Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Smitfraud-C.CoreService Issue [RESOLVED]

Started by cbuschor , Jun 16 2008 01:36 PM

  • This topic is locked This topic is locked

#1
cbuschor
Posted 16 June 2008 - 01:36 PM

cbuschor

    Member

  • Member
  • PipPip
  • 10 posts
I have run AVG, Spybot, SUPERAntiSpyware and I am still having problems. I have also run SmitFraudFix.

My Hijackthis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:15:22, on 6/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\lxdccoms.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark 1300 Series\lxdcamon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wpad-van.sint...kn.com/wpad.dat
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll (file missing)
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll (file missing)
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: (no name) - {28D8912D-C0B5-42DE-B42C-5FE22D6A2332} - C:\WINDOWS\system32\d3dram.dll
O2 - BHO: (no name) - {3E489DCE-5903-5BA6-0261-5C00CEBF8ACE} - C:\WINDOWS\system32\vbddlq.dll
O2 - BHO: (no name) - {4A01000A-960F-4502-A339-8EB9CEF8ECB5} - C:\Program Files\Internet Explorer\hokevofa.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\system32\2s56aql3.dll
O2 - BHO: 0 - {85EB64C6-5955-486D-3B96-87FAB8BA78EF} - C:\Program Files\Windows Media Player\lavu.dll (file missing)
O2 - BHO: (no name) - {9484D992-B516-4338-8C2E-B6C5571E6F2d} - C:\WINDOWS\system32\ycjcmufy.dll (file missing)
O2 - BHO: (no name) - {A3D78917-8551-436D-8A06-F685E297D4F4} - C:\WINDOWS\system32\awvwu.dll (file missing)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {D390EED3-FD78-442A-A91E-22C4AF7E0BCF} - C:\Program Files\Outlook Express\hokevofa.dll
O2 - BHO: (no name) - {E3B6A570-3BB2-6216-EC2F-3876694D06CA} - C:\WINDOWS\system32\xahp.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe \RESET
O4 - HKLM\..\Run: [lxdcmon.exe] "C:\Program Files\Lexmark 1300 Series\lxdcmon.exe"
O4 - HKLM\..\Run: [lxdcamon] "C:\Program Files\Lexmark 1300 Series\lxdcamon.exe"
O4 - HKLM\..\Run: [LXDCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [xrunwin] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [Bhs] "C:\Program Files\??stem\?poolsv.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Tdbujzb] C:\WINDOWS\system32\??crosoft.NET\??ool32.exe
O4 - HKCU\..\Run: [Eigdmmwt] "C:\Program Files\W?nSxS\l?[bleep].exe"
O4 - HKCU\..\Run: [Tavh] "C:\Documents and Settings\USER\Application Data\?icrosoft\w?aclt.exe"
O4 - HKCU\..\Run: [Khceklj] C:\WINDOWS\system32\a?sembly\??rvices.exe
O4 - HKCU\..\Run: [Jybo] "C:\Documents and Settings\USER\Application Data\?ecurity\w?nlogon.exe"
O4 - HKCU\..\Run: [Asz] "C:\Program Files\Common Files\M?crosoft\?ti2evxx.exe"
O4 - HKCU\..\Run: [Omkom] "C:\Program Files\Common Files\F?nts\m?dtc.exe"
O4 - HKCU\..\Run: [Wuvv] "C:\Program Files\??stem\r?ndll.exe"
O4 - HKCU\..\Run: [Rya] C:\WINDOWS\system32\s?stem\l?gonui.exe
O4 - HKCU\..\Run: [Putfqlm] "C:\Program Files\Common Files\??stem\j?vaw.exe"
O4 - HKCU\..\Run: [Thzdab] C:\WINDOWS\system32\?icrosoft.NET\?canregw.exe
O4 - HKCU\..\Run: [Wdosffvd] "C:\Program Files\?dobe\e?plorer.exe"
O4 - HKCU\..\Run: [Roy] C:\WINDOWS\?ymantec\n?tdde.exe
O4 - HKCU\..\Run: [Xuzhpnl] "C:\Documents and Settings\USER\My Documents\??mantec\m?iexec.exe"
O4 - HKCU\..\Run: [Vilq] C:\WINDOWS\?ymbols\w?auboot.exe
O4 - HKCU\..\Run: [Okznqxvv] "C:\Documents and Settings\USER\Application Data\?ecurity\??chost.exe"
O4 - HKCU\..\Run: [SpyShredder] C:\Program Files\SpyShredder\SpyShredder.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Xjg] "C:\Documents and Settings\USER\Application Data\W?nSxS\d?xplore.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [svchost] C:\WINDOWS\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadc...easeInstall.cab
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} (WebInstall Class) - http://scanner2.malw...tup/webinst.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.co...loadControl.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: awvwu - C:\WINDOWS\system32\awvwu.dll (file missing)
O20 - Winlogon Notify: ssqqrol - ssqqrol.dll (file missing)
O21 - SSODL: mssms - {091D9FBF-3D00-4565-B001-2FEC8976FF6C} - C:\WINDOWS\mssms.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: lxdc_device - - C:\WINDOWS\system32\lxdccoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9749 bytes
  • 0

Advertisements

#2
Essexboy
Posted 16 June 2008 - 01:54 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi you appear to have a nice variety of infections there, so lets see about clearing you up :)

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {28D8912D-C0B5-42DE-B42C-5FE22D6A2332} - C:\WINDOWS\system32\d3dram.dll
O2 - BHO: (no name) - {3E489DCE-5903-5BA6-0261-5C00CEBF8ACE} - C:\WINDOWS\system32\vbddlq.dll
O2 - BHO: (no name) - {4A01000A-960F-4502-A339-8EB9CEF8ECB5} - C:\Program Files\Internet Explorer\hokevofa.dll
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\system32\2s56aql3.dll
O2 - BHO: 0 - {85EB64C6-5955-486D-3B96-87FAB8BA78EF} - C:\Program Files\Windows Media Player\lavu.dll (file missing)
O2 - BHO: (no name) - {9484D992-B516-4338-8C2E-B6C5571E6F2d} - C:\WINDOWS\system32\ycjcmufy.dll (file missing)
O2 - BHO: (no name) - {A3D78917-8551-436D-8A06-F685E297D4F4} - C:\WINDOWS\system32\awvwu.dll (file missing)
O2 - BHO: (no name) - {D390EED3-FD78-442A-A91E-22C4AF7E0BCF} - C:\Program Files\Outlook Express\hokevofa.dll
O2 - BHO: (no name) - {E3B6A570-3BB2-6216-EC2F-3876694D06CA} - C:\WINDOWS\system32\xahp.dll
O4 - HKCU\..\Run: [xrunwin] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [Bhs] "C:\Program Files\??stem\?poolsv.exe"
O4 - HKCU\..\Run: [Tdbujzb] C:\WINDOWS\system32\??crosoft.NET\??ool32.exe
O4 - HKCU\..\Run: [Eigdmmwt] "C:\Program Files\W?nSxS\l?[bleep].exe"
O4 - HKCU\..\Run: [Tavh] "C:\Documents and Settings\USER\Application Data\?icrosoft\w?aclt.exe"
O4 - HKCU\..\Run: [Khceklj] C:\WINDOWS\system32\a?sembly\??rvices.exe
O4 - HKCU\..\Run: [Jybo] "C:\Documents and Settings\USER\Application Data\?ecurity\w?nlogon.exe"
O4 - HKCU\..\Run: [Asz] "C:\Program Files\Common Files\M?crosoft\?ti2evxx.exe"
O4 - HKCU\..\Run: [Omkom] "C:\Program Files\Common Files\F?nts\m?dtc.exe"
O4 - HKCU\..\Run: [Wuvv] "C:\Program Files\??stem\r?ndll.exe"
O4 - HKCU\..\Run: [Rya] C:\WINDOWS\system32\s?stem\l?gonui.exe
O4 - HKCU\..\Run: [Putfqlm] "C:\Program Files\Common Files\??stem\j?vaw.exe"
O4 - HKCU\..\Run: [Thzdab] C:\WINDOWS\system32\?icrosoft.NET\?canregw.exe
O4 - HKCU\..\Run: [Wdosffvd] "C:\Program Files\?dobe\e?plorer.exe"
O4 - HKCU\..\Run: [Roy] C:\WINDOWS\?ymantec\n?tdde.exe
O4 - HKCU\..\Run: [Xuzhpnl] "C:\Documents and Settings\USER\My Documents\??mantec\m?iexec.exe"
O4 - HKCU\..\Run: [Vilq] C:\WINDOWS\?ymbols\w?auboot.exe
O4 - HKCU\..\Run: [Okznqxvv] "C:\Documents and Settings\USER\Application Data\?ecurity\??chost.exe"
O4 - HKCU\..\Run: [Xjg] "C:\Documents and Settings\USER\Application Data\W?nSxS\d?xplore.exe"
O20 - Winlogon Notify: awvwu - C:\WINDOWS\system32\awvwu.dll (file missing)
O20 - Winlogon Notify: ssqqrol - ssqqrol.dll (file missing)
O21 - SSODL: mssms - {091D9FBF-3D00-4565-B001-2FEC8976FF6C} - C:\WINDOWS\mssms.dll (file missing)


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

THEN

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\d3dram.dll
C:\WINDOWS\system32\vbddlq.dll
C:\Program Files\Internet Explorer\hokevofa.dll
C:\WINDOWS\system32\2s56aql3.dll
C:\Program Files\Windows Media Player\lavu.dll 
C:\WINDOWS\system32\ycjcmufy.dll 
C:\WINDOWS\system32\awvwu.dll 
C:\Program Files\Outlook Express\hokevofa.dll
C:\WINDOWS\system32\xahp.dll
C:\WINDOWS\system32\awvwu.dll 
C:\WINDOWS\mssms.dll 
C:\WINDOWS\system32\ssqqrol.dll 
Purity
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

FINALLY FOR NOW

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log and OTMoveit
  • 0

#3
cbuschor
Posted 17 June 2008 - 09:06 AM

cbuschor

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
ComboFix:
ComboFix 08-06-16.2 - USER 2008-06-17 9:53:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.202 [GMT -4:00]
Running from: C:\Documents and Settings\USER\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\USER\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\USER\err.log
C:\Program Files\ssembl~1
C:\temp\17o7
C:\temp\17o7\tmpTF.log
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\msettings.ini
C:\WINDOWS\opera6.ini
C:\WINDOWS\search_res.txt
C:\WINDOWS\system32\dheyltsw.ini
C:\WINDOWS\system32\drivers\core.cache(10).dsk
C:\WINDOWS\system32\drivers\core.cache(11).dsk
C:\WINDOWS\system32\drivers\core.cache(12).dsk
C:\WINDOWS\system32\drivers\core.cache(13).dsk
C:\WINDOWS\system32\drivers\core.cache(14).dsk
C:\WINDOWS\system32\drivers\core.cache(15).dsk
C:\WINDOWS\system32\drivers\core.cache(16).dsk
C:\WINDOWS\system32\drivers\core.cache(17).dsk
C:\WINDOWS\system32\drivers\core.cache(18).dsk
C:\WINDOWS\system32\drivers\core.cache(19).dsk
C:\WINDOWS\system32\drivers\core.cache(2).dsk
C:\WINDOWS\system32\drivers\core.cache(20).dsk
C:\WINDOWS\system32\drivers\core.cache(21).dsk
C:\WINDOWS\system32\drivers\core.cache(22).dsk
C:\WINDOWS\system32\drivers\core.cache(23).dsk
C:\WINDOWS\system32\drivers\core.cache(24).dsk
C:\WINDOWS\system32\drivers\core.cache(25).dsk
C:\WINDOWS\system32\drivers\core.cache(26).dsk
C:\WINDOWS\system32\drivers\core.cache(27).dsk
C:\WINDOWS\system32\drivers\core.cache(28).dsk
C:\WINDOWS\system32\drivers\core.cache(29).dsk
C:\WINDOWS\system32\drivers\core.cache(3).dsk
C:\WINDOWS\system32\drivers\core.cache(30).dsk
C:\WINDOWS\system32\drivers\core.cache(31).dsk
C:\WINDOWS\system32\drivers\core.cache(32).dsk
C:\WINDOWS\system32\drivers\core.cache(33).dsk
C:\WINDOWS\system32\drivers\core.cache(34).dsk
C:\WINDOWS\system32\drivers\core.cache(35).dsk
C:\WINDOWS\system32\drivers\core.cache(36).dsk
C:\WINDOWS\system32\drivers\core.cache(37).dsk
C:\WINDOWS\system32\drivers\core.cache(38).dsk
C:\WINDOWS\system32\drivers\core.cache(39).dsk
C:\WINDOWS\system32\drivers\core.cache(4).dsk
C:\WINDOWS\system32\drivers\core.cache(40).dsk
C:\WINDOWS\system32\drivers\core.cache(41).dsk
C:\WINDOWS\system32\drivers\core.cache(42).dsk
C:\WINDOWS\system32\drivers\core.cache(43).dsk
C:\WINDOWS\system32\drivers\core.cache(44).dsk
C:\WINDOWS\system32\drivers\core.cache(45).dsk
C:\WINDOWS\system32\drivers\core.cache(46).dsk
C:\WINDOWS\system32\drivers\core.cache(47).dsk
C:\WINDOWS\system32\drivers\core.cache(48).dsk
C:\WINDOWS\system32\drivers\core.cache(49).dsk
C:\WINDOWS\system32\drivers\core.cache(5).dsk
C:\WINDOWS\system32\drivers\core.cache(50).dsk
C:\WINDOWS\system32\drivers\core.cache(51).dsk
C:\WINDOWS\system32\drivers\core.cache(52).dsk
C:\WINDOWS\system32\drivers\core.cache(53).dsk
C:\WINDOWS\system32\drivers\core.cache(54).dsk
C:\WINDOWS\system32\drivers\core.cache(55).dsk
C:\WINDOWS\system32\drivers\core.cache(56).dsk
C:\WINDOWS\system32\drivers\core.cache(57).dsk
C:\WINDOWS\system32\drivers\core.cache(58).dsk
C:\WINDOWS\system32\drivers\core.cache(59).dsk
C:\WINDOWS\system32\drivers\core.cache(6).dsk
C:\WINDOWS\system32\drivers\core.cache(60).dsk
C:\WINDOWS\system32\drivers\core.cache(61).dsk
C:\WINDOWS\system32\drivers\core.cache(62).dsk
C:\WINDOWS\system32\drivers\core.cache(63).dsk
C:\WINDOWS\system32\drivers\core.cache(64).dsk
C:\WINDOWS\system32\drivers\core.cache(65).dsk
C:\WINDOWS\system32\drivers\core.cache(66).dsk
C:\WINDOWS\system32\drivers\core.cache(67).dsk
C:\WINDOWS\system32\drivers\core.cache(68).dsk
C:\WINDOWS\system32\drivers\core.cache(69).dsk
C:\WINDOWS\system32\drivers\core.cache(7).dsk
C:\WINDOWS\system32\drivers\core.cache(70).dsk
C:\WINDOWS\system32\drivers\core.cache(71).dsk
C:\WINDOWS\system32\drivers\core.cache(72).dsk
C:\WINDOWS\system32\drivers\core.cache(73).dsk
C:\WINDOWS\system32\drivers\core.cache(74).dsk
C:\WINDOWS\system32\drivers\core.cache(75).dsk
C:\WINDOWS\system32\drivers\core.cache(76).dsk
C:\WINDOWS\system32\drivers\core.cache(77).dsk
C:\WINDOWS\system32\drivers\core.cache(78).dsk
C:\WINDOWS\system32\drivers\core.cache(79).dsk
C:\WINDOWS\system32\drivers\core.cache(8).dsk
C:\WINDOWS\system32\drivers\core.cache(80).dsk
C:\WINDOWS\system32\drivers\core.cache(81).dsk
C:\WINDOWS\system32\drivers\core.cache(82).dsk
C:\WINDOWS\system32\drivers\core.cache(83).dsk
C:\WINDOWS\system32\drivers\core.cache(84).dsk
C:\WINDOWS\system32\drivers\core.cache(85).dsk
C:\WINDOWS\system32\drivers\core.cache(86).dsk
C:\WINDOWS\system32\drivers\core.cache(87).dsk
C:\WINDOWS\system32\drivers\core.cache(88).dsk
C:\WINDOWS\system32\drivers\core.cache(9).dsk
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\ftrgekkw.ini
C:\WINDOWS\system32\ggbpbrvl.ini
C:\WINDOWS\system32\gxnckofy.dll
C:\WINDOWS\system32\iaddclbi.ini
C:\WINDOWS\system32\jyexipfj.ini
C:\WINDOWS\system32\khmdgndj.ini
C:\WINDOWS\system32\lddnvgvo.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mgmjwvmt.ini
C:\WINDOWS\system32\mgmjwvmt.ini2
C:\WINDOWS\system32\mgmjwvmt.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\muihmtxw.ini
C:\WINDOWS\system32\ogncxemq.ini
C:\WINDOWS\system32\ojsciwjc.ini
C:\WINDOWS\system32\poqkeixv.ini
C:\WINDOWS\system32\pvakpxnw.ini
C:\WINDOWS\system32\qcuplbls.ini
C:\WINDOWS\system32\qnefpffo.ini
C:\WINDOWS\system32\qxtuvkld.ini
C:\WINDOWS\system32\smpi1
C:\WINDOWS\system32\tmvwjmgm.dll
C:\WINDOWS\system32\uddwgdub.ini
C:\WINDOWS\system32\usmmjsrd.ini
C:\WINDOWS\system32\uwvwa.bak1
C:\WINDOWS\system32\uwvwa.bak2
C:\WINDOWS\system32\uwvwa.ini
C:\WINDOWS\system32\uwvwa.ini2
C:\WINDOWS\system32\uwvwa.tmp
C:\WINDOWS\system32\veacntgb.ini
C:\WINDOWS\system32\vscdlbmn.ini
C:\WINDOWS\system32\wggksqds.ini2
C:\WINDOWS\system32\wggksqds.tmp
C:\WINDOWS\system32\wkkegrtf.dll
C:\WINDOWS\system32\xggpglvk.ini2
C:\WINDOWS\system32\xspbyucb.ini
C:\WINDOWS\system32\yfokcnxg.ini

----- BITS: Possible infected sites -----

hxxp://nmextensions.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CORE
-------\Service_core


((((((((((((((((((((((((( Files Created from 2008-05-17 to 2008-06-17 )))))))))))))))))))))))))))))))
.

2008-06-17 08:32 . 2008-06-17 08:32 <DIR> d-------- C:\_OTMoveIt
2008-06-16 15:09 . 2008-06-16 15:09 1,278 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-14 14:14 . 2008-06-15 08:00 <DIR> d-------- C:\Documents and Settings\kids\Application Data\AVG7
2008-06-14 14:12 . 2008-06-14 14:12 <DIR> d-------- C:\Documents and Settings\kids
2008-06-13 18:32 . 2008-06-13 18:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-13 17:36 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 17:36 . 2008-04-14 07:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-13 16:24 . 2008-06-13 16:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-13 14:08 . 2008-06-16 12:26 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-13 14:08 . 2008-06-13 14:08 <DIR> d-------- C:\Documents and Settings\USER\Application Data\SUPERAntiSpyware.com
2008-06-12 09:20 . 2008-06-12 09:21 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-12 09:20 . 2008-06-12 09:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-08 12:50 . 2008-06-08 12:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-06-08 12:41 . 2003-09-03 16:45 274,432 --a------ C:\WINDOWS\system32\FFTIFF16.dll
2008-06-08 12:41 . 2006-07-12 14:39 208,896 --a------ C:\WINDOWS\system32\FFRafShellEx.dll
2008-06-08 12:41 . 2004-07-24 21:28 155,648 --a------ C:\WINDOWS\system32\FFRAFLIB.DLL
2008-06-08 12:38 . 2008-06-08 12:38 <DIR> d-------- C:\Documents and Settings\USER\Application Data\InstallShield
2008-05-30 01:07 . 2008-06-08 12:50 <DIR> d-------- C:\Program Files\Apple Software Update
2008-05-30 01:03 . 2008-06-13 13:38 <DIR> d-------- C:\Documents and Settings\USER\Application Data\FUJIFILM
2008-05-30 01:01 . 2008-06-17 09:49 <DIR> d-------- C:\Program Files\FinePixViewer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-17 12:00 --------- d-----w C:\Documents and Settings\USER\Application Data\AVG7
2008-06-14 14:52 --------- d-----w C:\Program Files\LimeWire
2008-06-13 22:31 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-12 13:34 374 ----a-w C:\Documents and Settings\USER\Application Data\internaldb6334.dat
2008-06-11 16:27 18,432 ----a-w C:\Documents and Settings\USER\Application Data\internaldb41.dat
2008-06-11 16:26 555 ----a-w C:\Documents and Settings\USER\Application Data\internaldb8467.dat
2008-06-08 16:54 --------- d-----w C:\Program Files\QuickTime
2008-06-08 16:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-08 16:26 --------- d-----w C:\Program Files\Lx_cats
2008-05-30 05:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-16 11:04 --------- d-----w C:\Documents and Settings\USER\Application Data\OpenOffice.org2
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{28D8912D-C0B5-42DE-B42C-5FE22D6A2332}]
2008-02-19 13:25 98048 --a------ C:\WINDOWS\system32\d3dram.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-06-16 12:26 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCTVOICE"="pctspk.exe" [2003-02-24 18:35 163840 C:\WINDOWS\system32\pctspk.exe]
"zzzHPSETUP"="D:\Setup.exe" [ ]
"lxdcmon.exe"="C:\Program Files\Lexmark 1300 Series\lxdcmon.exe" [ ]
"lxdcamon"="C:\Program Files\Lexmark 1300 Series\lxdcamon.exe" [2007-02-05 19:32 20480]
"LXDCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll" [2007-01-22 18:05 102400]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 16:49 49152]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-23 09:03 579584]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-19 20:08 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ExifLauncher2.lnk - C:\Program Files\FinePixViewer\QuickDCF2.exe [2008-06-08 12:42:03 303104]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 20:28:24 258048]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 20:50:52 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"svchost"= C:\WINDOWS\svchost.exe

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-06-16 12:25 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-06-16 12:26 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\system32\LgNotify.dll 2005-07-05 04:33 188482 C:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\WINDOWS\\system32\\lxdccoms.exe"=
"C:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe"=
"C:\\Program Files\\Lexmark 1300 Series\\App4R.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R0 wsqdqixr;wsqdqixr;C:\WINDOWS\system32\drivers\xjhgicnc.dat []
R2 lxdc_device;lxdc_device;C:\WINDOWS\system32\lxdccoms.exe [2007-02-12 19:56]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys [2005-04-22 00:58]
S3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family Driver;C:\WINDOWS\system32\DRIVERS\cben5.sys [2001-08-17 08:13]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2002-11-22 23:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76366070-396f-11dd-97bb-009096b6aa61}]
\Shell\AutoRun\command - E:\LinksysConnectPC.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-11 23:02:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-17 13:39:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-17 10:05:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\wsqdqixr]
"ImagePath"="system32\drivers\xjhgicnc.dat"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\WINDOWS\system32\scardsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
.
**************************************************************************
.
Completion time: 2008-06-17 10:12:03 - machine was rebooted [USER]
ComboFix-quarantined-files.txt 2008-06-17 14:11:54

Pre-Run: 28,113,747,968 bytes free
Post-Run: 28,115,886,080 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

297 --- E O F --- 2008-06-16 15:45:26

MoveIt:
LoadLibrary failed for C:\WINDOWS\system32\d3dram.dll
C:\WINDOWS\system32\d3dram.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\d3dram.dll scheduled to be moved on reboot.
File/Folder C:\WINDOWS\systm32\vbddlq.dll not found.
File/Folder C:\Program Files\Internet Explorer\hokevofa.dll not found.
File/Folder C:\WINDOWS\system32\2s56aql3.dll not found.
File/Folder C:\Program Files\Windows Media Player\lavu.dll not found.
File/Folder C:\WINDOWS\system32\ycjcmufy.dll not found.
File/Folder C:\WINDOWS\system32\awvwu.dll not found.
File/Folder C:\Program Files\Outlook Express\hokevofa.dll not found.
File/Folder C:\WINDOWS\system32\xahp.dll not found.
File/Folder C:\WINDOWS\system32\awvwu.dll not found.
File/Folder C:\WINDOWS\mssms.dll not found.
File/Folder C:\WINDOWS\system32\ssqqrol.dll not found.
< Purity >
C:\WINDOWS\АppPatch moved successfully.
C:\WINDOWS\ΑppPatch moved successfully.
C:\WINDOWS\Ѕymantec moved successfully.
C:\WINDOWS\ѕymbols moved successfully.
C:\WINDOWS\system32\aѕsembly moved successfully.
C:\WINDOWS\system32\аѕsembly moved successfully.
C:\WINDOWS\system32\Μicrosoft.NET moved successfully.
C:\WINDOWS\system32\Міcrosoft.NET moved successfully.
C:\WINDOWS\system32\sуstem moved successfully.
C:\Program Files\Αdobe moved successfully.
C:\Program Files\Аdobe moved successfully.
C:\Program Files\Mіcrosoft moved successfully.
C:\Program Files\ѕуstem moved successfully.
C:\Program Files\WіnSxS moved successfully.
C:\Program Files\Common Files\Fοnts moved successfully.
C:\Program Files\Common Files\Mіcrosoft moved successfully.
C:\Program Files\Common Files\ѕуstem moved successfully.
C:\Program Files\Common Files\sуstem32 moved successfully.
C:\Program Files\Common Files\Tаsks moved successfully.
C:\Documents and Settings\USER\My Documents\аѕsembly moved successfully.
C:\Documents and Settings\USER\My Documents\Μicrosoft moved successfully.
C:\Documents and Settings\USER\My Documents\Ѕуmantec moved successfully.
C:\Documents and Settings\USER\My Documents\ѕуmbols\ѕуmbols moved successfully.
C:\Documents and Settings\USER\My Documents\ѕуmbols\bak moved successfully.
C:\Documents and Settings\USER\My Documents\ѕуmbols moved successfully.
C:\Documents and Settings\USER\My Documents\ѕуstem moved successfully.
C:\Documents and Settings\USER\My Documents\ѕуstem32 moved successfully.
C:\Documents and Settings\USER\Application Data\Мicrosoft moved successfully.
C:\Documents and Settings\USER\Application Data\Οracle moved successfully.
C:\Documents and Settings\USER\Application Data\ѕecurity moved successfully.
C:\Documents and Settings\USER\Application Data\Тasks moved successfully.
C:\Documents and Settings\USER\Application Data\WіnSxS moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06172008_083254

HiJack:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:00:35, on 6/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\lxdccoms.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lexmark 1300 Series\lxdcamon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wpad-van.sint...kn.com/wpad.dat
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll (file missing)
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll (file missing)
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: (no name) - {28D8912D-C0B5-42DE-B42C-5FE22D6A2332} - C:\WINDOWS\system32\d3dram.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe \RESET
O4 - HKLM\..\Run: [lxdcmon.exe] "C:\Program Files\Lexmark 1300 Series\lxdcmon.exe"
O4 - HKLM\..\Run: [lxdcamon] "C:\Program Files\Lexmark 1300 Series\lxdcamon.exe"
O4 - HKLM\..\Run: [LXDCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [svchost] C:\WINDOWS\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} (WebInstall Class) - http://scanner2.malw...tup/webinst.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.co...loadControl.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: lxdc_device - - C:\WINDOWS\system32\lxdccoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6797 bytes

Sorry this took so long. Thank you so much for this help, I would be lost without your instruction.
  • 0

#4
Essexboy
Posted 17 June 2008 - 11:29 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
No problem on the time. A few stubborn ones to remove, and then we shall see how it goes

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Driver::
wsqdqixr

File::
C:\WINDOWS\system32\d3dram.dll
C:\WINDOWS\system32\drivers\xjhgicnc.dat 

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{28D8912D-C0B5-42DE-B42C-5FE22D6A2332}]

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0

#5
cbuschor
Posted 17 June 2008 - 12:01 PM

cbuschor

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Here you go......

ComboFix 08-06-16.2 - USER 2008-06-17 13:41:11.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.215 [GMT -4:00]
Running from: C:\Documents and Settings\USER\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\USER\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-05-17 to 2008-06-17 )))))))))))))))))))))))))))))))
.

2008-06-17 08:32 . 2008-06-17 08:32 <DIR> d-------- C:\_OTMoveIt
2008-06-16 15:09 . 2008-06-16 15:09 1,278 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-14 14:14 . 2008-06-15 08:00 <DIR> d-------- C:\Documents and Settings\kids\Application Data\AVG7
2008-06-14 14:12 . 2008-06-14 14:12 <DIR> d-------- C:\Documents and Settings\kids
2008-06-13 18:32 . 2008-06-13 18:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-13 17:36 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 17:36 . 2008-04-14 07:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-13 16:24 . 2008-06-13 16:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-13 14:08 . 2008-06-16 12:26 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-13 14:08 . 2008-06-13 14:08 <DIR> d-------- C:\Documents and Settings\USER\Application Data\SUPERAntiSpyware.com
2008-06-12 09:20 . 2008-06-12 09:21 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-12 09:20 . 2008-06-12 09:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-08 12:50 . 2008-06-08 12:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-06-08 12:41 . 2003-09-03 16:45 274,432 --a------ C:\WINDOWS\system32\FFTIFF16.dll
2008-06-08 12:41 . 2006-07-12 14:39 208,896 --a------ C:\WINDOWS\system32\FFRafShellEx.dll
2008-06-08 12:41 . 2004-07-24 21:28 155,648 --a------ C:\WINDOWS\system32\FFRAFLIB.DLL
2008-06-08 12:38 . 2008-06-08 12:38 <DIR> d-------- C:\Documents and Settings\USER\Application Data\InstallShield
2008-05-30 01:07 . 2008-06-08 12:50 <DIR> d-------- C:\Program Files\Apple Software Update
2008-05-30 01:03 . 2008-06-13 13:38 <DIR> d-------- C:\Documents and Settings\USER\Application Data\FUJIFILM
2008-05-30 01:01 . 2008-06-17 10:45 <DIR> d-------- C:\Program Files\FinePixViewer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-17 12:00 --------- d-----w C:\Documents and Settings\USER\Application Data\AVG7
2008-06-14 14:52 --------- d-----w C:\Program Files\LimeWire
2008-06-13 22:31 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-12 13:34 374 ----a-w C:\Documents and Settings\USER\Application Data\internaldb6334.dat
2008-06-11 16:27 18,432 ----a-w C:\Documents and Settings\USER\Application Data\internaldb41.dat
2008-06-11 16:26 555 ----a-w C:\Documents and Settings\USER\Application Data\internaldb8467.dat
2008-06-08 16:54 --------- d-----w C:\Program Files\QuickTime
2008-06-08 16:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-08 16:26 --------- d-----w C:\Program Files\Lx_cats
2008-05-30 05:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-16 11:04 --------- d-----w C:\Documents and Settings\USER\Application Data\OpenOffice.org2
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-17_10.11.16.90 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-17 14:03:43 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-17 16:28:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{28D8912D-C0B5-42DE-B42C-5FE22D6A2332}]
2008-02-19 13:25 98048 --a------ C:\WINDOWS\system32\d3dram.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-06-16 12:26 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCTVOICE"="pctspk.exe" [2003-02-24 18:35 163840 C:\WINDOWS\system32\pctspk.exe]
"zzzHPSETUP"="D:\Setup.exe" [ ]
"lxdcmon.exe"="C:\Program Files\Lexmark 1300 Series\lxdcmon.exe" [ ]
"lxdcamon"="C:\Program Files\Lexmark 1300 Series\lxdcamon.exe" [2007-02-05 19:32 20480]
"LXDCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll" [2007-01-22 18:05 102400]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 16:49 49152]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-23 09:03 579584]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-19 20:08 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ExifLauncher2.lnk - C:\Program Files\FinePixViewer\QuickDCF2.exe [2008-06-08 12:42:03 303104]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 20:28:24 258048]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 20:50:52 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"svchost"= C:\WINDOWS\svchost.exe

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-06-16 12:25 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-06-16 12:26 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\system32\LgNotify.dll 2005-07-05 04:33 188482 C:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\WINDOWS\\system32\\lxdccoms.exe"=
"C:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe"=
"C:\\Program Files\\Lexmark 1300 Series\\App4R.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R0 wsqdqixr;wsqdqixr;C:\WINDOWS\system32\drivers\xjhgicnc.dat []
R2 lxdc_device;lxdc_device;C:\WINDOWS\system32\lxdccoms.exe [2007-02-12 19:56]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys [2005-04-22 00:58]
S3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family Driver;C:\WINDOWS\system32\DRIVERS\cben5.sys [2001-08-17 08:13]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2002-11-22 23:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76366070-396f-11dd-97bb-009096b6aa61}]
\Shell\AutoRun\command - E:\LinksysConnectPC.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-11 23:02:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-17 17:39:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-17 13:44:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\wsqdqixr]
"ImagePath"="system32\drivers\xjhgicnc.dat"
.
Completion time: 2008-06-17 13:46:17
ComboFix-quarantined-files.txt 2008-06-17 17:45:57
ComboFix2.txt 2008-06-17 14:12:04

Pre-Run: 28,131,426,304 bytes free
Post-Run: 28,116,164,608 bytes free

136 --- E O F --- 2008-06-16 15:45:26


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:56:14, on 6/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\lxdccoms.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lexmark 1300 Series\lxdcamon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wpad-van.sint...kn.com/wpad.dat
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll (file missing)
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll (file missing)
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: (no name) - {28D8912D-C0B5-42DE-B42C-5FE22D6A2332} - C:\WINDOWS\system32\d3dram.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe \RESET
O4 - HKLM\..\Run: [lxdcmon.exe] "C:\Program Files\Lexmark 1300 Series\lxdcmon.exe"
O4 - HKLM\..\Run: [lxdcamon] "C:\Program Files\Lexmark 1300 Series\lxdcamon.exe"
O4 - HKLM\..\Run: [LXDCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [svchost] C:\WINDOWS\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} (WebInstall Class) - http://scanner2.malw...tup/webinst.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.co...loadControl.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: lxdc_device - - C:\WINDOWS\system32\lxdccoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6797 bytes
  • 0

#6
Essexboy
Posted 17 June 2008 - 12:21 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK it don't wanna go - so its big hammer time

1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:

Drivers to delete:
wsqdqixr

Files to delete:
C:\Documents and Settings\USER\Application Data\internaldb6334.dat
C:\Documents and Settings\USER\Application Data\internaldb41.dat
C:\Documents and Settings\USER\Application Data\internaldb8467.dat
C:\WINDOWS\system32\d3dram.dll
C:\WINDOWS\system32\drivers\xjhgicnc.dat

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh Hijackthis log .
  • 0

#7
cbuschor
Posted 17 June 2008 - 12:35 PM

cbuschor

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
During second boot it went to blue screen with:
STOP: c000021a {Fatal System Error}
The Windows Logon Process system process terminated unexpectedly with a status of 0x00000402 (0x00000000 0x00000000).
The system has been shut down.
  • 0

#8
Essexboy
Posted 17 June 2008 - 12:38 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Did you system restart and was there a log at c:\avenger.txt
  • 0

#9
cbuschor
Posted 17 June 2008 - 12:41 PM

cbuschor

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
No avenger log file.
  • 0

#10
Essexboy
Posted 17 June 2008 - 12:50 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK I will try a different approach (unless Avenger actually killed it )

Download OTScanit to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  • Check the box that says Scan All User Accounts
  • Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
  • Under Additional Scans check the following:
    • File - Additional Folder Scans
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

  • 0

Advertisements

#11
cbuschor
Posted 17 June 2008 - 01:04 PM

cbuschor

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Here is the file.

I checked after a hard boot and the computer was back up and the only thing in the avenger file was a dat file.

Attached Files


  • 0

#12
Essexboy
Posted 17 June 2008 - 01:14 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Looks like Avenger did get it :)

Found one other miscreant to remove and we will then go for a registry sweep to get the orphans

Start OTScanit. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Files/Folders - Modified Within 90 days]
NY -> mxkrxyza.dat -> C:\Documents and Settings\USER\Local Settings\Temp\mxkrxyza.dat
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

THEN

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

How is your computer running now ?
  • 0

#13
cbuschor
Posted 17 June 2008 - 01:37 PM

cbuschor

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Two part reply since I am leaving the office shortly while the scan is running.

Here is the OTScan for now, I will post the Malware log tomorrow.

Thank you so much for spending all this time with me today. :)

[Files\Folders - Modified Within 90 days]
File move failed. C:\Documents and Settings\USER\Local Settings\Temp\mxkrxyza.dat scheduled to be moved on reboot.
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\USER\Local Settings\Temp\~DFA122.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
RecycleBin -> emptied.
< End of fix log >
OTScanIt by OldTimer - Version 1.0.15.15 fix logfile created on 06172008_152055

Files moved on Reboot...
File C:\Documents and Settings\USER\Local Settings\Temp\mxkrxyza.dat not found!
File C:\Documents and Settings\USER\Local Settings\Temp\~DFA122.tmp not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
  • 0

#14
cbuschor
Posted 18 June 2008 - 07:56 AM

cbuschor

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Malware Log:

Malwarebytes' Anti-Malware 1.17
Database version: 864
Executable location: C:\Program Files\Malwarebytes' Anti-Malware
Database location: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref

Username: USER
Windows folder: C:\WINDOWS
System folder: C:\WINDOWS\system32
Root drive: C:
Program Files: C:\Program Files
Common Files: C:\Program Files\Common Files

Desktop: C:\Documents and Settings\All Users\Desktop
Desktop: C:\Documents and Settings\Default User\Desktop
Desktop: C:\Documents and Settings\kids\Desktop
Desktop: C:\Documents and Settings\USER\Desktop

Start Menu: C:\Documents and Settings\All Users\Start Menu
Start Menu: C:\Documents and Settings\Default User\Start Menu
Start Menu: C:\Documents and Settings\kids\Start Menu
Start Menu: C:\Documents and Settings\USER\Start Menu
Start Menu: C:\Documents and Settings\All Users\Start Menu

User Root: C:\Documents and Settings\All Users
User Root: C:\Documents and Settings\Default User
User Root: C:\Documents and Settings\kids
User Root: C:\Documents and Settings\LocalService
User Root: C:\Documents and Settings\NetworkService
User Root: C:\Documents and Settings\USER

Favorite: C:\Documents and Settings\All Users\Favorites
Favorite: C:\Documents and Settings\Default User\Favorites
Favorite: C:\Documents and Settings\kids\Favorites
Favorite: C:\Documents and Settings\USER\Favorites

Application Data: C:\Documents and Settings\All Users\Application Data
Application Data: C:\Documents and Settings\Default User\Application Data
Application Data: C:\Documents and Settings\kids\Application Data
Application Data: C:\Documents and Settings\LocalService\Application Data
Application Data: C:\Documents and Settings\NetworkService\Application Data
Application Data: C:\Documents and Settings\USER\Application Data
Application Data: C:\Documents and Settings\All Users\Application Data

Quick Launch: C:\Documents and Settings\kids\Application Data\Microsoft\Internet Explorer\Quick Launch
Quick Launch: C:\Documents and Settings\USER\Application Data\Microsoft\Internet Explorer\Quick Launch

Temporary Folder: C:\DOCUME~1\Default User\LOCALS~1\Temp
Temporary Folder: C:\DOCUME~1\kids\LOCALS~1\Temp
Temporary Folder: C:\DOCUME~1\LocalService\LOCALS~1\Temp
Temporary Folder: C:\DOCUME~1\NetworkService\LOCALS~1\Temp
Temporary Folder: C:\DOCUME~1\USER\LOCALS~1\Temp
Temporary Folder: C:\WINDOWS\Temp

Then I ran HiJack again:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:52:08, on 6/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\lxdccoms.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark 1300 Series\lxdcamon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\FinePixViewer\FinePixViewer.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wpad-van.sint...kn.com/wpad.dat
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll (file missing)
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll (file missing)
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: (no name) - {28D8912D-C0B5-42DE-B42C-5FE22D6A2332} - C:\WINDOWS\system32\d3dram.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe \RESET
O4 - HKLM\..\Run: [lxdcmon.exe] "C:\Program Files\Lexmark 1300 Series\lxdcmon.exe"
O4 - HKLM\..\Run: [lxdcamon] "C:\Program Files\Lexmark 1300 Series\lxdcamon.exe"
O4 - HKLM\..\Run: [LXDCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [svchost] C:\WINDOWS\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.co...loadControl.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: lxdc_device - - C:\WINDOWS\system32\lxdccoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6774 bytes
  • 0

#15
Essexboy
Posted 18 June 2008 - 01:16 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
How is your system running now ?
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP