Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

darksma


  • Please log in to reply

#1
rsgard

rsgard

    New Member

  • Member
  • Pip
  • 3 posts
CA Spyware detects it but cleaning it has no effect, here is the log, for some reason im having problems obtaining an uninstall list
If im missing something i apologize ahead of time, its very early in the morning and im trying to fix this laptop for my girlfriend

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:52:04 AM, on 2/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\mshta.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/go...bookaccessories
F3 - REG:win.ini: load=C:\WINDOWS\system32\pmnlj.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file)
O4 - HKLM\..\Run: [BM327f10ca] Rundll32.exe "C:\WINDOWS\system32\jsykpixm.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-4020749451-2679251738-2323731748-1007\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-4020749451-2679251738-2323731748-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-4020749451-2679251738-2323731748-1008\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'mark')
O4 - HKUS\S-1-5-21-4020749451-2679251738-2323731748-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Administrator')
O4 - HKUS\S-1-5-21-4020749451-2679251738-2323731748-501\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Guest')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html (file missing)
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html (file missing)
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html (file missing)
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html (file missing)
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html (file missing)
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1148641823359
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0EF4E53-8684-40C1-91E9-C6FF7155CE89}: NameServer = 192.168.1.1
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8153 bytes
  • 0

Advertisements


#2
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello rsgard

Welcome to G2Go. :)
================
Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
  • 0

#3
rsgard

rsgard

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
ComboFix 08-02-24.4 - mark 2008-02-24 15:04:17.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.144 [GMT -5:00]
Running from: C:\Documents and Settings\mark\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\ablasgvn.dll
C:\WINDOWS\system32\ablrdcgy.dll
C:\WINDOWS\system32\agbeeiqt.dll
C:\WINDOWS\system32\agdffjwa.ini
C:\WINDOWS\system32\ahaorngi.dll
C:\WINDOWS\system32\atonfbjp.ini
C:\WINDOWS\system32\bbixshtd.ini
C:\WINDOWS\system32\bfcpdcob.dll
C:\WINDOWS\system32\bukyitjh.dll
C:\WINDOWS\system32\bybjifvj.dll
C:\WINDOWS\system32\cdgtlvys.ini
C:\WINDOWS\system32\cixhxnut.dll
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\cuxoljpo.ini
C:\WINDOWS\system32\cwgltbyh.dll
C:\WINDOWS\system32\dgrywcot.ini
C:\WINDOWS\system32\din.ip
C:\WINDOWS\system32\drivers\4_stars.gif
C:\WINDOWS\system32\drivers\5_stars.gif
C:\WINDOWS\system32\drivers\alert_icon.gif
C:\WINDOWS\system32\drivers\arrow.gif
C:\WINDOWS\system32\drivers\buy_btn.gif
C:\WINDOWS\system32\drivers\close_icon.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_btn.gif
C:\WINDOWS\system32\drivers\features.gif
C:\WINDOWS\system32\drivers\header_bg.gif
C:\WINDOWS\system32\drivers\icon_warning.gif
C:\WINDOWS\system32\drivers\logo_bg.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\perfect_cleaner_box_small.jpg
C:\WINDOWS\system32\drivers\perfect_cleaner_header.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_header_small.gif
C:\WINDOWS\system32\drivers\protect.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\secuity_center_logo.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\spy_away_box_small.jpg
C:\WINDOWS\system32\drivers\spy_away_header.gif
C:\WINDOWS\system32\drivers\spy_away_header_small.gif
C:\WINDOWS\system32\drivers\users_rating.gif
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\dtowuhme.ini
C:\WINDOWS\system32\duoeafph.dll
C:\WINDOWS\system32\edrpqhbn.ini
C:\WINDOWS\system32\eedtemlp.ini
C:\WINDOWS\system32\eimxkvvp.ini
C:\WINDOWS\system32\emhuwotd.dll
C:\WINDOWS\system32\fauqgoto.ini
C:\WINDOWS\system32\gbgstmgg.ini
C:\WINDOWS\system32\gbhrnwxa.ini
C:\WINDOWS\system32\gnlwkkhj.ini
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\gwdxrewr.dll
C:\WINDOWS\system32\hflysfhu.ini
C:\WINDOWS\system32\hijwfbuj.dll
C:\WINDOWS\system32\idctmfmu.dll
C:\WINDOWS\system32\ifewaovv.ini
C:\WINDOWS\system32\iisrtaay.dll
C:\WINDOWS\system32\jlnmp.ini
C:\WINDOWS\system32\jlnmp.ini2
C:\WINDOWS\system32\jsykpixm.dll
C:\WINDOWS\system32\jvgwnayn.ini
C:\WINDOWS\system32\khgyffwe.ini
C:\WINDOWS\system32\kqnovgng.ini
C:\WINDOWS\system32\kribblki.dll
C:\WINDOWS\system32\lexoistb.ini
C:\WINDOWS\system32\lqyiancm.ini
C:\WINDOWS\system32\mclc.dll
C:\WINDOWS\system32\nayjmemt.ini
C:\WINDOWS\system32\nkarpsrr.ini
C:\WINDOWS\system32\owevsfnh.ini
C:\WINDOWS\system32\pfbbfhyj.dll
C:\WINDOWS\system32\pmnlj.dll
C:\WINDOWS\system32\qbxmeppj.dll
C:\WINDOWS\system32\qhtrboal.ini
C:\WINDOWS\system32\qlhyyhnw.ini
C:\WINDOWS\system32\rjkypywp.dll
C:\WINDOWS\system32\rlkxkukd.ini
C:\WINDOWS\system32\ropbgsss.ini
C:\WINDOWS\system32\rttss.ini
C:\WINDOWS\system32\rttss.ini2
C:\WINDOWS\system32\shrupuik.dll
C:\WINDOWS\system32\sowoeixb.dll
C:\WINDOWS\system32\thebapix.dll
C:\WINDOWS\system32\tmrsr.exe
C:\WINDOWS\system32\tmuswtup.ini
C:\WINDOWS\system32\tqieebga.ini
C:\WINDOWS\system32\twgconau.ini
C:\WINDOWS\system32\ufekmwru.dll
C:\WINDOWS\system32\ufusimii.ini
C:\WINDOWS\system32\uoccmxdv.ini
C:\WINDOWS\system32\vjuvhitm.dll
C:\WINDOWS\system32\vmcelyof.ini
C:\WINDOWS\system32\vmhodurj.dll
C:\WINDOWS\system32\vvoawefi.dll
C:\WINDOWS\system32\vvsbjysu.ini
C:\WINDOWS\system32\whlevoyl.dll
C:\WINDOWS\system32\wyodpurs.dll
C:\WINDOWS\system32\xcxuagbq.ini
C:\WINDOWS\system32\xqiaqeiy.ini
C:\WINDOWS\system32\yaatrsii.ini
C:\WINDOWS\system32\yaohwnaa.ini
C:\WINDOWS\system32\yexeudos.ini
C:\WINDOWS\system32\ygcdrlba.ini
C:\WINDOWS\system32\ynbgchjp.ini
C:\WINDOWS\system32\yvxwbrhr.ini

.
((((((((((((((((((((((((( Files Created from 2008-01-24 to 2008-02-24 )))))))))))))))))))))))))))))))
.

2008-02-23 02:50 . 2008-02-23 02:50 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-23 02:06 . 2008-02-23 02:06 0 --a------ C:\WINDOWS\system32\SDRemoveDB.db
2008-02-23 02:05 . 2008-02-23 02:05 63 --a------ C:\WINDOWS\system\SysSD.dll
2008-02-23 02:03 . 2008-01-30 11:03 6,144 --a------ C:\WINDOWS\system32\SDEarlyDelete.exe
2008-02-23 02:02 . 2008-02-24 15:42 <DIR> d-------- C:\Program Files\SpywareDetector
2008-02-23 02:02 . 2007-03-19 12:39 270,336 --a------ C:\WINDOWS\system32\CheckDll.dll
2008-02-23 02:02 . 2008-01-25 18:58 67,024 --a------ C:\WINDOWS\system32\CloseAll.exe
2008-02-23 02:02 . 2005-02-06 09:02 104 --a------ C:\WINDOWS\system32\ProxySettings.ini
2008-02-19 21:55 . 2008-02-19 21:55 0 --a------ C:\WINDOWS\pcfriend.INI
2008-02-19 19:54 . 2008-02-24 12:52 157,332 --a------ C:\WINDOWS\BM327f10ca.xml
2008-02-17 14:39 . 2008-02-20 07:06 321 --ahs---- C:\WINDOWS\system32\jjkmp.ini
2008-02-14 16:30 . 2008-02-24 02:13 22 --a------ C:\WINDOWS\pskt.ini
2008-02-09 21:08 . 2008-02-24 15:39 55,376 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2008-02-09 21:08 . 2008-02-24 15:39 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2008-02-09 21:08 . 2008-02-24 15:39 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2008-02-09 21:08 . 2008-02-24 15:39 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2008-02-09 21:08 . 2008-02-24 15:39 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2008-02-09 21:08 . 2008-02-24 15:39 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2008-02-09 21:08 . 2008-02-24 15:39 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2008-02-09 21:08 . 2008-02-24 15:39 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2008-02-09 00:43 . 2008-02-09 00:43 1,215,404 --ahs---- C:\WINDOWS\system32\pkauvvqo.tmp
2008-02-09 00:20 . 2008-02-22 15:27 <DIR> d-------- C:\WINDOWS\CAVTemp
2008-02-06 00:45 . 2007-08-20 13:42 879,784 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2008-02-06 00:45 . 2007-08-20 13:42 108,312 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2008-02-06 00:45 . 2007-08-20 13:42 99,592 --a------ C:\WINDOWS\system32\isafeif.dll
2008-02-06 00:45 . 2007-08-20 13:42 79,424 --a------ C:\WINDOWS\system32\vetredir.dll
2008-02-06 00:45 . 2007-08-20 13:42 75,016 --a------ C:\WINDOWS\system32\isafprod.dll
2008-02-06 00:45 . 2007-08-20 13:42 32,264 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-02-06 00:45 . 2007-08-20 13:42 26,376 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2008-02-06 00:45 . 2007-08-20 13:42 21,512 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-02-06 00:45 . 2007-08-20 13:42 21,128 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2008-02-06 00:43 . 2008-02-06 00:43 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-02-06 00:43 . 2008-02-06 00:43 <DIR> d-------- C:\Program Files\CA
2008-02-06 00:43 . 2008-02-06 00:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CA
2008-01-27 20:54 . 2008-01-27 20:54 78,912 --a------ C:\WINDOWS\system32\canwuicx.dll
2008-01-27 20:45 . 2008-01-27 20:45 78,912 --a------ C:\WINDOWS\system32\qoitattj.dll

.














Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:47:36 PM, on 2/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\SpywareDetector\SDService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file)
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html (file missing)
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html (file missing)
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html (file missing)
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html (file missing)
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html (file missing)
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1148641823359
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0EF4E53-8684-40C1-91E9-C6FF7155CE89}: NameServer = 192.168.1.1
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7866 bytes
  • 0

#4
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
It appears that the Combofix log was cut off.
Can you repost it please.
  • 0

#5
rsgard

rsgard

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
ComboFix 08-02-24.4 - mark 2008-02-24 15:04:17.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.144 [GMT -5:00]
Running from: C:\Documents and Settings\mark\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\ablasgvn.dll
C:\WINDOWS\system32\ablrdcgy.dll
C:\WINDOWS\system32\agbeeiqt.dll
C:\WINDOWS\system32\agdffjwa.ini
C:\WINDOWS\system32\ahaorngi.dll
C:\WINDOWS\system32\atonfbjp.ini
C:\WINDOWS\system32\bbixshtd.ini
C:\WINDOWS\system32\bfcpdcob.dll
C:\WINDOWS\system32\bukyitjh.dll
C:\WINDOWS\system32\bybjifvj.dll
C:\WINDOWS\system32\cdgtlvys.ini
C:\WINDOWS\system32\cixhxnut.dll
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\cuxoljpo.ini
C:\WINDOWS\system32\cwgltbyh.dll
C:\WINDOWS\system32\dgrywcot.ini
C:\WINDOWS\system32\din.ip
C:\WINDOWS\system32\drivers\4_stars.gif
C:\WINDOWS\system32\drivers\5_stars.gif
C:\WINDOWS\system32\drivers\alert_icon.gif
C:\WINDOWS\system32\drivers\arrow.gif
C:\WINDOWS\system32\drivers\buy_btn.gif
C:\WINDOWS\system32\drivers\close_icon.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_btn.gif
C:\WINDOWS\system32\drivers\features.gif
C:\WINDOWS\system32\drivers\header_bg.gif
C:\WINDOWS\system32\drivers\icon_warning.gif
C:\WINDOWS\system32\drivers\logo_bg.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\perfect_cleaner_box_small.jpg
C:\WINDOWS\system32\drivers\perfect_cleaner_header.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_header_small.gif
C:\WINDOWS\system32\drivers\protect.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\secuity_center_logo.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\spy_away_box_small.jpg
C:\WINDOWS\system32\drivers\spy_away_header.gif
C:\WINDOWS\system32\drivers\spy_away_header_small.gif
C:\WINDOWS\system32\drivers\users_rating.gif
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\dtowuhme.ini
C:\WINDOWS\system32\duoeafph.dll
C:\WINDOWS\system32\edrpqhbn.ini
C:\WINDOWS\system32\eedtemlp.ini
C:\WINDOWS\system32\eimxkvvp.ini
C:\WINDOWS\system32\emhuwotd.dll
C:\WINDOWS\system32\fauqgoto.ini
C:\WINDOWS\system32\gbgstmgg.ini
C:\WINDOWS\system32\gbhrnwxa.ini
C:\WINDOWS\system32\gnlwkkhj.ini
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\gwdxrewr.dll
C:\WINDOWS\system32\hflysfhu.ini
C:\WINDOWS\system32\hijwfbuj.dll
C:\WINDOWS\system32\idctmfmu.dll
C:\WINDOWS\system32\ifewaovv.ini
C:\WINDOWS\system32\iisrtaay.dll
C:\WINDOWS\system32\jlnmp.ini
C:\WINDOWS\system32\jlnmp.ini2
C:\WINDOWS\system32\jsykpixm.dll
C:\WINDOWS\system32\jvgwnayn.ini
C:\WINDOWS\system32\khgyffwe.ini
C:\WINDOWS\system32\kqnovgng.ini
C:\WINDOWS\system32\kribblki.dll
C:\WINDOWS\system32\lexoistb.ini
C:\WINDOWS\system32\lqyiancm.ini
C:\WINDOWS\system32\mclc.dll
C:\WINDOWS\system32\nayjmemt.ini
C:\WINDOWS\system32\nkarpsrr.ini
C:\WINDOWS\system32\owevsfnh.ini
C:\WINDOWS\system32\pfbbfhyj.dll
C:\WINDOWS\system32\pmnlj.dll
C:\WINDOWS\system32\qbxmeppj.dll
C:\WINDOWS\system32\qhtrboal.ini
C:\WINDOWS\system32\qlhyyhnw.ini
C:\WINDOWS\system32\rjkypywp.dll
C:\WINDOWS\system32\rlkxkukd.ini
C:\WINDOWS\system32\ropbgsss.ini
C:\WINDOWS\system32\rttss.ini
C:\WINDOWS\system32\rttss.ini2
C:\WINDOWS\system32\shrupuik.dll
C:\WINDOWS\system32\sowoeixb.dll
C:\WINDOWS\system32\thebapix.dll
C:\WINDOWS\system32\tmrsr.exe
C:\WINDOWS\system32\tmuswtup.ini
C:\WINDOWS\system32\tqieebga.ini
C:\WINDOWS\system32\twgconau.ini
C:\WINDOWS\system32\ufekmwru.dll
C:\WINDOWS\system32\ufusimii.ini
C:\WINDOWS\system32\uoccmxdv.ini
C:\WINDOWS\system32\vjuvhitm.dll
C:\WINDOWS\system32\vmcelyof.ini
C:\WINDOWS\system32\vmhodurj.dll
C:\WINDOWS\system32\vvoawefi.dll
C:\WINDOWS\system32\vvsbjysu.ini
C:\WINDOWS\system32\whlevoyl.dll
C:\WINDOWS\system32\wyodpurs.dll
C:\WINDOWS\system32\xcxuagbq.ini
C:\WINDOWS\system32\xqiaqeiy.ini
C:\WINDOWS\system32\yaatrsii.ini
C:\WINDOWS\system32\yaohwnaa.ini
C:\WINDOWS\system32\yexeudos.ini
C:\WINDOWS\system32\ygcdrlba.ini
C:\WINDOWS\system32\ynbgchjp.ini
C:\WINDOWS\system32\yvxwbrhr.ini

.
((((((((((((((((((((((((( Files Created from 2008-01-24 to 2008-02-24 )))))))))))))))))))))))))))))))
.

2008-02-23 02:50 . 2008-02-23 02:50 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-23 02:06 . 2008-02-23 02:06 0 --a------ C:\WINDOWS\system32\SDRemoveDB.db
2008-02-23 02:05 . 2008-02-23 02:05 63 --a------ C:\WINDOWS\system\SysSD.dll
2008-02-23 02:03 . 2008-01-30 11:03 6,144 --a------ C:\WINDOWS\system32\SDEarlyDelete.exe
2008-02-23 02:02 . 2008-02-24 15:42 <DIR> d-------- C:\Program Files\SpywareDetector
2008-02-23 02:02 . 2007-03-19 12:39 270,336 --a------ C:\WINDOWS\system32\CheckDll.dll
2008-02-23 02:02 . 2008-01-25 18:58 67,024 --a------ C:\WINDOWS\system32\CloseAll.exe
2008-02-23 02:02 . 2005-02-06 09:02 104 --a------ C:\WINDOWS\system32\ProxySettings.ini
2008-02-19 21:55 . 2008-02-19 21:55 0 --a------ C:\WINDOWS\pcfriend.INI
2008-02-19 19:54 . 2008-02-24 12:52 157,332 --a------ C:\WINDOWS\BM327f10ca.xml
2008-02-17 14:39 . 2008-02-20 07:06 321 --ahs---- C:\WINDOWS\system32\jjkmp.ini
2008-02-14 16:30 . 2008-02-24 02:13 22 --a------ C:\WINDOWS\pskt.ini
2008-02-09 21:08 . 2008-02-24 15:39 55,376 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2008-02-09 21:08 . 2008-02-24 15:39 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2008-02-09 21:08 . 2008-02-24 15:39 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2008-02-09 21:08 . 2008-02-24 15:39 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2008-02-09 21:08 . 2008-02-24 15:39 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2008-02-09 21:08 . 2008-02-24 15:39 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2008-02-09 21:08 . 2008-02-24 15:39 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2008-02-09 21:08 . 2008-02-24 15:39 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2008-02-09 00:43 . 2008-02-09 00:43 1,215,404 --ahs---- C:\WINDOWS\system32\pkauvvqo.tmp
2008-02-09 00:20 . 2008-02-22 15:27 <DIR> d-------- C:\WINDOWS\CAVTemp
2008-02-06 00:45 . 2007-08-20 13:42 879,784 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2008-02-06 00:45 . 2007-08-20 13:42 108,312 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2008-02-06 00:45 . 2007-08-20 13:42 99,592 --a------ C:\WINDOWS\system32\isafeif.dll
2008-02-06 00:45 . 2007-08-20 13:42 79,424 --a------ C:\WINDOWS\system32\vetredir.dll
2008-02-06 00:45 . 2007-08-20 13:42 75,016 --a------ C:\WINDOWS\system32\isafprod.dll
2008-02-06 00:45 . 2007-08-20 13:42 32,264 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2008-02-06 00:45 . 2007-08-20 13:42 26,376 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2008-02-06 00:45 . 2007-08-20 13:42 21,512 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2008-02-06 00:45 . 2007-08-20 13:42 21,128 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2008-02-06 00:43 . 2008-02-06 00:43 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-02-06 00:43 . 2008-02-06 00:43 <DIR> d-------- C:\Program Files\CA
2008-02-06 00:43 . 2008-02-06 00:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CA
2008-01-27 20:54 . 2008-01-27 20:54 78,912 --a------ C:\WINDOWS\system32\canwuicx.dll
2008-01-27 20:45 . 2008-01-27 20:45 78,912 --a------ C:\WINDOWS\system32\qoitattj.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-23 06:11 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-23 06:06 --------- d-----w C:\Program Files\Google
2008-02-23 06:04 --------- d-----w C:\Program Files\Easy Internet signup
2008-02-23 06:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-06 17:33 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-06 06:04 --------- d-----w C:\Program Files\QuickTime
2008-02-06 06:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-23 04:33 --------- d-----w C:\Program Files\Riven
2008-01-10 21:26 --------- d-----w C:\Program Files\Norton SystemWorks
2008-01-09 03:24 --------- d-----w C:\Documents and Settings\mark\Application Data\Symantec
2007-12-31 01:39 --------- d-----w C:\Program Files\InterActual
.
<pre>
----a-w		   253,952 2008-02-04 21:24:00  C:\hp\drivers\hplsbwatcher\lsburnwatcher .exe
----a-w			81,920 2008-02-04 21:24:12  C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
----a-w		   221,184 2008-02-04 23:11:52  C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
----a-w			53,408 2008-02-04 21:23:51  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w			68,856 2008-02-06 05:31:42  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w			49,152 2008-02-04 21:24:31  C:\Program Files\Hp\HP Software Update\HPWuSchd2 .exe
----a-w		   233,534 2008-02-04 21:23:54  C:\Program Files\HPQ\Default Settings\cpqset .exe
----a-w		   290,816 2008-02-04 21:23:54  C:\Program Files\HPQ\Quick Launch Buttons\EabServr .exe
----a-w			36,972 2008-02-04 21:23:39  C:\Program Files\Java\jre1.5.0\bin\jusched .exe
----a-w		 1,694,208 2008-02-06 05:31:43  C:\Program Files\Messenger\msmsgs .exe
----a-w			98,304 2008-02-06 05:30:01  C:\Program Files\QuickTime\qttask			  .exe
----a-w			98,304 2008-02-04 21:23:02  C:\Program Files\QuickTime\qttask			 .exe
----a-w			98,304 2008-02-02 16:50:05  C:\Program Files\QuickTime\qttask			.exe
----a-w			98,304 2008-02-02 02:51:09  C:\Program Files\QuickTime\qttask		   .exe
----a-w			98,304 2008-02-01 16:49:48  C:\Program Files\QuickTime\qttask		  .exe
----a-w			98,304 2008-01-31 06:15:52  C:\Program Files\QuickTime\qttask		 .exe
----a-w			98,304 2008-01-30 04:02:13  C:\Program Files\QuickTime\qttask		.exe
----a-w			98,304 2008-01-29 00:13:45  C:\Program Files\QuickTime\qttask	   .exe
----a-w			98,304 2008-01-27 07:29:26  C:\Program Files\QuickTime\qttask	  .exe
----a-w			98,304 2008-01-26 17:44:25  C:\Program Files\QuickTime\qttask	 .exe
----a-w			98,304 2008-01-25 18:06:39  C:\Program Files\QuickTime\qttask	.exe
----a-w			98,304 2008-01-25 01:32:15  C:\Program Files\QuickTime\qttask   .exe
----a-w			98,304 2008-01-22 14:47:02  C:\Program Files\QuickTime\qttask  .exe
----a-w			98,304 2008-01-22 14:37:18  C:\Program Files\QuickTime\qttask .exe
----a-w		 1,415,824 2008-02-04 21:24:59  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w		   688,218 2008-02-04 21:23:46  C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
----a-w			98,394 2008-02-04 21:23:43  C:\Program Files\Synaptics\SynTP\SynTPLpr .exe
----a-w		   112,336 2008-02-06 05:59:55  C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr .exe
----a-w			15,360 2008-02-06 05:31:43  C:\WINDOWS\system32\ctfmon .exe
----a-w		   126,976 2008-02-04 21:23:39  C:\WINDOWS\system32\hkcmd .exe
----a-w		   155,648 2008-02-04 21:23:39  C:\WINDOWS\system32\igfxtray .exe
----a-w		   886,272 2008-02-04 21:24:22  C:\WINDOWS\system32\LXSUPMON .EXE
----a-w		   155,648 2008-02-04 21:24:25  C:\WINDOWS\system32\NeroCheck .exe
----a-w			45,632 2008-02-04 21:23:59  C:\WINDOWS\system32\taskswitch .exe
</pre>


-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 2007-05-18 14:30 79368 C:\WINDOWS\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify]
C:\Program Files\SpywareDetector\SDNotify.dll 2008-01-28 11:30 167936 C:\Program Files\SpywareDetector\SDNotify.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys [2007-07-24 17:00]
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys [2007-05-18 14:30]
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys [2007-05-18 14:30]
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys [2007-07-24 17:00]
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys [2007-07-24 17:00]
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys [2007-05-18 14:30]
R2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe" [2007-07-24 17:00]
R2 UmxCfg;HIPS Configuration Interpreter;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe" [2007-07-24 17:37]
R2 UmxPol;HIPS Policy Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe" [2007-05-18 14:30]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys [2007-05-18 14:30]
S3 EraserUtilDrv10614;EraserUtilDrv10614;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10614.sys []
S3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe" [2007-08-16 21:10]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-06 05:44:59 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as mark at 12 44 AM.job"
- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-24 15:41:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\SpywareDetector\SDService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
.
**************************************************************************
.
Completion time: 2008-02-24 15:45:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-24 20:45:19
.
2008-02-14 08:16:27 --- E O F ---
  • 0

#6
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
1. Please open Notepad
  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\BM327f10ca.xml
C:\WINDOWS\system32\jjkmp.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\canwuicx.dll
C:\WINDOWS\system32\qoitattj.dll
Folder::
C:\Program Files\Viewpoint
Driver::
Viewpoint Manager Service
RenV::
C:\hp\drivers\hplsbwatcher\lsburnwatcher .exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2 .exe
C:\Program Files\HPQ\Default Settings\cpqset .exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr .exe
C:\Program Files\Java\jre1.5.0\bin\jusched .exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\QuickTime\qttask			  .exe
C:\Program Files\QuickTime\qttask			 .exe
C:\Program Files\QuickTime\qttask			.exe
C:\Program Files\QuickTime\qttask		   .exe
C:\Program Files\QuickTime\qttask		  .exe
C:\Program Files\QuickTime\qttask		 .exe
C:\Program Files\QuickTime\qttask		.exe
C:\Program Files\QuickTime\qttask	   .exe
C:\Program Files\QuickTime\qttask	  .exe
C:\Program Files\QuickTime\qttask	 .exe
C:\Program Files\QuickTime\qttask	.exe
C:\Program Files\QuickTime\qttask   .exe
C:\Program Files\QuickTime\qttask  .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\Program Files\Synaptics\SynTP\SynTPLpr .exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr .exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\hkcmd .exe
C:\WINDOWS\system32\igfxtray .exe
C:\WINDOWS\system32\LXSUPMON .EXE
C:\WINDOWS\system32\NeroCheck .exe
C:\WINDOWS\system32\taskswitch .exe


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP