

Memory items scanned : 338
Memory threats detected : 8
Registry items scanned : 4233
Registry threats detected : 34
File items scanned : 144506
File threats detected : 117

Trojan.Vundo/Variant-Installer/A
C:\WINDOWS\SYSTEM32\KHHFC.DLL
C:\WINDOWS\SYSTEM32\KHHFC.DLL
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\PROGRAM FILES\ROXIO\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\ROXIO\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\ADOBE\PHOTOSHOP ALBUM STARTER EDITION\3.2\APPS\APDPROXY.EXE
C:\PROGRAM FILES\ADOBE\PHOTOSHOP ALBUM STARTER EDITION\3.2\APPS\APDPROXY.EXE
C:\PROGRAM FILES\QUICKTIME\QTTASK .EXE
C:\PROGRAM FILES\QUICKTIME\QTTASK .EXE
C:\PROGRAM FILES\ITUNES\ITUNESHELPER.EXE
C:\PROGRAM FILES\ITUNES\ITUNESHELPER.EXE
[ATIPTA] C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
[TV Now] C:\PROGRAM FILES\HPQ\NOTEBOOK UTILITIES\TVNOW.EXE
C:\PROGRAM FILES\HPQ\NOTEBOOK UTILITIES\TVNOW.EXE
[Display Settings] C:\PROGRAM FILES\HPQ\NOTEBOOK UTILITIES\HPTASKS.EXE
C:\PROGRAM FILES\HPQ\NOTEBOOK UTILITIES\HPTASKS.EXE
[SynTPLpr] C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
[SynTPEnh] C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
[AdaptecDirectCD] C:\PROGRAM FILES\ROXIO\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
[RealTray] C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
[Adobe Photo Downloader] C:\PROGRAM FILES\ADOBE\PHOTOSHOP ALBUM STARTER EDITION\3.2\APPS\APDPROXY.EXE
[Adobe Reader Speed Launcher] C:\PROGRAM FILES\ADOBE\READER 8.0\READER\READER_SL.EXE
C:\PROGRAM FILES\ADOBE\READER 8.0\READER\READER_SL.EXE
[QuickTime Task] C:\PROGRAM FILES\QUICKTIME\QTTASK .EXE
[iTunesHelper] C:\PROGRAM FILES\ITUNES\ITUNESHELPER.EXE
[MSMSGS] C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\Directcd.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\Directcd.exe#Path
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\MSMSGS.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\MSMSGS.EXE#Path
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\RealPlay.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\RealPlay.exe#Path
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\TvNow.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\TvNow.exe#Path
C:\DOCUMENTS AND SETTINGS\MAGDA ZAPATA\LOCAL SETTINGS\TEMP\RCX1C.TMP
C:\DOCUMENTS AND SETTINGS\MAGDA ZAPATA\LOCAL SETTINGS\TEMP\RCX1F.TMP
C:\DOCUMENTS AND SETTINGS\MAGDA ZAPATA\LOCAL SETTINGS\TEMP\RCX22.TMP
C:\DOCUMENTS AND SETTINGS\MAGDA ZAPATA\LOCAL SETTINGS\TEMP\RCX25.TMP
C:\DOCUMENTS AND SETTINGS\MAGDA ZAPATA\LOCAL SETTINGS\TEMP\RCX29.TMP
C:\DOCUMENTS AND SETTINGS\MAGDA ZAPATA\LOCAL SETTINGS\TEMP\RCX2C.TMP
C:\DOCUMENTS AND SETTINGS\MAGDA ZAPATA\LOCAL SETTINGS\TEMP\RCX32.TMP
C:\PROGRAM FILES\QUICKTIME\QTTASK .EXE
C:\PROGRAM FILES\QUICKTIME\QTTASK .EXE
C:\PROGRAM FILES\QUICKTIME\QTTASK .EXE
C:\PROGRAM FILES\QUICKTIME\QTTASK .EXE
C:\PROGRAM FILES\QUICKTIME\QTTASK .EXE
C:\PROGRAM FILES\QUICKTIME\QTTASK .EXE
C:\PROGRAM FILES\QUICKTIME\QTTASK .EXE
C:\PROGRAM FILES\QUICKTIME\QTTASK .EXE
C:\PROGRAM FILES\QUICKTIME\QTTASK.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP89\A0017623.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP89\A0017627.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP89\A0017631.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP89\A0017634.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP89\A0017635.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP89\A0017636.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP89\A0017637.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP89\A0017638.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP89\A0017639.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP89\A0017640.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP89\A0017641.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP89\A0017643.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP89\A0017897.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP89\A0017901.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP89\A0017904.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP89\A0017905.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP89\A0017906.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP89\A0017907.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP89\A0017908.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP89\A0017909.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP89\A0017910.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP89\A0017911.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP89\A0017912.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP89\A0017913.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP89\A0017914.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP89\A0017940.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP89\A0017948.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP91\A0017979.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP91\A0017985.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP91\A0017990.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP91\A0017991.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP91\A0017994.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP91\A0017995.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP91\A0017998.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP91\A0017999.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP91\A0018000.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP91\A0018001.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP91\A0018003.EXE
C:\WINDOWS\MROFINU72.EXE.TMP
C:\WINDOWS\Prefetch\ITUNESHELPER.EXE-15823303.pf

Trojan.Vundo/Variant-Installer
[Cpqset] C:\PROGRAM FILES\HPQ\DEFAULT SETTINGS\CPQSET.EXE
C:\PROGRAM FILES\HPQ\DEFAULT SETTINGS\CPQSET.EXE
[PreloadApp] C:\HP\DRIVERS\PRINTERS\PHOTOSMART\HPHPRLD.EXE
C:\HP\DRIVERS\PRINTERS\PHOTOSMART\HPHPRLD.EXE
[srmclean] C:\CPQS\SCOM\SRMCLEAN.EXE
C:\CPQS\SCOM\SRMCLEAN.EXE
[Aaou] C:\PROGRA~1\COMMON~1\CROSOF~1\WINSPOOL.EXE
C:\PROGRA~1\COMMON~1\CROSOF~1\WINSPOOL.EXE
[load] C:\WINDOWS\SYSTEM32\KHHFC.EXE
C:\WINDOWS\SYSTEM32\KHHFC.EXE
C:\DOCUMENTS AND SETTINGS\MAGDA ZAPATA\APPLICATION DATA\ICROSO~1\REGEDIT.EXE
C:\DOCUMENTS AND SETTINGS\MAGDA ZAPATA\LOCAL SETTINGS\TEMP\TMP3B.TMP
C:\PROGRAM FILES\COMMON FILES\CROSOF~1\WINSPOOL.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP89\A0017628.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP89\A0017629.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP89\A0017632.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP89\A0017633.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP89\A0017645.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP89\A0017899.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP89\A0017900.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP89\A0017902.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP89\A0017903.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP89\A0017935.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP91\A0017982.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP91\A0017984.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP91\A0017987.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP91\A0017988.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP91\A0018004.EXE
C:\WINDOWS\SYSTEM32\RCX34.TMP
C:\WINDOWS\SYSTEM32\RCX37.TMP
C:\WINDOWS\Prefetch\WINSPOOL.EXE-17017B16.pf

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}
HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32
HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\RQRSSRS.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}

Adware.Tracking Cookie
C:\Documents and Settings\Magda Zapata\Cookies\magda [email protected][1].txt
C:\Documents and Settings\Magda Zapata\Cookies\magda zapata@doubleclick[1].txt
C:\Documents and Settings\Magda Zapata\Cookies\magda zapata@2o7[1].txt
C:\Documents and Settings\Magda Zapata\Cookies\magda zapata@directtrack[1].txt
C:\Documents and Settings\Magda Zapata\Cookies\magda [email protected][1].txt
C:\Documents and Settings\Magda Zapata\Cookies\magda [email protected][1].txt

Adware.ClickSpring
HKLM\Software\ClickSpring
HKLM\Software\ClickSpring#UBWKR
C:\DOCUMENTS AND SETTINGS\MAGDA ZAPATA\LOCAL SETTINGS\TEMP\!UPDATE.EXE
C:\DOCUMENTS AND SETTINGS\MAGDA ZAPATA\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\WTQBC14B\!UPDATE-4495[1].0000

Adware.ClickSpring-Variant
C:\DOCUMENTS AND SETTINGS\MAGDA ZAPATA\APPLICATION DATA\ICROSO~1\REGEDIT .EXE
C:\DOCUMENTS AND SETTINGS\MAGDA ZAPATA\LOCAL SETTINGS\TEMP\TMP27.TMP
C:\DOCUMENTS AND SETTINGS\MAGDA ZAPATA\LOCAL SETTINGS\TEMP\TMP4.TMP
C:\DOCUMENTS AND SETTINGS\MAGDA ZAPATA\LOCAL SETTINGS\TEMP\TMP5.TMP
C:\PROGRAM FILES\COMMON FILES\CROSOF~1\WINSPOOL .EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP89\A0017567.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP89\A0017661.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP89\A0017930.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP90\A0017954.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP91\A0017964.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP91\A0017997.EXE

Adware.OuterInfo-Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP90\A0017956.EXE

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\NUYQEXS.DLL

Panda Scan Log:

Incident Status Location

Adware:Adware/PurityScan Not disinfected c:\progra~1\common~1\crosof~1\winspool.exe
Adware:Adware/Yazzle Not disinfected C:\Documents and Settings\Magda Zapata\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.14930
Adware:Adware/Yazzle Not disinfected C:\Documents and Settings\Magda Zapata\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.29598
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Magda Zapata\Cookies\magda [email protected][2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Magda Zapata\Cookies\magda zapata@doubleclick[1].txt
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Magda Zapata\Local Settings\Temp\!update.exe
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Magda Zapata\Local Settings\Temp\TMP34.tmp
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Magda Zapata\Local Settings\Temporary Internet Files\Content.IE5\2LMNSB8D\!update-4495[1].0000
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Magda Zapata\Local Settings\Temporary Internet Files\Content.IE5\WD87WRCF\!update-4495[1].0000
Adware:Adware/PurityScan Not disinfected C:\Program Files\Common Files\??crosoft\winspool.exe
Possible Virus. Not disinfected C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
Adware:Adware/Yazzle

Hijack This Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:17:38 PM, on 2/6/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\Synaptics\SynTP\SynTPLpr .exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
C:\Documents and Settings\Magda Zapata\My Documents\?ymantec\n?tdde.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\PROGRA~1\COMMON~1\CROSOF~1\winspool.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.att.net/i...arch/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/Home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
F3 - REG:win.ini: load=C:\WINDOWS\System32\khhfc.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Scvpt] "C:\Documents and Settings\Magda Zapata\My Documents\?ymantec\n?tdde.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Aaou] "C:\PROGRA~1\COMMON~1\CROSOF~1\winspool.exe" -vt ndrv
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZKxdm021YYUS
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 5981 bytes

#2
miekiemoes

Posted 07 February 2008 - 08:44 AM

Malware Expert

Member
5,503 posts

Hi,

I understand that you need help in order to get rid of the malware that is present on your system - But you need to help us first..
I notice that you never scanned with an Antivirus previously before starting this thread - because you don't even have an Antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!

* Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There doubleclick the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThislog.
Then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an Antivirusscan is not present which should be able to deal with most and prevent further reinfection.

#3
Compz

Posted 07 February 2008 - 11:06 AM

Member

Topic Starter
Member
14 posts

Thank you very much for that suggestion. I had one and never renewed the subscription. I will download the anitvirus program you suggested and post the AV log.

Thanks!
Compz

#4
miekiemoes

Posted 07 February 2008 - 11:19 AM

Malware Expert

Member
5,503 posts

I had one and never renewed the subscription.

And that's how you got infected, because nothing was preventing the infection.

Anyway, I'll read your logs afterwards

#5
Compz

Posted 07 February 2008 - 08:42 PM

Member

Topic Starter
Member
14 posts

Hi,

I have downloaded Antivir and down below is a log for the antivir scan and also a new hijackthis log. I wanted to report that when I rebooted the computer after the scan, I got a message saying the exe file for anitvir could not be found. I opened up the desktop shortcut and it seemed like was working fine. I don't know if the exe file is just damaged from the virus. Can you please help me out? Thank you very much for your help!

Antivir Scan Log:

AntiVir PersonalEdition Classic
Report file date: Thursday, February 07, 2008 19:58

Scanning for 835736 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 1) [5.1.2600]
Username: SYSTEM
Computer name: LABTOPDREAM

Version information:
BUILD.DAT : 270 15603 Bytes 9/19/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 8/23/2007 19:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 8/16/2007 18:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 8/14/2007 21:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 8/21/2007 18:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 20:27:15
ANTIVIR1.VDF : 7.0.0.0 1640448 Bytes 9/13/2007 20:26:55
ANTIVIR2.VDF : 7.0.0.1 2048 Bytes 9/13/2007 20:27:04
ANTIVIR3.VDF : 7.0.0.2 2048 Bytes 9/13/2007 20:27:13
AVEWIN32.DLL : 7.6.0.15 2806272 Bytes 9/17/2007 23:43:56
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 16:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 7/18/2007 13:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 19:16:24
AVPACK32.DLL : 7.3.0.15 360488 Bytes 8/3/2007 14:46:00
AVREG.DLL : 7.0.1.6 30760 Bytes 7/18/2007 13:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 8/28/2007 18:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 7/18/2007 13:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 17:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 8/7/2007 18:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 8/21/2007 18:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 7/23/2007 15:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Thursday, February 07, 2008 19:58

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'webshots.scr' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'SonyTray.exe' - '1' Module(s) have been scanned
Scan process 'SUPERAntiSpyware .exe' - '1' Module(s) have been scanned
Scan process 'SUPERAntiSpyware.exe' - '1' Module(s) have been scanned
Scan process 'nеtdde.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper .exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'wanmpsvc.exe' - '1' Module(s) have been scanned
Scan process 'QTTask .exe' - '1' Module(s) have been scanned
Scan process 'HPWirelessMgr.exe' - '1' Module(s) have been scanned
Scan process 'Reader_sl .exe' - '1' Module(s) have been scanned
Scan process 'QTTask .exe' - '1' Module(s) have been scanned
Scan process 'SynTPEnh .exe' - '1' Module(s) have been scanned
Scan process 'apdproxy .exe' - '1' Module(s) have been scanned
Scan process 'HPConfig.exe' - '1' Module(s) have been scanned
Scan process 'Reader_sl.exe' - '1' Module(s) have been scanned
Scan process 'SynTPLpr .exe' - '1' Module(s) have been scanned
Scan process 'apdproxy.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'SynTPLpr.exe' - '1' Module(s) have been scanned
Scan process 'carpserv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
42 processes with 42 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '39' files ).

Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Magda Zapata\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.14930
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47eca9f5.qua'!
C:\Documents and Settings\Magda Zapata\Local Settings\Temp\!update.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '481baa43.qua'!
C:\Documents and Settings\Magda Zapata\Local Settings\Temp\TMP34.tmp
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47fbaa44.qua'!
C:\Documents and Settings\Magda Zapata\Local Settings\Temp\TMP460.tmp
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47fbaa45.qua'!
C:\Documents and Settings\Magda Zapata\Local Settings\Temp\TMP55.tmp
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47fbaa46.qua'!
C:\Documents and Settings\Magda Zapata\Local Settings\Temporary Internet Files\Content.IE5\2LMNSB8D\!update-4495[1].0000
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '481baa71.qua'!
C:\Documents and Settings\Magda Zapata\Local Settings\Temporary Internet Files\Content.IE5\WD87WRCF\!update-4495[1].0000
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '481bb2ff.qua'!
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP89\A0017892.dll
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47dbbbfb.qua'!
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP89\A0017914.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '47dbbc00.qua'!
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP92\A0018015.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47dbbc0b.qua'!
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP92\A0018016.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47dbbc0c.qua'!
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP92\A0018017.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '46b1ea5d.qua'!
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP92\A0018020.dll
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47dbbc0e.qua'!
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP92\A0018059.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47dbbc11.qua'!
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP92\A0018189.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47dbbc22.qua'!
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP92\A0018217.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47dbbc26.qua'!
C:\WINDOWS\mrofinu72.exe.tmp
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '481abc78.qua'!
C:\WINDOWS\system32\ActiveScan\pskavs.dll
[DETECTION] Contains detection pattern of the Windows virus W95/Blumblebee.1738
[INFO] The file was moved to '4816bd96.qua'!

End of the scan: Thursday, February 07, 2008 21:24
Used time: 1:25:21 min

The scan has been done completely.

3848 Scanning directories
252434 Files were scanned
3 viruses and/or unwanted programs were found
15 Files were classified as suspicious:
0 files were deleted
0 files were repaired
18 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
252431 Files not concerned
7572 Archives were scanned
2 Warnings
6 Notes

Hijackthis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:35:53 PM, on 2/7/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr .exe
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Documents and Settings\Magda Zapata\My Documents\?ymantec\n?tdde.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.att.net/i...arch/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/Home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
F3 - REG:win.ini: load=C:\WINDOWS\System32\khhfc.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Scvpt] "C:\Documents and Settings\Magda Zapata\My Documents\?ymantec\n?tdde.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZKxdm021YYUS
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6286 bytes

#6
miekiemoes

Posted 08 February 2008 - 03:05 AM

Malware Expert

Member
5,503 posts

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#7
Compz

Posted 09 February 2008 - 04:53 PM

Member

Topic Starter
Member
14 posts

Hi

Down below I have posted my ComboFix log and my Hijack This Log. I have also deleted some of the programs that got infected like the SuperAntispyware, ITUNES, Real Player, Quicktime, AntiMalaware, AntiVir. Please note I have dowloaded the Antivir Program again. Thanks for your help again!

Combo Fix Log:

ComboFix 08-02.05.3 - Magda Zapata 2008-02-09 13:59:45.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.33 [GMT -5:00]
Running from: C:\Documents and Settings\Magda Zapata\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Magda Zapata\Application Data\FunWebProducts
C:\Documents and Settings\Magda Zapata\Application Data\ICROSO~1
C:\Documents and Settings\Magda Zapata\My Documents\YMANTE~1
C:\Documents and Settings\Magda Zapata\My Documents\YMANTE~1\n?tdde.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\crosof~1
C:\Program Files\Common Files\crosof~1\??crosoft\
C:\Program Files\HPQ\Notebook Utilities\hptasks.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\system32\bwuchoky.dll
C:\WINDOWS\system32\cfhhk.ini
C:\WINDOWS\system32\cfhhk.ini2
C:\WINDOWS\system32\gqjslkxf.dll
C:\WINDOWS\system32\hgbcqbbv.dll
C:\WINDOWS\system32\hjvkxxfx.dll
C:\WINDOWS\system32\khhfc.dll
C:\WINDOWS\system32\khhfc.exe
C:\WINDOWS\system32\kvwcslbm.dll
C:\WINDOWS\system32\legtqxax.dll
C:\WINDOWS\system32\lvapnast.ini
C:\WINDOWS\system32\mblscwvk.ini
C:\WINDOWS\system32\nfxjiliv.dll
C:\WINDOWS\system32\owxixgud.dll
C:\WINDOWS\system32\skfiiren.dll
C:\WINDOWS\system32\sodrjhjy.ini
C:\WINDOWS\system32\vbbqcbgh.ini
C:\WINDOWS\system32\vcaucyyl.dll
C:\WINDOWS\system32\vilijxfn.ini
C:\WINDOWS\system32\xaxqtgel.ini
C:\WINDOWS\system32\xmqbvsre.dll
C:\WINDOWS\system32\yjhjrdos.dll

.
((((((((((((((((((((((((( Files Created from 2008-01-09 to 2008-02-09 )))))))))))))))))))))))))))))))
.

2008-02-09 13:56 . 2002-08-29 01:05 245,920 --a------ C:\cmldr
2008-02-07 19:46 . 2008-02-07 19:46 <DIR> d-------- C:\Program Files\Avira
2008-02-07 19:46 . 2008-02-07 19:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-02-06 21:17 . 2008-02-06 21:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-06 19:20 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-06 18:55 . 2008-02-07 21:23 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-06 18:55 . 2008-02-06 18:55 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-06 18:55 . 2008-02-06 18:55 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-06 18:55 . 2008-02-06 18:55 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-06 18:55 . 2008-02-06 18:55 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-05 22:57 . 2008-02-05 22:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-05 22:56 . 2008-02-09 14:00 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-05 22:56 . 2008-02-05 22:56 <DIR> d-------- C:\Documents and Settings\Magda Zapata\Application Data\SUPERAntiSpyware.com
2008-02-05 22:55 . 2008-02-05 22:55 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-05 19:02 . 2008-02-05 19:02 90,688 --------- C:\WINDOWS\system32\eamxopjk.dll
2008-02-05 18:56 . 2008-02-05 18:56 90,688 --------- C:\WINDOWS\system32\qssqsjrc.dll
2008-02-05 18:54 . 2008-02-05 18:54 <DIR> d-------- C:\Documents and Settings\Magda Zapata\Application Data\Malwarebytes
2008-02-05 18:53 . 2008-02-05 18:54 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-02-05 18:53 . 2008-02-05 18:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-05 00:02 . 2008-02-05 00:02 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-02-03 14:10 . 2008-02-03 14:10 270,698 --a------ C:\WINDOWS\system32\L198.tmp
2008-02-03 14:10 . 2008-02-03 14:10 181,965 --a------ C:\WINDOWS\system32\LF745.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-09 19:04 --------- d-----w C:\Program Files\QuickTime
2008-02-09 19:04 --------- d-----w C:\Program Files\iTunes
2008-02-07 01:37 --------- d-----w C:\Program Files\Webshots
2008-02-05 05:53 --------- d-----w C:\Program Files\HPQ
2008-02-05 05:50 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-07 03:45 --------- d-----w C:\Program Files\iPod
2007-09-20 02:37 1,695,432 ----a-w C:\Program Files\InstallMusicnotesPlayer_v_1_23_1.exe
2007-09-20 02:32 198,232 ----a-w C:\Program Files\SetupMusicnotesViewerIE.exe
.

<pre>
----a-w			36,864 2008-02-06 03:46:00  C:\cpqs\scom\srmclean .exe
----a-w			36,864 2008-02-06 03:45:56  C:\hp\drivers\printers\photosmart\hphprld .exe
----a-w			63,712 2008-02-09 18:37:36  C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
----a-w			39,792 2008-02-09 18:37:40  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w		   290,816 2008-02-09 18:37:21  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
----a-w		   249,896 2008-02-09 18:38:37  C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt .exe
----a-w		   180,316 2008-02-06 03:45:49  C:\Program Files\HPQ\Default Settings\cpqset .exe
----a-w			45,056 2008-02-09 18:37:23  C:\Program Files\HPQ\Notebook Utilities\hptasks .exe
----a-w		   282,624 2008-02-06 10:02:20  C:\Program Files\HPQ\Notebook Utilities\TvNow .exe
----a-w		   267,048 2008-02-09 18:38:12  C:\Program Files\iTunes\iTunesHelper .exe
----a-w		 1,511,453 2008-02-06 10:03:20  C:\Program Files\Messenger\msmsgs .exe
----a-w		   654,848 2008-02-08 02:30:26  C:\Program Files\QuickTime\QTTask				  .exe
----a-w		   654,848 2008-02-08 00:55:00  C:\Program Files\QuickTime\QTTask				 .exe
----a-w		   654,848 2008-02-08 00:26:14  C:\Program Files\QuickTime\QTTask				.exe
----a-w		   654,848 2008-02-07 02:35:42  C:\Program Files\QuickTime\QTTask			   .exe
----a-w		   654,848 2008-02-06 23:48:45  C:\Program Files\QuickTime\QTTask			  .exe
----a-w		   654,848 2008-02-06 10:23:12  C:\Program Files\QuickTime\QTTask			 .exe
----a-w		   654,848 2008-02-06 10:03:59  C:\Program Files\QuickTime\QTTask			.exe
----a-w		   654,848 2008-02-06 09:55:41  C:\Program Files\QuickTime\QTTask		   .exe
----a-w		   654,848 2008-02-06 09:22:16  C:\Program Files\QuickTime\QTTask		  .exe
----a-w		   654,848 2008-02-06 03:47:19  C:\Program Files\QuickTime\QTTask		 .exe
----a-w		   654,848 2008-02-06 01:55:20  C:\Program Files\QuickTime\QTTask		.exe
----a-w		   654,848 2008-02-05 22:50:44  C:\Program Files\QuickTime\QTTask	   .exe
----a-w		   654,848 2008-02-05 06:22:57  C:\Program Files\QuickTime\QTTask	  .exe
----a-w		   654,848 2008-02-05 05:54:33  C:\Program Files\QuickTime\QTTask	 .exe
----a-w		   654,848 2008-02-05 05:40:27  C:\Program Files\QuickTime\QTTask	.exe
----a-w		   654,848 2008-02-05 05:30:48  C:\Program Files\QuickTime\QTTask   .exe
----a-w		   654,848 2008-02-05 05:09:26  C:\Program Files\QuickTime\QTTask  .exe
----a-w		   654,848 2008-02-05 04:57:55  C:\Program Files\QuickTime\QTTask .exe
----a-w			26,112 2008-02-06 10:02:44  C:\Program Files\Real\RealPlayer\RealPlay .exe
----a-w		   684,032 2008-02-06 10:02:31  C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD .exe
----a-w		 1,310,720 2008-02-09 18:39:21  C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
----a-w		   634,880 2008-02-09 18:37:31  C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
----a-w		   110,592 2008-02-09 18:37:26  C:\Program Files\Synaptics\SynTP\SynTPLpr .exe
</pre>

-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"Scvpt"="C:\Documents and Settings\Magda Zapata\My Documents\?ymantec\n?tdde.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2002-06-11 16:14 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"CARPService"="carpserv.exe" [2003-04-14 20:00 4608 C:\WINDOWS\system32\carpserv.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"AutoTBar"="C:\hp\bin\autotbar.exe" [ ]
"TV Now"="C:\Program Files\HPQ\Notebook Utilities\TvNow.exe" [ ]
"Display Settings"="C:\Program Files\HPQ\Notebook Utilities\hptasks.exe" [ ]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [ ]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [ ]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [ ]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [ ]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [ ]

C:\Documents and Settings\Magda Zapata\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2005-10-22 17:44:17 45056]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Billminder.lnk - C:\Program Files\Quicken\billmind.exe [2002-09-20 11:19:46 36864]
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [2006-01-07 16:55:57 73728]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 10:05:56 65588]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2002-09-20 11:20:02 53248]
Quicken Startup.lnk - C:\Program Files\Quicken\QWDLLS.EXE [2002-09-20 11:20:06 36864]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrssrs]
rqrssrs.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

R0 avgntmgr;avgntmgr;C:\WINDOWS\System32\DRIVERS\avgntmgr.sys [2007-07-18 14:22]
R1 avgntdd;avgntdd;C:\WINDOWS\System32\DRIVERS\avgntdd.sys [2007-08-09 13:04]
R3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;C:\WINDOWS\System32\drivers\caliaud.sys [2002-11-05 10:04]
R3 CALIHALA;CALIHALA;C:\WINDOWS\System32\drivers\calihal.sys [2002-11-05 10:04]
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;C:\WINDOWS\System32\DRIVERS\DP83815.SYS [2002-08-28 19:00]

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-09 14:16:47
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\Webshots\webshots.scr
.
**************************************************************************
.
Completion time: 2008-02-09 14:23:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-09 19:23:22

Hijack This Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:43:26 PM, on 2/9/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/Home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Scvpt] "C:\Documents and Settings\Magda Zapata\My Documents\?ymantec\n?tdde.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZKxdm021YYUS
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O20 - Winlogon Notify: rqrssrs - rqrssrs.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 3545 bytes

#8
miekiemoes

Posted 09 February 2008 - 05:15 PM

Malware Expert

Member
5,503 posts

Hi,

Down below I have posted my ComboFix log and my Hijack This Log. I have also deleted some of the programs that got infected like the SuperAntispyware, ITUNES, Real Player, Quicktime, AntiMalaware, AntiVir. Please note I have dowloaded the Antivir Program again. Thanks for your help again!

Yes I know that they got infected. You can reinstall them afterwards again once your system is clean again, because as long as the infection is present and active, it will infect the programs again.

Your Quicktime got infected as well. In your case, I suggest you uninstall Quicktime (you can reinstall it afterwards again).
Then delete next folder: C:\Program Files\QuickTime, because it contains a lot of infected exe's. One of them is clean though, but in this case it's better to delete that entire folder and reinstall Quicktime afterwards again since that will be the easiest solution.

We'll restore the other files which are infected if possible.. So please perform next instructions:

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\eamxopjk.dll
C:\WINDOWS\system32\qssqsjrc.dll

RENV::
C:\cpqs\scom\srmclean .exe
C:\hp\drivers\printers\photosmart\hphprld .exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt .exe
C:\Program Files\HPQ\Default Settings\cpqset .exe
C:\Program Files\HPQ\Notebook Utilities\hptasks .exe
C:\Program Files\HPQ\Notebook Utilities\TvNow .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\Real\RealPlayer\RealPlay .exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD .exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\Program Files\Synaptics\SynTP\SynTPLpr .exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Scvpt"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"=-
"QuickTime Task"=-
"iTunesHelper"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrssrs]

Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.

Also, Go to next site:
http://www.virustota.../en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

C:\WINDOWS\system32\LF745.tmp

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results in your next reply as well.

Do the same for this file:

C:\WINDOWS\system32\L198.tmp

#9
Compz

Posted 09 February 2008 - 11:34 PM

Member

Topic Starter
Member
14 posts

Hi,

Thanks again for your suggestions. I have deleted Quick Time and uninstalled the Antivir. I have also added the script to the Combo Fix icon and down below is the log. Also, I was able to get a scan on the L198.tmp file but it says the other file can't be found. You can find the L198.tmp scan results below.

Thanks,
Compz

Combo Fix Log:

ComboFix 08-02.05.3 - Magda Zapata 2008-02-10 0:13:41.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.72 [GMT -5:00]
Running from: C:\Documents and Settings\Magda Zapata\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Magda Zapata\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\eamxopjk.dll
C:\WINDOWS\system32\qssqsjrc.dll
.

((((((((((((((((((((((((( Files Created from 2008-01-10 to 2008-02-10 )))))))))))))))))))))))))))))))
.

2008-02-09 13:56 . 2002-08-29 01:05 245,920 --a------ C:\cmldr
2008-02-09 13:52 . 2002-08-28 21:00 375,808 --a------ C:\kmd.exe
2008-02-07 19:46 . 2008-02-10 00:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-02-06 21:17 . 2008-02-06 21:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-06 19:20 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-06 18:55 . 2008-02-09 15:09 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-06 18:55 . 2008-02-06 18:55 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-06 18:55 . 2008-02-06 18:55 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-05 22:57 . 2008-02-05 22:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-05 22:56 . 2008-02-05 22:56 <DIR> d-------- C:\Documents and Settings\Magda Zapata\Application Data\SUPERAntiSpyware.com
2008-02-05 18:54 . 2008-02-05 18:54 <DIR> d-------- C:\Documents and Settings\Magda Zapata\Application Data\Malwarebytes
2008-02-05 18:53 . 2008-02-05 18:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-05 00:02 . 2008-02-05 00:02 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-02-03 14:10 . 2008-02-03 14:10 270,698 --a------ C:\WINDOWS\system32\L198.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-09 20:10 --------- d-----w C:\Documents and Settings\Magda Zapata\Application Data\Webshots
2008-02-09 20:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-09 19:34 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-05 05:53 --------- d-----w C:\Program Files\HPQ
2007-09-20 02:37 1,695,432 ----a-w C:\Program Files\InstallMusicnotesPlayer_v_1_23_1.exe
2007-09-20 02:32 198,232 ----a-w C:\Program Files\SetupMusicnotesViewerIE.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-02-06 05:03 1511453]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2002-06-11 16:14 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"CARPService"="carpserv.exe" [2003-04-14 20:00 4608 C:\WINDOWS\system32\carpserv.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-02-09 13:37 290816]
"AutoTBar"="C:\hp\bin\autotbar.exe" [ ]
"TV Now"="C:\Program Files\HPQ\Notebook Utilities\TvNow.exe" [2008-02-06 05:02 282624]
"Display Settings"="C:\Program Files\HPQ\Notebook Utilities\hptasks.exe" [2008-02-09 13:37 45056]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2008-02-06 05:02 684032]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2008-02-09 13:37 63712]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Billminder.lnk - C:\Program Files\Quicken\billmind.exe [2002-09-20 11:19:46 36864]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 10:05:56 65588]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2002-09-20 11:20:02 53248]
Quicken Startup.lnk - C:\Program Files\Quicken\QWDLLS.EXE [2002-09-20 11:20:06 36864]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

R3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;C:\WINDOWS\System32\drivers\caliaud.sys [2002-11-05 10:04]
R3 CALIHALA;CALIHALA;C:\WINDOWS\System32\drivers\calihal.sys [2002-11-05 10:04]
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;C:\WINDOWS\System32\DRIVERS\DP83815.SYS [2002-08-28 19:00]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-10 00:15:33
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-10 0:16:15
ComboFix-quarantined-files.txt 2008-02-10 05:16:04
ComboFix2.txt 2008-02-09 19:23:30

Hijack This Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:31:26 AM, on 2/10/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/Home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZKxdm021YYUS
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 3536 bytes

L198.tmp Scan Results:
File LB978.tmp received on 02.07.2008 17:54:13 (CET)
Current status: finished

Result: 3/31 (9.68%)
Compact Print results
Antivirus Version Last Update Result
AhnLab-V3 2008.2.6.10 2008.02.05 -
AntiVir 7.6.0.62 2008.02.07 -
Authentium 4.93.8 2008.02.06 -
Avast 4.7.1098.0 2008.02.06 -
AVG 7.5.0.516 2008.02.07 -
BitDefender 7.2 2008.02.07 -
CAT-QuickHeal 9.00 2008.02.04 -
ClamAV 0.92 2008.02.07 -
DrWeb 4.44.0.09170 2008.02.07 Adware.SearchAid.origin
eSafe 7.0.15.0 2008.01.28 -
eTrust-Vet 31.3.5518 2008.02.07 -
Ewido 4.0 2008.02.07 -
FileAdvisor 1 2008.02.07 -
Fortinet 3.14.0.0 2008.02.07 -
F-Prot 4.4.2.54 2008.02.06 -
F-Secure 6.70.13260.0 2008.02.07 -
Ikarus T3.1.1.20 2008.02.07 -
Kaspersky 7.0.0.125 2008.02.07 -
McAfee 5224 2008.02.06 -
Microsoft 1.3204 2008.02.07 -
NOD32v2 2856 2008.02.07 Win32/Adware.ISM
Norman 5.80.02 2008.02.07 -
Panda 9.0.0.4 2008.02.07 -
Prevx1 V2 2008.02.07 Generic.Malware
Rising 20.29.22.00 2008.01.30 -
Sophos 4.26.0 2008.02.07 -
Sunbelt 2.2.907.0 2008.02.07 -
TheHacker 6.2.9.211 2008.02.06 -
VBA32 3.12.6.0 2008.02.07 -
VirusBuster 4.3.26:9 2008.02.07 -
Webwasher-Gateway 6.6.2 2008.02.07 -
Additional information
File size: 270698 bytes
MD5: ee5c42ed75354a9627fe32f04127be9d
SHA1: c879f18f0eff8c0fba4d2308686b9ea6edb4cc30
PEiD: -
Prevx info: http://info.prevx.co...E2951007C02802D

ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

#10
miekiemoes

Posted 10 February 2008 - 02:26 AM

Malware Expert

Member
5,503 posts

Hi,

Delete the C:\WINDOWS\system32\L198.tmp file

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL <== not required
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe <== this file is missing
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe <== this file is missing
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZKxdm021YYUS

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then reinstall your Avira again and any other program you have deleted previously (in case you will still use it).

As a final check... * Go here to run an online scannner from ESET.

Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Check next options: Remove found threats and Scan unwanted applications.
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log in your next reply and also let me know how things are now.

#11
Compz

Posted 10 February 2008 - 10:39 AM

Member

Topic Starter
Member
14 posts

Thank you for your suggestions. I have deleted what you have told me on Hijack this. When I went to ESET, it was trying to intialize and then it said there was error with the update. Can you tell me what might have happened?

Thanks
Compz

#12
Compz

Posted 10 February 2008 - 11:37 AM

Member

Topic Starter
Member
14 posts

Hi,

I installed Avira Antivirus and performed a full scan. Down below is a log along with a HijackThis log.

Avira Log:

AntiVir PersonalEdition Classic
Report file date: Sunday, February 10, 2008 11:54

Scanning for 1096761 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 1) [5.1.2600]
Username: SYSTEM
Computer name: LABTOPDREAM

Version information:
BUILD.DAT : 270 15603 Bytes 9/19/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 8/23/2007 19:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 8/16/2007 18:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 8/14/2007 21:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 8/21/2007 18:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 20:27:15
ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 12/14/2007 16:53:53
ANTIVIR2.VDF : 7.0.2.113 1673728 Bytes 2/8/2008 16:53:53
ANTIVIR3.VDF : 7.0.2.114 2048 Bytes 2/8/2008 16:53:53
AVEWIN32.DLL : 7.6.0.62 3240448 Bytes 2/10/2008 16:53:57
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 16:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 7/18/2007 13:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 19:16:24
AVPACK32.DLL : 7.6.0.3 360488 Bytes 2/10/2008 16:53:57
AVREG.DLL : 7.0.1.6 30760 Bytes 7/18/2007 13:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 8/28/2007 18:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 7/18/2007 13:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 17:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 8/7/2007 18:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 8/21/2007 18:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 7/23/2007 15:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Sunday, February 10, 2008 11:54

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'wanmpsvc.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'DirectCD.exe' - '1' Module(s) have been scanned
Scan process 'carpserv.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
23 processes with 23 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '34' files ).

Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP105\A0020673.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP105\A0020674.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was deleted!

End of the scan: Sunday, February 10, 2008 12:28
Used time: 33:16 min

The scan has been done completely.

2524 Scanning directories
167896 Files were scanned
2 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
2 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
167894 Files not concerned
6284 Archives were scanned
2 Warnings
5 Notes

Hijack This Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:32:44 PM, on 2/10/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/Home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Unknown owner - C:\WINDOWS\system32\HPConfig.exe (file missing)
O23 - Service: HPWirelessMgr - Unknown owner - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 3396 bytes

#13
miekiemoes

Posted 10 February 2008 - 11:55 AM

Malware Expert

Member
5,503 posts

Hi,

Yes, it happens frequently that there are problems with the Eset online scan and the update server - so don't worry.
In anyway, I see you reinstalled Avira again and performed a full scan with it - so Avira already deleted the leftovers.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.

#14
Compz

Posted 10 February 2008 - 12:18 PM

Member

Topic Starter
Member
14 posts

Hi,

I have uninstalled Combo Fix. I also uninstalled Windows Messenger. However, I still feel the computer is running a bit slow. Thanks for any help you can provide.

Thanks,
Magda

#15
miekiemoes

Posted 10 February 2008 - 12:26 PM

Malware Expert

Member
5,503 posts

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!