Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Trojan shuts off laptop [CLOSED]


  • This topic is locked This topic is locked

#1
darwin7410

darwin7410

    New Member

  • Member
  • Pip
  • 3 posts
I am hoping someone can help! :)

Just helping out a friend who recently had his laptop infected with a trojan virus.
We've been trying to update XP, run various malware/spyware and virus programs, but it doesn't stay on long enough.
I was able to run HJT and pull the logs though:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:27:23 PM, on 6/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\Compaq\COMPAQ~1\Dmi\Win32\bin\Win32sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13F20E4F-F379-41EA-8F80-CCAAE787362A} - C:\WINDOWS\system32\ljJARhHA.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: {ac01ce51-16b8-16b8-c924-dc903e09d326} - {623d90e3-09cd-429c-8b61-8b6115ec10ca} - C:\WINDOWS\system32\wvufqfgx.dll
O2 - BHO: (no name) - {729C287D-F90F-4623-A78D-18F5443CAEF4} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.914.9778\swg.dll
O2 - BHO: (no name) - {C293A517-6FEA-43C8-A682-73A60B3E38E2} - C:\WINDOWS\system32\geBtQhiG.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [c8881a23] rundll32.exe "C:\WINDOWS\system32\wybswjjg.dll",b
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [BMcbbb29bf] Rundll32.exe "C:\WINDOWS\system32\avovitcu.dll",s
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [HP Mobile Printing] C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.goo...5/uploader2.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) -
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1202075325790
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: wvufqfgx.dll,avgrsstx.dll
O20 - Winlogon Notify: ljJARhHA - C:\WINDOWS\SYSTEM32\ljJARhHA.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Insight Local Alerter (CPQALERT) - Hewlett-Packard Company - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Insight Web Agent (cpqWebDmi) - Hewlett-Packard Company - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: Remote Diagnostics Enabling Agent (DfwWebAgent) - Hewlett-Packard - C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\PROGRA~1\Compaq\COMPAQ~1\Dmi\Win32\bin\Win32sl.exe

--
End of file - 9802 bytes
  • 0

Advertisements


#2
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

Just helping out a friend who recently had his laptop infected with a trojan virus.

It is still infected though..

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
  • 0

#3
darwin7410

darwin7410

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Thanks for the help... yes, it's still infected with the Trojan virus.
I'm posting the following logs, as per your request:

ComboFix Log:

ComboFix 08-06-20.4 - Rohit 2008-06-27 11:54:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.202 [GMT -6:00]
Running from: C:\Documents and Settings\Rohit.ROHIT-70CEB8A8E\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Rohit.ROHIT-70CEB8A8E\My Documents\ASKS~1
C:\Documents and Settings\Rohit.ROHIT-70CEB8A8E\My Documents\YSTEM3~1
C:\WINDOWS\BMcbbb29bf.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\GihQtBeg.ini
C:\WINDOWS\system32\GihQtBeg.ini2
C:\WINDOWS\system32\gjjwsbyw.ini
C:\WINDOWS\system32\nGpxx01
.
---- Previous Run -------
.
C:\Program Files\Common Files\fnts~1
C:\Program Files\Common Files\fnts~1\F?nts\
C:\Program Files\Common Files\icroso~1
C:\Program Files\mcroso~1
C:\Temp\isgTi19
C:\Temp\sanR24
C:\Temp\vtmp2
C:\WINDOWS\pskt.ini
C:\WINDOWS\stem~1
C:\WINDOWS\system32\fnts~1
C:\WINDOWS\system32\iDlo01
C:\WINDOWS\system32\mbols~1
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mcroso~1
C:\WINDOWS\system32\mcroso~1.net
C:\WINDOWS\system32\mcroso~1\w?wexec.exe
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\sks~1

.
((((((((((((((((((((((((( Files Created from 2008-05-27 to 2008-06-27 )))))))))))))))))))))))))))))))
.

2008-06-27 12:02 . 2008-06-27 12:02 22 --a------ C:\WINDOWS\pskt.ini
2008-06-27 12:02 . 2008-06-27 12:03 0 --a------ C:\WINDOWS\BMcbbb29bf.xml
2008-06-25 15:26 . 2008-06-25 15:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-24 10:07 . 2008-06-25 08:06 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-24 10:03 . 2008-06-26 09:13 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-24 10:03 . 2008-06-24 10:03 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-24 10:03 . 2008-06-24 10:03 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-24 10:02 . 2008-06-24 10:02 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8
2008-06-23 19:45 . 2008-06-23 19:45 105,472 --a------ C:\WINDOWS\system32\wvufqfgx.dll
2008-06-23 19:43 . 2008-06-23 19:43 91,136 --a------ C:\WINDOWS\system32\avovitcu.dll
2008-06-23 19:43 . 2008-06-23 19:43 81,408 --a------ C:\WINDOWS\system32\wybswjjg.dll
2008-06-23 16:21 . 2008-06-23 16:21 <DIR> d-------- C:\Documents and Settings\Rohit.ROHIT-70CEB8A8E\Application Data\Apple Computer
2008-06-23 16:20 . 2008-06-23 16:20 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-06-23 15:06 . 2008-06-23 15:06 <DIR> d-------- C:\Program Files\AVG
2008-06-23 13:30 . 2008-06-23 16:15 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner
2008-06-23 09:58 . 2008-06-23 09:59 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-06-23 09:45 . 2008-06-23 09:45 0 --a------ C:\WINDOWS\system32\ljJARhHA.dll
2008-06-16 19:12 . 2008-06-16 19:12 <DIR> d-------- C:\WINDOWS\system32\netrax01
2008-06-16 19:12 . 2008-06-16 19:12 <DIR> d-------- C:\TEMP\itmp4
2008-06-10 19:32 . 2008-06-10 19:32 179 --a------ C:\WINDOWS\wininit.ini
2008-06-10 18:54 . 2008-06-23 11:02 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-10 18:54 . 2008-06-23 09:58 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-06-08 01:23 . 2008-06-08 01:23 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconFR.ico
2008-06-07 18:30 . 2008-06-07 19:23 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-06-06 19:31 . 2008-06-06 19:31 68,732 --a------ C:\WINDOWS\system32\10003.sks
2008-06-06 19:31 . 2008-06-06 19:31 2,955 --a------ C:\WINDOWS\system32\10004.sks
2008-06-06 19:31 . 2008-06-06 19:31 2,170 --a------ C:\WINDOWS\system32\10001.sks
2008-06-06 19:31 . 2008-06-06 19:31 889 --a------ C:\WINDOWS\system32\10002.sks
2008-06-06 19:29 . 2008-06-06 19:29 2,380 --a------ C:\WINDOWS\system32\BlockedCookies
2008-06-06 19:28 . 2008-06-23 09:49 <DIR> d-------- C:\Program Files\SpyRemover Pro
2008-06-06 19:28 . 2008-06-23 19:40 1,240 --a------ C:\WINDOWS\system32\sk_bho.ini
2008-06-03 09:13 . 2008-06-03 09:13 <DIR> d-------- C:\WINDOWS\system32\vntiho01
2008-06-02 19:11 . 2008-06-02 19:12 <DIR> d-------- C:\Program Files\QuickTime
2008-06-02 19:11 . 2008-06-02 19:11 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2008-06-02 19:10 . 2008-06-02 19:10 <DIR> d-------- C:\Program Files\Apple Software Update
2008-06-02 19:10 . 2008-06-02 19:10 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple
2008-05-31 10:16 . 2008-05-31 11:14 <DIR> d-------- C:\Documents and Settings\Rohit.ROHIT-70CEB8A8E\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-24 15:59 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-24 02:00 --------- d-----w C:\Program Files\Norton AntiVirus
2008-06-24 01:54 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec
2008-06-23 15:58 --------- d-----w C:\Program Files\Lavasoft
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-16 17:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-10 08:36 --------- d-----w C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Symantec
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-06 02:57 --------- d-----w C:\Program Files\Symantec
2008-05-06 01:25 --------- d-----w C:\Documents and Settings\Rohit.ROHIT-70CEB8A8E\Application Data\Symantec
2008-05-02 21:53 --------- d-----w C:\Program Files\Longman iBT
2008-04-29 17:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 17:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 17:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-29 14:41 7,034,727 ----a-w C:\WINDOWS\system32\SRPRSig.dll
2008-04-29 14:39 5,644,127 ----a-w C:\WINDOWS\system32\SRPFSig.dll
2008-04-29 14:38 505,648 ----a-w C:\WINDOWS\system32\SRPESig.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{623d90e3-09cd-429c-8b61-8b6115ec10ca}]
2008-06-23 19:45 105472 --a------ C:\WINDOWS\system32\wvufqfgx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{729C287D-F90F-4623-A78D-18F5443CAEF4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C293A517-6FEA-43C8-A682-73A60B3E38E2}]
C:\WINDOWS\system32\geBtQhiG.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Mobile Printing"="C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE" [2003-05-23 14:12 630784]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-30 10:01 88267 C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-07-15 13:09 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-07-15 13:08 618496]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 11:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-25 22:10 335872]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-03-01 14:05 200766]
"ChkAdmin"="C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE" [2003-05-12 18:33 81920]
"PRONoMgr.exe"="c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-10 03:36 86016]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-09-17 17:19 290816]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 22:12 49152]
"BluetoothAuthenticationAgent"="bthprops.cpl,,BluetoothAuthenticationAgent" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"c8881a23"="C:\WINDOWS\system32\wybswjjg.dll" [2008-06-23 19:43 81408]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-24 10:02 1177368]
"BMcbbb29bf"="C:\WINDOWS\system32\avovitcu.dll" [2008-06-23 19:43 91136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"CPQDFWAG"="C:\WINDOWS\Cpqdiag\CpqDfwAg.exe" [2003-03-13 17:14 212992]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-06-02 18:48:22 565309]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 22:23:26 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJARhHA]
ljJARhHA.dll 2008-06-23 09:45 0 C:\WINDOWS\system32\ljJARhHA.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
c:\WINDOWS\system32\LgNotify.dll 2003-12-16 17:49 110592 c:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wvufqfgx.dll,avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-24 10:03]
R1 ClntMgmt;HP Client Management Driver;C:\WINDOWS\system32\Drivers\ClntMgmt.sys [2003-03-06 10:50]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-24 10:02]
R2 cpqWebDmi;Insight Web Agent;C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe [2003-05-12 18:38]
R3 CONAN;CONAN;C:\WINDOWS\system32\drivers\o2mmb.sys [2003-07-28 18:49]
R3 MbxStby;MbxStby;C:\WINDOWS\system32\drivers\MbxStby.sys [2003-07-24 08:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d32df480-2f2c-11dd-a3fe-00127956a28a}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d32df481-2f2c-11dd-a3fe-00127956a28a}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe uc.vbs

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-27 12:01:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????8?0?8?4??????? ???B???????????????B? ??????

scanning hidden files ...


C:\WINDOWS\system32\gjjwsbyw.ini 294 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Compaq\Compaq Management Agents\Cpqalert.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\Compaq\COMPAQ~1\Dmi\Win32\bin\Win32sl.exe
C:\PROGRA~1\Compaq\COMPAQ~1\Cpqdmi.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-06-27 12:05:58 - machine was rebooted [Rohit]
ComboFix-quarantined-files.txt 2008-06-27 18:05:52

Pre-Run: 12,707,176,448 bytes free
Post-Run: 13,150,621,696 bytes free

213 --- E O F --- 2008-06-24 01:35:01

HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:08:35 PM, on 6/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Compaq\COMPAQ~1\Dmi\Win32\bin\Win32sl.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: {ac01ce51-16b8-16b8-c924-dc903e09d326} - {623d90e3-09cd-429c-8b61-8b6115ec10ca} - C:\WINDOWS\system32\wvufqfgx.dll
O2 - BHO: (no name) - {729C287D-F90F-4623-A78D-18F5443CAEF4} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.914.9778\swg.dll
O2 - BHO: (no name) - {C293A517-6FEA-43C8-A682-73A60B3E38E2} - C:\WINDOWS\system32\geBtQhiG.dll (file missing)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [c8881a23] rundll32.exe "C:\WINDOWS\system32\wybswjjg.dll",b
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [BMcbbb29bf] Rundll32.exe "C:\WINDOWS\system32\avovitcu.dll",s
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [HP Mobile Printing] C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.goo...5/uploader2.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) -
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1202075325790
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: wvufqfgx.dll,avgrsstx.dll
O20 - Winlogon Notify: ljJARhHA - C:\WINDOWS\SYSTEM32\ljJARhHA.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Insight Local Alerter (CPQALERT) - Hewlett-Packard Company - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Insight Web Agent (cpqWebDmi) - Hewlett-Packard Company - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: Remote Diagnostics Enabling Agent (DfwWebAgent) - Hewlett-Packard - C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\PROGRA~1\Compaq\COMPAQ~1\Dmi\Win32\bin\Win32sl.exe

--
End of file - 9547 bytes
  • 0

#4
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

Please disable AVG during the following step as it may interfere.
Also uninstall Eusing Free Registry Cleaner and SpyRemover Pro if still present in add/remove programs.
Reboot afterwards.

After reboot,

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\gjjwsbyw.ini
C:\WINDOWS\system32\ljJARhHA.dll
C:\WINDOWS\system32\wvufqfgx.dll
C:\WINDOWS\system32\ZoneAlarmIconFR.ico
C:\WINDOWS\pskt.ini
C:\WINDOWS\BMcbbb29bf.xml
C:\WINDOWS\system32\avovitcu.dll
C:\WINDOWS\system32\wybswjjg.dll
C:\WINDOWS\system32\10003.sks
C:\WINDOWS\system32\10004.sks
C:\WINDOWS\system32\10001.sks
C:\WINDOWS\system32\10002.sks
C:\WINDOWS\system32\BlockedCookies
C:\WINDOWS\system32\sk_bho.ini
Folder::
C:\WINDOWS\system32\vntiho01
C:\Program Files\SpyRemover Pro
C:\WINDOWS\system32\netrax01
C:\Program Files\Eusing Free Registry Cleaner
C:\TEMP\itmp4
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{623d90e3-09cd-429c-8b61-8b6115ec10ca}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{729C287D-F90F-4623-A78D-18F5443CAEF4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C293A517-6FEA-43C8-A682-73A60B3E38E2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c8881a23"=-
"BMcbbb29bf"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJARhHA]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"="avgrsstx.dll"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d32df481-2f2c-11dd-a3fe-00127956a28a}]


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
  • 0

#5
darwin7410

darwin7410

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
As per your instructions:

I removed the registry cleaner, but the spyremover is not showing up in add/remove programs.

ComboFix Log:

ComboFix 08-06-20.4 - Rohit 2008-06-30 12:49:18.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.239 [GMT -6:00]
Running from: C:\Documents and Settings\Rohit.ROHIT-70CEB8A8E\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Rohit.ROHIT-70CEB8A8E\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BMcbbb29bf.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\10001.sks
C:\WINDOWS\system32\10002.sks
C:\WINDOWS\system32\10003.sks
C:\WINDOWS\system32\10004.sks
C:\WINDOWS\system32\avovitcu.dll
C:\WINDOWS\system32\BlockedCookies
C:\WINDOWS\system32\gjjwsbyw.ini
C:\WINDOWS\system32\ljJARhHA.dll
C:\WINDOWS\system32\sk_bho.ini
C:\WINDOWS\system32\wvufqfgx.dll
C:\WINDOWS\system32\wybswjjg.dll
C:\WINDOWS\system32\ZoneAlarmIconFR.ico
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Program Files\Eusing Free Registry Cleaner
C:\Program Files\Eusing Free Registry Cleaner\Backup\Backup20080623160518.reg
C:\Program Files\Eusing Free Registry Cleaner\Backup\Backup20080623161527.reg
C:\Program Files\Eusing Free Registry Cleaner\Backup\Backup20080623164927.reg
C:\Program Files\Eusing Free Registry Cleaner\options.ini
C:\Program Files\SpyRemover Pro
C:\Program Files\SpyRemover Pro\ScanHistory.ini
C:\Program Files\SpyRemover Pro\SftTree_IX86_U_50.ocx
C:\Program Files\SpyRemover Pro\SpyRemover Pro_Startup.txt
C:\Program Files\SpyRemover Pro\SpyRemoverPro.exe
C:\Program Files\SpyRemover Pro\SS_BHR.ini
C:\TEMP\itmp4
C:\WINDOWS\BMcbbb29bf.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\10001.sks
C:\WINDOWS\system32\10002.sks
C:\WINDOWS\system32\10003.sks
C:\WINDOWS\system32\10004.sks
C:\WINDOWS\system32\avovitcu.dll
C:\WINDOWS\system32\BlockedCookies
C:\WINDOWS\system32\gjjwsbyw.ini
C:\WINDOWS\system32\ljJARhHA.dll
C:\WINDOWS\system32\netrax01
C:\WINDOWS\system32\sk_bho.ini
C:\WINDOWS\system32\vntiho01
C:\WINDOWS\system32\wvufqfgx.dll
C:\WINDOWS\system32\wybswjjg.dll
C:\WINDOWS\system32\ZoneAlarmIconFR.ico

.
((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-30 )))))))))))))))))))))))))))))))
.

2008-06-25 15:26 . 2008-06-25 15:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-24 10:07 . 2008-06-25 08:06 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-24 10:03 . 2008-06-27 12:04 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-24 10:03 . 2008-06-24 10:03 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-24 10:03 . 2008-06-24 10:03 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-24 10:02 . 2008-06-24 10:02 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8
2008-06-23 16:21 . 2008-06-23 16:21 <DIR> d-------- C:\Documents and Settings\Rohit.ROHIT-70CEB8A8E\Application Data\Apple Computer
2008-06-23 16:20 . 2008-06-23 16:20 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-06-23 15:06 . 2008-06-23 15:06 <DIR> d-------- C:\Program Files\AVG
2008-06-23 09:58 . 2008-06-23 09:59 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-06-10 19:32 . 2008-06-10 19:32 179 --a------ C:\WINDOWS\wininit.ini
2008-06-10 18:54 . 2008-06-23 11:02 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-10 18:54 . 2008-06-23 09:58 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-06-07 18:30 . 2008-06-07 19:23 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-06-02 19:11 . 2008-06-02 19:12 <DIR> d-------- C:\Program Files\QuickTime
2008-06-02 19:11 . 2008-06-02 19:11 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2008-06-02 19:10 . 2008-06-02 19:10 <DIR> d-------- C:\Program Files\Apple Software Update
2008-06-02 19:10 . 2008-06-02 19:10 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple
2008-05-31 10:16 . 2008-05-31 11:14 <DIR> d-------- C:\Documents and Settings\Rohit.ROHIT-70CEB8A8E\Application Data\U3
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2008-05-10 02:36 . 2008-05-10 02:36 <DIR> d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Symantec
2008-05-05 18:47 . 2008-06-23 20:00 <DIR> d-------- C:\Program Files\Norton AntiVirus
2008-05-05 18:45 . 2008-05-05 19:25 <DIR> d-------- C:\Documents and Settings\Rohit.ROHIT-70CEB8A8E\Application Data\Symantec
2008-05-05 18:45 . 2006-09-15 22:52 124,016 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-05 18:45 . 2006-09-15 22:52 91,904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-05 18:41 . 2008-05-05 20:57 <DIR> d-------- C:\Program Files\Symantec
2008-05-05 18:40 . 2008-06-24 09:59 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-05 18:40 . 2008-06-23 19:54 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-23 15:58 --------- d-----w C:\Program Files\Lavasoft
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-02 21:53 --------- d-----w C:\Program Files\Longman iBT
2008-04-29 17:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 17:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 17:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-29 14:41 7,034,727 ----a-w C:\WINDOWS\system32\SRPRSig.dll
2008-04-29 14:39 5,644,127 ----a-w C:\WINDOWS\system32\SRPFSig.dll
2008-04-29 14:38 505,648 ----a-w C:\WINDOWS\system32\SRPESig.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-05 00:52 286,720 ----a-w C:\WINDOWS\system32\libcurl.dll
.

((((((((((((((((((((((((((((( [email protected]_12.05.35.05 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-27 18:00:44 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-30 18:25:18 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Mobile Printing"="C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE" [2003-05-23 14:12 630784]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-30 10:01 88267 C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-07-15 13:09 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-07-15 13:08 618496]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 11:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-25 22:10 335872]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-03-01 14:05 200766]
"ChkAdmin"="C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE" [2003-05-12 18:33 81920]
"PRONoMgr.exe"="c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-10 03:36 86016]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-09-17 17:19 290816]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 22:12 49152]
"BluetoothAuthenticationAgent"="bthprops.cpl,,BluetoothAuthenticationAgent" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-24 10:02 1177368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"CPQDFWAG"="C:\WINDOWS\Cpqdiag\CpqDfwAg.exe" [2003-03-13 17:14 212992]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-06-02 18:48:22 565309]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 22:23:26 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
c:\WINDOWS\system32\LgNotify.dll 2003-12-16 17:49 110592 c:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-24 10:03]
R1 ClntMgmt;HP Client Management Driver;C:\WINDOWS\system32\Drivers\ClntMgmt.sys [2003-03-06 10:50]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-24 10:02]
R2 cpqWebDmi;Insight Web Agent;C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe [2003-05-12 18:38]
R3 CONAN;CONAN;C:\WINDOWS\system32\drivers\o2mmb.sys [2003-07-28 18:49]
R3 MbxStby;MbxStby;C:\WINDOWS\system32\drivers\MbxStby.sys [2003-07-24 08:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d32df480-2f2c-11dd-a3fe-00127956a28a}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 12:51:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????8?0?8?4??????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-30 12:53:06
ComboFix-quarantined-files.txt 2008-06-30 18:52:54
ComboFix2.txt 2008-06-27 18:06:00

Pre-Run: 13,110,603,776 bytes free
Post-Run: 13,102,346,240 bytes free

186 --- E O F --- 2008-06-24 01:35:01


HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:54:00 PM, on 6/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Compaq\COMPAQ~1\Dmi\Win32\bin\Win32sl.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.914.9778\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [HP Mobile Printing] C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.goo...5/uploader2.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) -
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1202075325790
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Insight Local Alerter (CPQALERT) - Hewlett-Packard Company - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Insight Web Agent (cpqWebDmi) - Hewlett-Packard Company - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: Remote Diagnostics Enabling Agent (DfwWebAgent) - Hewlett-Packard - C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\PROGRA~1\Compaq\COMPAQ~1\Dmi\Win32\bin\Win32sl.exe

--
End of file - 8535 bytes
  • 0

#6
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

This looks OK :)

Just some leftovers here...

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
<== this is a resource hog
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) -

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then, Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 6".
  • Click the "Download" button to the right.
  • For Platform, select "Windows"
  • For language, select your language
  • Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
Then * Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.
  • 0

#7
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP