
i got a problem... idk if its a virus worm ect! [RESOLVED]


This topic is locked.

#1
ZetaByte (Member, 60 posts)
I have encountered a new problem...
I have 2 new desktop buttons I don't remember having...
*Help and Support Center
*Windows Update
and I have a ton of files in My Documents that have pos...

I really need help!

If someone can help me with the steps to get rid of this, it will be forever appreciated!

ZB

#2
kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Hello ZetaByte

Welcome to G2Go. :)
=====================
* Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Double-click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\Hijack This.
  • Click on I agree.
  • Then click on the "Do a system scan and save a logfile" button. It will scan, and the log should open in Notepad.
  • Click on "Edit > Select All", then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste the log in your next reply.
  • DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.


#3
ZetaByte (Topic Starter, Member, 60 posts)
OMG!
Thanks for replying!

I was going to ask how the HijackThis thing worked, so hopefully you'll help me out!

BRB with the log!
How long will it take?

#4
kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
About a minute or so.

#5
ZetaByte (Topic Starter, Member, 60 posts)
That was fast!
Here it is...

***************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:03:30 PM, on 3/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_05\bin\jucheck.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn27\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe
O4 - HKLM\..\Run: [DiscUpdateManager] C:\Program Files\DISC\DiscUpdMgr.exe
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [20f4b7ef] rundll32.exe "C:\WINDOWS\system32\lrnypfux.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BM23c78473] Rundll32.exe "C:\WINDOWS\system32\whadosov.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 9592 bytes
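
Added example, not part of this thread and not code from HijackThis or Trend Micro: the two O4 entries in the log above that matter most are the ones where rundll32.exe loads an eight-letter DLL from system32 through a one-character export ("...\lrnypfux.dll",b and "...\whadosov.dll",s), under Run values that are nothing but a hex string (20f4b7ef, BM23c78473). Vendor autoruns never look like that. The Python below parses O4 registry Run lines and flags that loader pattern. The sample lines are copied from the posted log; the three heuristics (bare-hex value name, eight random letters directly in system32, one- or two-character export name) are the editor's own assumptions about what separates those entries from the rest, not rules taken from any tool.

```python
import re
from collections import namedtuple

# O4 lines copied from the HijackThis log posted above; two of them are the
# loaders this script is meant to single out from the vendor autoruns.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [20f4b7ef] rundll32.exe "C:\WINDOWS\system32\lrnypfux.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BM23c78473] Rundll32.exe "C:\WINDOWS\system32\whadosov.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
"""

Finding = namedtuple("Finding", "name command reasons")

# "O4 - <hive>\..\Run: [<value name>] <command>"   (Run, RunOnce, RunServices, ...)
O4_RUN = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# rundll32 invoking a DLL through a one- or two-character export:   rundll32.exe "<dll>",b
RUNDLL32_SHORT_EXPORT = re.compile(r'(?i)^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\w{1,2})\s*$')
# Heuristic (editor's assumption): a Run value named only by a hex string, optionally "BM"-prefixed
HEX_VALUE_NAME = re.compile(r"^(?:BM)?[0-9a-fA-F]{8,}$")
# Heuristic (editor's assumption): eight bare letters as a DLL name sitting directly in system32
RANDOM_SYSTEM32_DLL = re.compile(r"(?i)\\system32\\[a-z]{8}\.dll$")


def parse_o4_run_entries(log_text):
    """Yield (hive, key, value_name, command) for each O4 registry Run entry in a HijackThis log."""
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            yield m.group("hive"), m.group("key"), m.group("name"), m.group("cmd")


def assess_entry(name, command):
    """Return the reasons one Run entry looks like a rundll32 DLL loader (empty list = nothing flagged)."""
    reasons = []
    m = RUNDLL32_SHORT_EXPORT.match(command)
    if m:
        dll, export = m.group("dll"), m.group("export")
        reasons.append(f"rundll32 loads {dll} through {len(export)}-char export '{export}'")
        if RANDOM_SYSTEM32_DLL.search(dll):
            reasons.append("DLL name is eight random-looking letters directly in system32")
    if HEX_VALUE_NAME.match(name):
        reasons.append("Run value name is a bare hex string")
    return reasons


def triage_hjt_log(log_text):
    """Return a Finding for every O4 Run entry with at least one reason, in log order."""
    findings = []
    for _hive, _key, name, cmd in parse_o4_run_entries(log_text):
        reasons = assess_entry(name, cmd)
        if reasons:
            findings.append(Finding(name, cmd, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_hjt_log(SAMPLE_LOG):
        print(f"[{f.name}] {f.command}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the log posted in this thread, the script flags exactly the 20f4b7ef and BM23c78473 entries, each on all three counts, and leaves the HP, AVG, QuickTime and ctfmon lines alone. The same two DLL names reappear in the ComboFix output further down (lrnypfux.dll in the Reg Loading Points, whadosov.dll in the deletions), which is the kind of cross-check worth doing before asking a tool to fix anything.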

#6
kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click combofix.exe and follow the prompts. Please never rename ComboFix unless instructed.
When finished, it will produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#7
ZetaByte (Topic Starter, Member, 60 posts)
I don't know what happened...
A blue screen popped up and it said ComboFix was preparing to run, then a disclaimer about the warranty of the software popped up.

Should I click yes or no?
And do I need a new HJT log, or can I use the old one?

Edited by ZetaByte, 02 March 2008 - 06:21 PM.


#8
kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
It is up to you; I recommend running it.
It is there because some malware can crash your system during the disinfection process.
I can tell you, though, that eventually your system will crash from the malware you have present.

Please do run it.

#9
ZetaByte (Topic Starter, Member, 60 posts)
OK, I ran it...
Here is the report

*******

ComboFix 08-03-03.6 - HP_Administrator 2008-03-02 16:39:41.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.97 [GMT -8:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\salesmonitor
C:\DOCUME~1\ALLUSE~1\STARTM~1\Live Safety Center.lnk
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.lnk
C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\HP_Administrator\Application Data\antivirus.exe
C:\Documents and Settings\HP_Administrator\Application Data\pcpriv.exe
C:\Documents and Settings\HP_Administrator\Application Data\printer.exe
C:\Documents and Settings\HP_Administrator\Application Data\SKS~1
C:\Documents and Settings\HP_Administrator\Application Data\SKS~1\d?dplay.exe
C:\Documents and Settings\HP_Administrator\Application Data\ultra
C:\Documents and Settings\HP_Administrator\Application Data\ultra\uninstall.bat
C:\Documents and Settings\HP_Administrator\Favorites\Online Security Guide.lnk
C:\Program Files\Common Files\crosof~1.net
C:\Program Files\Common Files\curity~1
C:\Program Files\Common Files\curity~1\?canregw.exe
C:\Program Files\Helper
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp .exe
C:\Program Files\NoDNS
C:\Program Files\NoDNS\NoDNS.exe
C:\Program Files\NoDNS\UnInstall.exe
C:\Program Files\racle~1
C:\Program Files\racle~1\e?plorer.exe
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1165296946.old
C:\Program Files\WinBudget\bin\crap.1165978300.old
C:\Program Files\WinBudget\bin\crap.1165989960.old
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\isgTi19
C:\Temp\isgTi19\lPig.log
C:\Temp\xOe
C:\Temp\xOe\tOasF.log
C:\WINDOWS\b111.exe
C:\WINDOWS\b154.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\medichi.exe
C:\WINDOWS\medichi2.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\murka.dat
C:\WINDOWS\system32\dqdviqjh.dll
C:\WINDOWS\system32\gplpqptz.dll
C:\WINDOWS\system32\gplpqptz.dllbox
C:\WINDOWS\system32\hggddcd.dll
C:\WINDOWS\system32\hhhkj.ini
C:\WINDOWS\system32\hhhkj.ini2
C:\WINDOWS\system32\jkhhh.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\sstem~1
C:\WINDOWS\system32\vtuspnm.dll
C:\WINDOWS\system32\whadosov.dll
C:\WINDOWS\system32\xufpynrl.ini
C:\WINDOWS\tk58.exe
C:\WINDOWS\trayicon.exe
C:\WINDOWS\windsk.dll
C:\WINDOWS\wsystmp_brj.exe
C:\WINDOWS\wsystmp_bwi.exe
C:\WINDOWS\wsystmp_qom.exe
C:\WINDOWS\wsystmp_roe.exe
C:\WINDOWS\wsystmp_xnn.exe
C:\WINDOWS\wsystmp_yah.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-03 to 2008-03-03 )))))))))))))))))))))))))))))))
.

2008-03-02 16:02 . 2008-03-02 16:02 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-02 12:14 . 2008-03-02 16:40 21 --a------ C:\WINDOWS\pskt.ini
2008-03-01 20:29 . 2008-03-01 20:29 <DIR> d-------- C:\WINDOWS\system32\iDlo01
2008-03-01 20:29 . 2008-03-01 20:30 <DIR> d-------- C:\temp\sanR24
2008-02-24 20:20 . 2007-02-28 01:10 2,180,352 --------- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-02-24 20:20 . 2007-02-28 01:08 2,136,064 --------- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-02-24 20:20 . 2007-02-28 00:38 2,057,600 --------- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-02-24 20:20 . 2007-02-28 00:38 2,015,744 --------- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-02-24 20:19 . 2006-06-01 10:47 163,840 --------- C:\WINDOWS\system32\dllcache\jgdw400.dll
2008-02-24 20:19 . 2006-06-01 10:47 27,648 --------- C:\WINDOWS\system32\dllcache\jgpl400.dll
2008-02-24 20:18 . 2006-03-16 16:38 28,672 --------- C:\WINDOWS\system32\verclsid.exe
2008-02-24 20:17 . 2006-05-05 01:41 453,120 --------- C:\WINDOWS\system32\dllcache\mrxsmb.sys
2008-02-24 04:35 . 2008-03-02 15:17 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-24 04:35 . 2008-02-24 04:35 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-24 04:32 . 2007-10-31 14:09 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2008-02-24 04:29 . 2008-02-24 04:32 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-02-24 04:09 . 2005-05-10 03:36 81,920 --------- C:\WINDOWS\system32\W32n50.dll
2008-02-24 04:09 . 2005-05-10 03:36 17,162 --------- C:\WINDOWS\system32\Pcandis5.sys
2008-02-24 04:09 . 2005-05-10 03:36 16,848 --------- C:\WINDOWS\system32\Pcandis4.sys
2008-02-24 04:09 . 2005-05-10 03:36 16,073 --------- C:\WINDOWS\system32\Pcandis3.vxd
2008-02-24 04:05 . 2002-01-05 05:18 84,992 --a------ C:\WINDOWS\system32\ATL70.DLL
2008-02-24 04:05 . 2001-10-11 10:26 65,536 --a------ C:\WINDOWS\system32\YCRWin32.dll
2008-02-24 04:05 . 2002-02-21 18:56 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-02-24 03:52 . 2002-02-13 18:53 6,345 -ra------ C:\WINDOWS\system32\DevMngr.vxd
2008-02-24 02:41 . 2008-02-24 02:41 1,885 -rahs---- C:\WINDOWS\system32\drivers\103C_HP_CPC_EX269AA-ABA a1514n_YC_0Pavi_QCNH630_E63NAemMPA2_48_IAsterope2_SHewleet-Packard_V1.0_B3.16_T060622_WXP2_L409_M448_J250_7Intel_8Pentium 4_93.06_#060907_N10EC8139_Z14F12F20_G10025A61.MRK
2008-02-24 02:39 . 2006-05-14 08:00 <DIR> d-------- C:\Documents and Settings\HP_Administrator\WINDOWS
2008-02-24 02:39 . 2008-02-24 03:48 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Symantec
2008-02-24 02:39 . 2006-05-14 08:03 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Intuit
2008-02-24 02:39 . 2007-12-29 14:40 89,088 --ah----- C:\Documents and Settings\HP_Administrator\Administrator.exe
2008-02-24 02:37 . 2006-05-14 08:00 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\WINDOWS
2008-02-24 02:37 . 2006-05-14 08:27 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec
2008-02-24 02:37 . 2006-05-14 08:03 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Intuit
2008-02-24 02:37 . 2007-12-29 14:40 89,088 --ah----- C:\WINDOWS\system32\config\systemprofile\Administrator.exe
2008-02-24 01:32 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-02-24 00:55 . 2008-02-25 18:05 <DIR> dr-hs---- C:\WINDOWS\system32\dllcache
2008-02-23 13:47 . 2008-02-23 22:14 40,960 --a------ C:\WINDOWS\gsdtwenfgh.exe
2008-02-23 13:47 . 2008-02-23 22:14 20,480 --a------ C:\WINDOWS\quit.exe
2008-02-19 16:22 . 2008-02-19 16:22 <DIR> d-------- C:\Program Files\Disney
2008-02-10 18:50 . 2007-12-29 14:40 89,088 --ah----- C:\Documents and Settings\Default User\Administrator.exe
2008-02-05 19:49 . 2007-12-29 14:40 89,088 ---h----- C:\Documents and Settings\Administrator\Administrator.exe
2008-02-05 19:14 . 2008-03-02 14:12 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\AVG7
2008-02-05 19:13 . 2008-02-05 19:13 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-05 19:12 . 2008-02-05 19:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Grisoft
2008-02-05 19:12 . 2008-03-02 14:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\avg7
2008-02-04 20:41 . 2008-02-04 20:41 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\PC Tools
2008-02-04 20:40 . 2008-02-04 20:58 <DIR> d-------- C:\Program Files\PC Tools AntiVirus
2008-02-04 20:40 . 2008-02-04 20:40 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-02-04 20:40 . 2008-02-04 20:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PC Tools

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-02 04:30 37,376 ----a-w C:\WINDOWS\mrofinu572.exe.tmp
2008-02-27 04:34 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Apple Computer
2008-02-24 12:29 --------- d-----w C:\Program Files\MSN Messenger
2008-02-24 11:48 --------- d-----w C:\Program Files\Symantec
2008-02-24 11:48 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-24 11:48 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2008-02-24 10:41 1,885 --sha-r C:\WINDOWS\system32\drivers\103C_HP_CPC_EX269AA-ABA a1514n_YC_0Pavi_QCNH630_E63NAemMPA2_48_IAsterope2_SHewleet-Packard_V1.0_B3.16_T060622_WXP2_L409_M448_J250_7Intel_8Pentium 4_93.06_#060907_N10EC8139_Z14F12F20_G10025A61.MRK
2008-02-11 03:32 --------- d-----w C:\Program Files\QuickTime
2008-02-11 01:17 --------- d-----w C:\Program Files\iTunes
2008-02-05 04:41 --------- d---a-w C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2008-02-03 02:29 --------- d-----w C:\Program Files\Norton SystemWorks
2008-01-29 06:00 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\LimeWire
2008-01-28 15:00 13,024 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
2008-01-21 23:51 --------- d-----w C:\Program Files\SBC Self Support Tool
2008-01-21 21:18 367,616 ----a-w C:\WINDOWS\mrofinu72.exe.tmp
2008-01-19 22:59 --------- d-----w C:\Program Files\Bonjour
2008-01-19 18:39 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Netscape
2008-01-19 17:15 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-17 01:05 --------- d-----w C:\Program Files\iPod
2008-01-13 00:16 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-01-12 01:30 --------- d-----w C:\Program Files\Moyea
2008-01-11 00:53 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\WLInstaller
2008-01-08 19:49 34,049 ----a-w C:\WINDOWS\seiernlc.exe
2008-01-08 19:49 34,049 ----a-w C:\WINDOWS\36mya5mq.exe
2008-01-08 19:48 34,049 ----a-w C:\WINDOWS\f2w1iber.exe
2008-01-08 18:01 --------- d-----w C:\Program Files\Virtual Earth 3D
2008-01-08 03:56 --------- d-----w C:\Program Files\Lavasoft
2007-12-29 22:40 89,088 ---ha-w C:\Documents and Settings\HP_Administrator\HP_Administrator.exe
2007-12-29 22:40 89,088 ---h--w C:\Documents and Settings\All Users\All Users.exe
2007-12-29 17:45 34,049 ----a-w C:\WINDOWS\g0pb9g8t.exe
2007-12-29 17:45 34,049 ----a-w C:\WINDOWS\f8owjhfb.exe
2007-12-29 17:45 34,049 ----a-w C:\WINDOWS\35h4uv70.exe
2007-12-26 02:30 34,049 ----a-w C:\WINDOWS\6t5cvl39.exe
2007-12-26 02:29 34,049 ----a-w C:\WINDOWS\t1qtuxqy.exe
2007-12-26 02:29 34,049 ----a-w C:\WINDOWS\mfye73i6.exe
2007-12-26 02:29 34,049 ----a-w C:\WINDOWS\dydlef6i.exe
2007-12-26 02:29 34,049 ----a-w C:\WINDOWS\c2dfn1lj.exe
2006-12-23 20:31 1,132,112 ----a-w C:\DOCUME~1\ALLUSE~1\APPLIC~1\pswi_preloaded.exe
2006-10-19 05:37 284 ----a-w C:\Documents and Settings\Karina\Application Data\wklnhst.dat
2005-05-06 17:37 257,568 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\sysfixer.exe
.
----a-w		   368,640 2008-02-05 03:53:40  C:\Program Files\BroadJump\Client Foundation\CFD .exe
----a-w			52,848 2008-01-13 00:17:30  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w		   218,240 2008-01-13 00:17:35  C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt .exe
----a-w		 1,077,248 2008-02-05 02:24:34  C:\Program Files\DISC\DISCover .exe
----a-w			61,440 2008-02-05 02:24:36  C:\Program Files\DISC\DiscUpdMgr .exe
----a-w		   171,448 2008-01-19 17:15:25  C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier .exe
----a-w		   249,856 2008-02-02 10:08:12  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp				  .exe
----a-w		   580,608 2008-02-02 10:06:54  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp				 .exe
----a-w		   580,608 2008-02-02 01:37:10  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp				.exe
----a-w		   580,608 2008-02-01 01:03:17  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp			   .exe
----a-w		   580,608 2008-01-31 06:26:49  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp			  .exe
----a-w		   580,608 2008-01-31 04:20:03  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp			 .exe
----a-w		   580,608 2008-01-30 00:14:47  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp			.exe
----a-w		   580,608 2008-01-28 22:54:55  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp		   .exe
----a-w		   580,608 2008-01-27 23:04:09  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp		  .exe
----a-w		   580,608 2008-01-27 21:11:36  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp		 .exe
----a-w		   580,608 2008-01-27 04:42:26  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp		.exe
----a-w		   580,608 2008-01-27 00:49:47  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp	   .exe
----a-w		   580,608 2008-01-26 20:03:18  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp	  .exe
----a-w		   580,608 2008-01-26 05:28:53  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp	 .exe
----a-w		   580,608 2008-01-26 00:10:45  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp	.exe
----a-w		   249,856 2008-02-05 02:24:43  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp   .exe
----a-w			49,152 2008-02-05 00:30:51  C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08 .exe
----a-w			49,152 2008-02-05 02:24:47  C:\Program Files\HP\HP Software Update\HPwuSchd2 .exe
----a-w			90,112 2008-02-05 02:24:42  C:\Program Files\HP DigitalMedia Archive\DMAScheduler .exe
----a-w		   267,048 2008-02-05 04:33:14  C:\Program Files\iTunes\iTunesHelper .exe
----a-w		 1,694,208 2008-01-13 00:42:42  C:\Program Files\Messenger\msmsgs .exe
----a-w		 5,674,352 2008-02-05 04:19:10  C:\Program Files\MSN Messenger\msnmsgr .exe
----a-w			53,248 2008-01-12 02:18:39  C:\Program Files\PC-Doctor 5 for Windows\RunProfiler .exe
----a-w		   286,720 2008-01-16 02:29:59  C:\Program Files\QuickTime\QTTask			 .exe
----a-w		   385,024 2008-01-27 00:51:07  C:\Program Files\QuickTime\QTTask			.exe
----a-w		   741,888 2008-01-27 00:49:52  C:\Program Files\QuickTime\QTTask		   .exe
----a-w		   741,888 2008-01-26 20:03:25  C:\Program Files\QuickTime\QTTask		  .exe
----a-w		   741,888 2008-01-26 05:28:55  C:\Program Files\QuickTime\QTTask		 .exe
----a-w		   741,888 2008-01-26 05:13:40  C:\Program Files\QuickTime\QTTask		.exe
----a-w		   385,024 2008-01-30 00:15:56  C:\Program Files\QuickTime\QTTask	   .exe
----a-w		   741,888 2008-01-30 00:14:51  C:\Program Files\QuickTime\qttask	  .exe
----a-w		   385,024 2008-02-01 01:04:34  C:\Program Files\QuickTime\qttask	 .exe
----a-w		   741,888 2008-02-01 01:03:21  C:\Program Files\QuickTime\qttask	.exe
----a-w		   385,024 2008-02-04 22:08:40  C:\Program Files\QuickTime\qttask   .exe
----a-w		   385,024 2008-02-05 02:24:53  C:\Program Files\QuickTime\QTTask  .exe
----a-w		   380,928 2008-02-05 04:10:48  C:\Program Files\SBC Self Support Tool\SmartBridge\MotiveSB .exe
----a-w		 1,460,560 2008-01-19 17:15:30  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w		   129,536 2008-02-05 04:12:12  C:\Program Files\Yahoo!\browser\ybrwicon .exe
----a-w		   663,552 2008-02-05 02:24:49  C:\WINDOWS\CREATOR\Remind_XP .exe
----a-w			64,512 2008-02-06 00:21:03  C:\WINDOWS\ehome\ehtray .exe
----a-w		   237,568 2008-02-05 02:24:43  C:\WINDOWS\SMINST\RECGUARD .EXE


-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ad7f9707-740e-4f5e-bd10-742237899475}]
C:\WINDOWS\system32\hdjysxeg.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 20:00 15360]
"Yahoo! Pager"="1" []
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 20:01 67584]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 03:54 16010240 C:\WINDOWS\RTHDCPL.EXE]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 22:19 77312 C:\WINDOWS\arpwrmsg.exe]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 22:35 49152]
"DISCover"="C:\Program Files\DISC\DISCover.exe" [2006-03-16 01:12 1077248]
"DiscUpdateManager"="C:\Program Files\DISC\DiscUpdMgr.exe" [2006-03-16 01:11 61440]
"DMAScheduler"="c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-03-20 08:05 90112]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-22 21:14 237568]
"PCDrProfiler"="" []
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 21:34 249856]
"Reminder"="C:\Windows\Creator\Remind_XP.exe" [2004-12-14 01:23 663552]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-12-15 17:18 49152]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26 368706]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2003-12-09 14:02 57344]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"20f4b7ef"="C:\WINDOWS\system32\lrnypfux.dll" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-02 14:09 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-05 19:12 219136]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 17:40:44 282624]
SBC Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2006-09-19 21:43:18 217088]
Updates From HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [2006-05-14 08:06:58 36903]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2006-03-26 21:44:08 257752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\DISC\\DISCover.exe"=
"C:\\Program Files\\DISC\\DiscStreamHub.exe"=
"C:\\Program Files\\DISC\\myFTP.exe"=
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=


.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-02 17:02:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-03-02 17:08:30 - machine was rebooted [HP_Administrator]
ComboFix-quarantined-files.txt 2008-03-03 01:08:26
.
2008-02-26 02:05:24 --- E O F ---

#10 ZetaByte (Member, Topic Starter, 60 posts)
Here is another HJT log.

****

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:14:12 PM, on 3/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: {57499873-2247-01db-e5f4-e0477079f7da} - {ad7f9707-740e-4f5e-bd10-742237899475} - C:\WINDOWS\system32\hdjysxeg.dll (file missing)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn27\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe
O4 - HKLM\..\Run: [DiscUpdateManager] C:\Program Files\DISC\DiscUpdMgr.exe
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [20f4b7ef] rundll32.exe "C:\WINDOWS\system32\lrnypfux.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 8443 bytes

#11 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
1. Please open Notepad
  • Click Start, then Run
  • Type notepad in the Run box, then click OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\pskt.ini
C:\WINDOWS\gsdtwenfgh.exe
C:\WINDOWS\quit.exe
C:\Documents and Settings\Default User\Administrator.exe
C:\WINDOWS\system32\config\systemprofile\Administrator.exe
C:\Documents and Settings\Administrator\Administrator.exe
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\mrofinu72.exe.tmp
C:\WINDOWS\seiernlc.exe
C:\WINDOWS\36mya5mq.exe
C:\WINDOWS\f2w1iber.exe
C:\Documents and Settings\HP_Administrator\HP_Administrator.exe
C:\Documents and Settings\All Users\All Users.exe
C:\WINDOWS\g0pb9g8t.exe
C:\WINDOWS\f8owjhfb.exe
C:\WINDOWS\35h4uv70.exe
C:\WINDOWS\6t5cvl39.exe
C:\WINDOWS\t1qtuxqy.exe
C:\WINDOWS\mfye73i6.exe
C:\WINDOWS\dydlef6i.exe
C:\WINDOWS\c2dfn1lj.exe
C:\Documents and Settings\HP_Administrator\Application Data\sysfixer.exe
C:\WINDOWS\system32\hdjysxeg.dll
C:\WINDOWS\system32\lrnypfux.dll
Folder::
C:\WINDOWS\system32\iDlo01
C:\temp\sanR24
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ad7f9707-740e-4f5e-bd10-742237899475}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"20f4b7ef"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=-
RenV::
C:\Program Files\BroadJump\Client Foundation\CFD .exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt .exe
C:\Program Files\DISC\DISCover .exe
C:\Program Files\DISC\DiscUpdMgr .exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp				  .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp				 .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp				.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp			   .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp			  .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp			 .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp			.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp		   .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp		  .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp		 .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp		.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp	   .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp	  .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp	 .exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp	.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp   .exe
C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08 .exe
C:\Program Files\HP\HP Software Update\HPwuSchd2 .exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\MSN Messenger\msnmsgr .exe
C:\Program Files\PC-Doctor 5 for Windows\RunProfiler .exe
C:\Program Files\QuickTime\QTTask			 .exe
C:\Program Files\QuickTime\QTTask			.exe
C:\Program Files\QuickTime\QTTask		   .exe
C:\Program Files\QuickTime\QTTask		  .exe
C:\Program Files\QuickTime\QTTask		 .exe
C:\Program Files\QuickTime\QTTask		.exe
C:\Program Files\QuickTime\QTTask	   .exe
C:\Program Files\QuickTime\qttask	  .exe
C:\Program Files\QuickTime\qttask	 .exe
C:\Program Files\QuickTime\qttask	.exe
C:\Program Files\QuickTime\qttask   .exe
C:\Program Files\QuickTime\QTTask  .exe
C:\Program Files\SBC Self Support Tool\SmartBridge\MotiveSB .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\Program Files\Yahoo!\browser\ybrwicon .exe
C:\WINDOWS\CREATOR\Remind_XP .exe
C:\WINDOWS\ehome\ehtray .exe
C:\WINDOWS\SMINST\RECGUARD .EXE


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation not reproduced here]


5. After the reboot (if it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.


#12 ZetaByte (Member, Topic Starter, 60 posts)
Sorry for taking so long...
I had to go to school. :)

Here is the ComboFix log...

******

ComboFix 08-03-03.6 - HP_Administrator 2008-03-03 16:18:37.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.141 [GMT -8:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\Administrator\Administrator.exe
C:\Documents and Settings\All Users\All Users.exe
C:\Documents and Settings\Default User\Administrator.exe
C:\Documents and Settings\HP_Administrator\Application Data\sysfixer.exe
C:\Documents and Settings\HP_Administrator\HP_Administrator.exe
C:\WINDOWS\35h4uv70.exe
C:\WINDOWS\36mya5mq.exe
C:\WINDOWS\6t5cvl39.exe
C:\WINDOWS\c2dfn1lj.exe
C:\WINDOWS\dydlef6i.exe
C:\WINDOWS\f2w1iber.exe
C:\WINDOWS\f8owjhfb.exe
C:\WINDOWS\g0pb9g8t.exe
C:\WINDOWS\gsdtwenfgh.exe
C:\WINDOWS\mfye73i6.exe
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\mrofinu72.exe.tmp
C:\WINDOWS\pskt.ini
C:\WINDOWS\quit.exe
C:\WINDOWS\seiernlc.exe
C:\WINDOWS\system32\config\systemprofile\Administrator.exe
C:\WINDOWS\system32\hdjysxeg.dll
C:\WINDOWS\system32\lrnypfux.dll
C:\WINDOWS\t1qtuxqy.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\Documents and Settings\All Users\All Users.exe
C:\Documents and Settings\Default User\Administrator.exe
C:\Documents and Settings\HP_Administrator\Application Data\sysfixer.exe
C:\Documents and Settings\HP_Administrator\HP_Administrator.exe
C:\temp\sanR24
C:\temp\sanR24\lDii.log
C:\WINDOWS\35h4uv70.exe
C:\WINDOWS\36mya5mq.exe
C:\WINDOWS\6t5cvl39.exe
C:\WINDOWS\c2dfn1lj.exe
C:\WINDOWS\dydlef6i.exe
C:\WINDOWS\f2w1iber.exe
C:\WINDOWS\f8owjhfb.exe
C:\WINDOWS\g0pb9g8t.exe
C:\WINDOWS\gsdtwenfgh.exe
C:\WINDOWS\mfye73i6.exe
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\mrofinu72.exe.tmp
C:\WINDOWS\pskt.ini
C:\WINDOWS\quit.exe
C:\WINDOWS\seiernlc.exe
C:\WINDOWS\system32\config\systemprofile\Administrator.exe
C:\WINDOWS\system32\iDlo01
C:\WINDOWS\system32\iDlo01\iDlo011065.exe
C:\WINDOWS\t1qtuxqy.exe
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-02-04 to 2008-03-04 )))))))))))))))))))))))))))))))
.

2008-03-02 16:02 . 2008-03-02 16:02 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-24 20:20 . 2007-02-28 01:10 2,180,352 --------- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-02-24 20:20 . 2007-02-28 01:08 2,136,064 --------- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-02-24 20:20 . 2007-02-28 00:38 2,057,600 --------- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-02-24 20:20 . 2007-02-28 00:38 2,015,744 --------- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-02-24 20:19 . 2006-06-01 10:47 163,840 --------- C:\WINDOWS\system32\dllcache\jgdw400.dll
2008-02-24 20:19 . 2006-06-01 10:47 27,648 --------- C:\WINDOWS\system32\dllcache\jgpl400.dll
2008-02-24 20:18 . 2006-03-16 16:38 28,672 --------- C:\WINDOWS\system32\verclsid.exe
2008-02-24 20:17 . 2006-05-05 01:41 453,120 --------- C:\WINDOWS\system32\dllcache\mrxsmb.sys
2008-02-24 04:35 . 2008-03-03 15:02 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-24 04:35 . 2008-02-24 04:35 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-24 04:32 . 2007-10-31 14:09 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2008-02-24 04:29 . 2008-02-24 04:32 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-02-24 04:09 . 2005-05-10 03:36 81,920 --------- C:\WINDOWS\system32\W32n50.dll
2008-02-24 04:09 . 2005-05-10 03:36 17,162 --------- C:\WINDOWS\system32\Pcandis5.sys
2008-02-24 04:09 . 2005-05-10 03:36 16,848 --------- C:\WINDOWS\system32\Pcandis4.sys
2008-02-24 04:09 . 2005-05-10 03:36 16,073 --------- C:\WINDOWS\system32\Pcandis3.vxd
2008-02-24 04:05 . 2002-01-05 05:18 84,992 --a------ C:\WINDOWS\system32\ATL70.DLL
2008-02-24 04:05 . 2001-10-11 10:26 65,536 --a------ C:\WINDOWS\system32\YCRWin32.dll
2008-02-24 04:05 . 2002-02-21 18:56 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-02-24 03:52 . 2002-02-13 18:53 6,345 -ra------ C:\WINDOWS\system32\DevMngr.vxd
2008-02-24 02:41 . 2008-02-24 02:41 1,885 -rahs---- C:\WINDOWS\system32\drivers\103C_HP_CPC_EX269AA-ABA a1514n_YC_0Pavi_QCNH630_E63NAemMPA2_48_IAsterope2_SHewleet-Packard_V1.0_B3.16_T060622_WXP2_L409_M448_J250_7Intel_8Pentium 4_93.06_#060907_N10EC8139_Z14F12F20_G10025A61.MRK
2008-02-24 02:39 . 2006-05-14 08:00 <DIR> d-------- C:\Documents and Settings\HP_Administrator\WINDOWS
2008-02-24 02:39 . 2008-02-24 03:48 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Symantec
2008-02-24 02:39 . 2006-05-14 08:03 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Intuit
2008-02-24 02:39 . 2007-12-29 14:40 89,088 --ah----- C:\Documents and Settings\HP_Administrator\Administrator.exe
2008-02-24 02:37 . 2006-05-14 08:00 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\WINDOWS
2008-02-24 02:37 . 2006-05-14 08:27 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec
2008-02-24 02:37 . 2006-05-14 08:03 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Intuit
2008-02-24 01:32 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-02-24 00:55 . 2008-02-25 18:05 <DIR> dr-hs---- C:\WINDOWS\system32\dllcache
2008-02-19 16:22 . 2008-02-19 16:22 <DIR> d-------- C:\Program Files\Disney
2008-02-05 19:14 . 2008-03-03 14:55 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\AVG7
2008-02-05 19:13 . 2008-02-05 19:13 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-05 19:12 . 2008-02-05 19:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Grisoft
2008-02-05 19:12 . 2008-03-02 14:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\avg7
2008-02-04 20:41 . 2008-02-04 20:41 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\PC Tools
2008-02-04 20:40 . 2008-02-04 20:58 <DIR> d-------- C:\Program Files\PC Tools AntiVirus
2008-02-04 20:40 . 2008-02-04 20:40 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-02-04 20:40 . 2008-02-04 20:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PC Tools

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-04 00:30 --------- d-----w C:\Program Files\MSN Messenger
2008-03-04 00:30 --------- d-----w C:\Program Files\iTunes
2008-03-04 00:30 --------- d-----w C:\Program Files\HP DigitalMedia Archive
2008-03-04 00:30 --------- d-----w C:\Program Files\DISC
2008-03-04 00:18 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-04 00:18 --------- d-----w C:\Program Files\QuickTime
2008-03-04 00:18 --------- d-----w C:\Program Files\PC-Doctor 5 for Windows
2008-03-04 00:17 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-27 04:34 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Apple Computer
2008-02-24 11:48 --------- d-----w C:\Program Files\Symantec
2008-02-24 11:48 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2008-02-24 10:41 1,885 --sha-r C:\WINDOWS\system32\drivers\103C_HP_CPC_EX269AA-ABA a1514n_YC_0Pavi_QCNH630_E63NAemMPA2_48_IAsterope2_SHewleet-Packard_V1.0_B3.16_T060622_WXP2_L409_M448_J250_7Intel_8Pentium 4_93.06_#060907_N10EC8139_Z14F12F20_G10025A61.MRK
2008-02-05 04:41 --------- d---a-w C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2008-02-03 02:29 --------- d-----w C:\Program Files\Norton SystemWorks
2008-01-29 06:00 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\LimeWire
2008-01-28 15:00 13,024 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
2008-01-21 23:51 --------- d-----w C:\Program Files\SBC Self Support Tool
2008-01-19 22:59 --------- d-----w C:\Program Files\Bonjour
2008-01-19 18:39 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Netscape
2008-01-17 01:05 --------- d-----w C:\Program Files\iPod
2008-01-13 00:16 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-01-12 01:30 --------- d-----w C:\Program Files\Moyea
2008-01-11 00:53 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\WLInstaller
2008-01-08 18:01 --------- d-----w C:\Program Files\Virtual Earth 3D
2008-01-08 03:56 --------- d-----w C:\Program Files\Lavasoft
2006-12-23 20:31 1,132,112 ----a-w C:\DOCUME~1\ALLUSE~1\APPLIC~1\pswi_preloaded.exe
2006-10-19 05:37 284 ----a-w C:\Documents and Settings\Karina\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 368,706 2002-09-11 04:26:26 C:\Program Files\BroadJump\Client Foundation\bak\CFD.exe
----a-w 368,640 2008-02-05 03:53:40 C:\Program Files\BroadJump\Client Foundation\CFD.exe

----a-w 218,240 2004-11-02 22:59:52 C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe
----a-w 218,240 2008-01-13 00:17:35 C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

----a-w 165,304 2006-12-17 01:50:10 C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\bak\GoogleToolbarNotifier.exe

----a-w 249,856 2006-02-16 05:34:58 C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe
----a-w 249,856 2008-02-05 02:24:43 C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

----a-w 49,152 2005-06-02 06:35:56 C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak\hphupd08.exe
----a-w 49,152 2008-02-05 00:30:51 C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

----a-w 49,152 2005-12-16 01:18:50 C:\Program Files\HP\HP Software Update\bak\HPwuSchd2.exe
----a-w 49,152 2008-02-05 02:24:47 C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

----a-w 90,112 2006-03-20 16:05:00 C:\Program Files\HP DigitalMedia Archive\bak\DMAScheduler.exe
----a-w 90,112 2008-02-05 02:24:42 C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe

----a-w 53,248 2006-01-20 07:20:02 C:\Program Files\PC-Doctor 5 for Windows\bak\RunProfiler.exe
----a-w 53,248 2008-01-12 02:18:39 C:\Program Files\PC-Doctor 5 for Windows\RunProfiler.exe

----a-w 129,536 2006-07-21 23:19:46 C:\Program Files\Yahoo!\browser\bak\ybrwicon.exe
----a-w 129,536 2008-02-05 04:12:12 C:\Program Files\Yahoo!\browser\ybrwicon.exe

----a-w 4,662,776 2006-10-27 05:21:48 C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE

----a-w 407,032 2006-07-21 17:43:10 C:\Program Files\Yahoo!\YOP\bak\yop.exe
----a-w 509,224 2007-06-26 20:48:14 C:\Program Files\Yahoo!\YOP\yop.exe

----a-w 663,552 2004-12-14 09:23:44 C:\WINDOWS\CREATOR\bak\Remind_XP.exe
----a-w 663,552 2008-02-05 02:24:49 C:\WINDOWS\CREATOR\Remind_XP.exe

----a-w 67,584 2005-09-30 04:01:14 C:\WINDOWS\ehome\bak\ehtray.exe
----a-w 67,584 2005-09-30 04:01:14 C:\WINDOWS\ehome\ehtray.exe

----a-w 237,568 2005-07-23 05:14:00 C:\WINDOWS\SMINST\bak\RECGUARD.EXE
----a-w 237,568 2008-02-05 02:24:43 C:\WINDOWS\SMINST\RECGUARD.EXE

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 20:00 15360]
"Yahoo! Pager"="1" []
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2008-02-04 20:19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 20:01 67584]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 03:54 16010240 C:\WINDOWS\RTHDCPL.EXE]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 22:19 77312 C:\WINDOWS\arpwrmsg.exe]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2008-02-04 16:30 49152]
"DISCover"="C:\Program Files\DISC\DISCover.exe" [2008-02-04 18:24 1077248]
"DiscUpdateManager"="C:\Program Files\DISC\DiscUpdMgr.exe" [2008-02-04 18:24 61440]
"DMAScheduler"="c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe" [2008-02-04 18:24 90112]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2008-02-04 18:24 237568]
"PCDrProfiler"="" []
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2008-02-04 18:24 249856]
"Reminder"="C:\Windows\Creator\Remind_XP.exe" [2008-02-04 18:24 663552]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2008-02-04 18:24 49152]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2008-02-04 19:53 368640]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2008-02-04 20:12 129536]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-04 18:24 385024]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-02 14:09 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-05 19:12 219136]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 17:40:44 282624]
SBC Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2006-09-19 21:43:18 217088]
Updates From HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [2006-05-14 08:06:58 36903]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2006-03-26 21:44:08 257752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\DISC\\DISCover.exe"=
"C:\\Program Files\\DISC\\DiscStreamHub.exe"=
"C:\\Program Files\\DISC\\myFTP.exe"=
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"=


.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-03 16:31:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-03-03 16:41:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-04 00:41:15
ComboFix2.txt 2008-03-03 01:08:30
.
2008-02-26 02:05:24 --- E O F ---
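The CFScript in post #11 uses a RenV:: list to put back executables whose names had been padded with whitespace before the extension ("HPBootOp   .exe"), and the ComboFix log in this post reports, under the AWF heading, each surviving bak\ copy next to the file now sitting in its place. What follows is an added example, not code from the thread, from ComboFix or from its author: a Python script that parses that AWF section, pairs each bak\ original with the live file one directory up, and classifies the pair by whether size and timestamp still agree, plus a helper that recognises the space-padded file names the RenV:: list targets. The sample report is constructed and modelled on the entries in this thread; the status labels and the reading of bak\ as "original set aside when the live file was replaced" are my interpretation of the report, not something ComboFix's output states.

```python
import re
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed sample, modelled on the AWF section of the ComboFix log in
# this thread. Sizes, dates and paths are illustrative, not captured data.
SAMPLE_AWF = r"""
----a-w 368,706 2002-09-11 04:26:26 C:\Program Files\BroadJump\Client Foundation\bak\CFD.exe
----a-w 368,640 2008-02-05 03:53:40 C:\Program Files\BroadJump\Client Foundation\CFD.exe

----a-w 165,304 2006-12-17 01:50:10 C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\bak\GoogleToolbarNotifier.exe

----a-w 249,856 2006-02-16 05:34:58 C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe
----a-w 249,856 2008-02-05 02:24:43 C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

----a-w 67,584 2005-09-30 04:01:14 C:\WINDOWS\ehome\bak\ehtray.exe
----a-w 67,584 2005-09-30 04:01:14 C:\WINDOWS\ehome\ehtray.exe
"""

# One report line: attribute flags, byte size with thousands separators,
# timestamp, then the full Windows path.
LINE_RE = re.compile(
    r"^(?P<attrs>\S+)\s+(?P<size>[\d,]+)\s+"
    r"(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<path>.+?)\s*$"
)

# A padded name is "Stem<whitespace>.exe"; the RenV:: list in the thread
# shows runs of spaces and tabs between the stem and the extension.
PADDED_RE = re.compile(r"^(?P<stem>\S.*?)\s+\.(?P<ext>exe)$", re.IGNORECASE)


def parse_awf(text):
    """Return one dict per file line of an AWF report (blank lines skipped)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = PureWindowsPath(m["path"])
        entries.append({
            "attrs": m["attrs"],
            "size": int(m["size"].replace(",", "")),
            "mtime": datetime.strptime(m["stamp"], "%Y-%m-%d %H:%M:%S"),
            "path": path,
            "is_bak": path.parent.name.lower() == "bak",
        })
    return entries


def pair_originals(entries):
    """Match each bak\\X.exe with the X.exe one directory up and classify it.

    Assumed meaning (my reading of the report): the bak\\ copy is the original,
    the live file is whatever replaced it. A live file with the same size but a
    newer timestamp is the pattern seen for most pairs in this thread.
    """
    live = {str(e["path"]).lower(): e for e in entries if not e["is_bak"]}
    findings = []
    for bak in (e for e in entries if e["is_bak"]):
        target = bak["path"].parent.parent / bak["path"].name
        cur = live.get(str(target).lower())
        if cur is None:
            status = "replacement absent"
        elif cur["mtime"] == bak["mtime"] and cur["size"] == bak["size"]:
            status = "unchanged"
        elif cur["size"] == bak["size"]:
            status = "replaced, size-matched"
        else:
            status = "replaced"
        findings.append({"target": str(target), "status": status})
    return findings


def padded_name(filename):
    """Return 'Stem.exe' for a whitespace-padded 'Stem   .exe', else None."""
    m = PADDED_RE.match(filename)
    return f"{m['stem']}.{m['ext']}" if m else None


if __name__ == "__main__":
    for f in pair_originals(parse_awf(SAMPLE_AWF)):
        print(f"{f['status']:>24}  {f['target']}")
    for name in ("HPBootOp   .exe", "RECGUARD .EXE", "Updates from HP.exe"):
        print(repr(name), "->", padded_name(name))
```

Run it as-is to see the four classifications for the sample; to triage a real log, paste the AWF section in place of SAMPLE_AWF. A pair that is "unchanged" (ehtray.exe in the thread) needs no action, while "replacement absent" means only the backup survived, so there is nothing left to rename back; the padded-name helper is the check to run over the directory listings before trusting any RenV:: line, since a name that does not match the pattern was never renamed by this infection.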

#13 ZetaByte (Member, Topic Starter, 60 posts)
Here is the HijackThis log...

******

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:44:12 PM, on 3/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn27\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe
O4 - HKLM\..\Run: [DiscUpdateManager] C:\Program Files\DISC\DiscUpdMgr.exe
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 8182 bytes
  • 0

#14
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the directions below to run FindAWF so we can identify the files that have been infected and their backups, then restore them.

Download FindAWF.exe from here or here, and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 1, then press Enter
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

  • 0

#15
ZetaByte

ZetaByte

    Member

  • Topic Starter
  • Member
  • PipPip
  • 60 posts
here it is!

*******


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Mon 03/03/2008
The current time is: 18:05:01.85


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\HPDIGI~1\BAK

03/20/2006 08:05 AM 90,112 DMAScheduler.exe
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\PC-DOC~1\BAK

01/19/2006 11:20 PM 53,248 RunProfiler.exe
1 File(s) 53,248 bytes

Directory of C:\WINDOWS\CREATOR\BAK

12/14/2004 01:23 AM 663,552 Remind_XP.exe
1 File(s) 663,552 bytes

Directory of C:\WINDOWS\EHOME\BAK

09/29/2005 08:01 PM 67,584 ehtray.exe
1 File(s) 67,584 bytes

Directory of C:\WINDOWS\SMINST\BAK

07/22/2005 09:14 PM 237,568 RECGUARD.EXE
1 File(s) 237,568 bytes

Directory of C:\WINDOWS\TEMP\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\BROADJ~1\CLIENT~1\BAK

09/10/2002 08:26 PM 368,706 CFD.exe
1 File(s) 368,706 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COREL\CORELS~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPBOOT~1\BAK

02/15/2006 09:34 PM 249,856 HPBootOp.exe
1 File(s) 249,856 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

12/15/2005 05:18 PM 49,152 HPwuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\YAHOO!\BROWSER\BAK

07/21/2006 03:19 PM 129,536 ybrwicon.exe
1 File(s) 129,536 bytes

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

10/26/2006 09:21 PM 4,662,776 YAHOOM~1.EXE
1 File(s) 4,662,776 bytes

Directory of C:\PROGRA~1\YAHOO!\YOP\BAK

07/21/2006 09:43 AM 407,032 yop.exe
1 File(s) 407,032 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~2\BAK

11/02/2004 02:59 PM 218,240 UsrPrmpt.exe
1 File(s) 218,240 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~2\12908~1.847\BAK

12/16/2006 05:50 PM 165,304 GoogleToolbarNotifier.exe
1 File(s) 165,304 bytes

Directory of C:\PROGRA~1\HP\DIGITA~1\{33D6C~1\BAK

06/01/2005 10:35 PM 49,152 hphupd08.exe
1 File(s) 49,152 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

90112 Mar 20 2006 "C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe1167274216"
90112 Mar 20 2006 "C:\Program Files\HP DigitalMedia Archive\bak\DMAScheduler.exe"
53248 Jan 11 2008 "C:\Program Files\PC-Doctor 5 for Windows\RunProfiler.exe"
53248 Jan 19 2006 "C:\Program Files\PC-Doctor 5 for Windows\bak\RunProfiler.exe"
53248 Jan 19 2006 "D:\MiniNT\PC-Doctor 5 for Win PE\RunProfiler.exe"
663552 Feb 4 2008 "C:\WINDOWS\CREATOR\Remind_XP.exe"
663552 Dec 14 2004 "C:\WINDOWS\CREATOR\bak\Remind_XP.exe"
64512 Aug 5 2005 "C:\WINDOWS\$NtUninstallKB908246$\ehtray.exe"
67584 Sep 29 2005 "C:\WINDOWS\ehome\ehtray.exe"
67584 Sep 29 2005 "C:\WINDOWS\ehome\bak\ehtray.exe"
237568 Feb 4 2008 "C:\WINDOWS\SMINST\RECGUARD.EXE"
237568 Jul 22 2005 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
368640 Feb 4 2008 "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
368706 Sep 10 2002 "C:\Program Files\BroadJump\Client Foundation\bak\CFD.exe"
249856 Feb 4 2008 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe"
249856 Feb 15 2006 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe"
49152 Dec 15 2005 "C:\Program Files\HP\HP Software Update\HPwuSchd2.exe1167274221"
49152 Dec 15 2005 "C:\Program Files\HP\HP Software Update\bak\HPwuSchd2.exe"
129536 Feb 4 2008 "C:\Program Files\Yahoo!\browser\ybrwicon.exe"
129536 Jul 21 2006 "C:\Program Files\Yahoo!\browser\bak\ybrwicon.exe"
4670968 Mar 1 2007 "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
4662776 Oct 26 2006 "C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE"
509224 Jun 26 2007 "C:\Program Files\Yahoo!\YOP\yop.exe"
407032 Jul 21 2006 "C:\Program Files\Yahoo!\YOP\bak\yop.exe"
218240 Jan 12 2008 "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
218240 Nov 2 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe"
52272 Feb 23 2008 "C:\Program Files\Google\googletoolbar3user.exe"
61440 Sep 14 2006 "C:\Program Files\Google\Google Earth\googleearth.exe"
559784 May 14 2006 "C:\Program Files\Common Files\Real\GToolbar\GoogleToolbarInstaller.exe"
138168 Feb 23 2008 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
171448 Jan 19 2008 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"
165304 Dec 16 2006 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\bak\GoogleToolbarNotifier.exe"
49152 Feb 4 2008 "C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe"
49152 Jun 1 2005 "C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak\hphupd08.exe"


end of report
  • 0
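The replacement pattern kahdah describes two posts up (live executable swapped for an infected one, the original moved into a bak folder) can be checked mechanically from a FindAWF report like the one just posted. The Python script below is an added example for this thread; it is not part of FindAWF or of any post here. It parses the "Duplicate files of bak directory contents" lines, pairs each bak\ copy with the same-named file one level up, and classifies the pair. The SAMPLE_REPORT text is constructed in the report's format, and the status names and function names are the example's own.

```python
"""Pair FindAWF 'Duplicate files' entries with their bak\\ copies.

Added example for this thread; not part of FindAWF or of the forum posts.
Assumed input format (taken from the report above):
    <size> <Mon> <day> <year> "<full path>"
Status names and the SAMPLE_REPORT text are the example's own.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional

# One report line: size, "Mon d yyyy", quoted path.
LINE_RE = re.compile(r'^\s*(\d+)\s+([A-Z][a-z]{2}\s+\d{1,2}\s+\d{4})\s+"(.+)"\s*$')

# Constructed sample in the FindAWF report format (not a real machine's listing).
SAMPLE_REPORT = r"""
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

237568 Feb 4 2008 "C:\WINDOWS\SMINST\RECGUARD.EXE"
237568 Jul 22 2005 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
368640 Feb 4 2008 "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
368706 Sep 10 2002 "C:\Program Files\BroadJump\Client Foundation\bak\CFD.exe"
67584 Sep 29 2005 "C:\WINDOWS\ehome\ehtray.exe"
67584 Sep 29 2005 "C:\WINDOWS\ehome\bak\ehtray.exe"
4662776 Oct 26 2006 "C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE"

end of report
"""


def parse_entries(report: str) -> List[dict]:
    """Return every size/date/path triple found in the report text."""
    entries = []
    for line in report.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # directory listings, headers, blank lines
        size, date_s, path = m.groups()
        entries.append({"size": int(size),
                        "date": datetime.strptime(date_s, "%b %d %Y"),
                        "path": path})
    return entries


def live_path_for(bak_path: str) -> Optional[str]:
    """Map <dir>\\bak\\<name> to <dir>\\<name> (case-insensitive on 'bak')."""
    idx = bak_path.lower().find("\\bak\\")
    if idx < 0:
        return None
    return bak_path[:idx] + "\\" + bak_path[idx + len("\\bak\\"):]


def pair_with_originals(report: str) -> Dict[str, dict]:
    """For each bak\\ copy, find the live file one level up and classify it:
    replaced      - live file differs in size or date: restore candidate
    unchanged     - identical size and date (still hash it before trusting it)
    no_live_copy  - no same-name file beside bak (8.3 name, renamed, deleted)
    """
    entries = parse_entries(report)
    by_path = {e["path"].lower(): e for e in entries}
    results: Dict[str, dict] = {}
    for bak in entries:
        live_path = live_path_for(bak["path"])
        if live_path is None:
            continue  # this entry is itself a live file, not a bak copy
        live = by_path.get(live_path.lower())
        if live is None:
            status = "no_live_copy"
        elif live["size"] == bak["size"] and live["date"] == bak["date"]:
            status = "unchanged"
        else:
            status = "replaced"
        results[live_path] = {"status": status, "bak": bak, "live": live}
    return results


def restore_candidates(report: str) -> List[str]:
    """Live paths whose bak\\ copy should be put back (FindAWF option 2)."""
    pairs = pair_with_originals(report)
    return sorted(p for p, r in pairs.items() if r["status"] == "replaced")


if __name__ == "__main__":
    for path, r in sorted(pair_with_originals(SAMPLE_REPORT).items()):
        print(f"{r['status']:<13} {path}")
```

A size mismatch or a newer date on the live copy is exactly what FindAWF's option 2 restores from bak; a matching size and date is only weak evidence that the live file was never touched, so hash it or check its signature before trusting it. Short 8.3 names such as YAHOOM~1.EXE do not pair with their long-name counterparts and come back as no_live_copy for manual inspection. In the report above, note that most of the replaced live files carry the same Feb 4 2008 date while their bak copies keep their original 2002 to 2006 dates; that timestamp cluster is the quickest tell.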





