em.pc-on-internet virus



#16
4estbest

ok here is the Malwarebytes scan log. it found 7 infections and i took care of them all. now I'm going to do the combo fix. see ya soon

Malwarebytes' Anti-Malware 1.23
Database version: 992
Windows 6.0.6000

15:55:34 2008-07-26
mbam-log-7-26-2008 (15-55-34).txt

Scan type: Quick Scan
Objects scanned: 34102
Time elapsed: 14 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#17
4estbest

ok here is the combofix log

ComboFix 08-07-24.6 - 4est the best 2008-07-26 15:55:51.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.218 [GMT -7:00]
Running from: C:\Users\4est the best\Downloads\ComboFix.exe
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-06-26 to 2008-07-26 )))))))))))))))))))))))))))))))
.

2008-07-26 15:37 . 2008-07-26 15:37 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-07-26 15:37 . 2008-07-26 15:37 <DIR> d-------- C:\Users\4est the best\AppData\Roaming\Malwarebytes
2008-07-26 15:37 . 2008-07-26 15:37 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-07-26 15:37 . 2008-07-26 15:37 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-26 15:37 . 2008-07-23 20:09 38,472 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
2008-07-26 15:37 . 2008-07-23 20:09 17,144 --a------ C:\Windows\System32\drivers\mbam.sys
2008-07-25 21:57 . 2008-07-25 23:02 <DIR> d-------- C:\Program Files\Navilog1
2008-07-25 19:39 . 2008-07-25 19:39 <DIR> d-------- C:\_OTMoveIt
2008-07-25 02:43 . 2008-07-25 02:43 <DIR> d-------- C:\Program Files\Sun
2008-07-25 01:59 . 2008-07-25 01:59 <DIR> d-------- C:\Deckard
2008-07-24 15:10 . 2008-07-24 15:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-24 14:57 . 2008-07-24 14:57 <DIR> d--hs---- C:\found.000
2008-07-24 01:18 . 2008-06-25 17:33 12,240,896 --a------ C:\Windows\System32\NlsLexicons0007.dll
2008-07-24 01:18 . 2008-06-25 20:22 9,845,248 --a------ C:\Windows\System32\NlsData000a.dll
2008-07-24 01:18 . 2008-06-25 20:22 4,874,240 --a------ C:\Windows\System32\NlsData0009.dll
2008-07-24 01:18 . 2008-06-25 17:33 2,644,480 --a------ C:\Windows\System32\NlsLexicons0009.dll
2008-07-24 01:18 . 2008-06-25 20:22 2,641,408 --a------ C:\Windows\System32\NlsData000c.dll
2008-07-24 01:18 . 2008-06-25 20:22 2,340,864 --a------ C:\Windows\System32\NlsData000d.dll
2008-07-24 01:18 . 2008-06-25 20:22 797,696 --a------ C:\Windows\System32\NaturalLanguage6.dll
2008-07-24 01:16 . 2008-06-25 17:33 11,722,752 --a------ C:\Windows\System32\NlsLexicons0001.dll
2008-07-12 00:51 . 2008-07-12 00:51 <DIR> d-------- C:\Windows\CheckSur
2008-06-26 00:01 . 2008-06-26 00:03 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-06-26 00:01 . 2008-06-26 00:03 <DIR> d-------- C:\ProgramData\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-25 10:08 --------- d-----w C:\Program Files\Real
2008-07-25 09:51 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-25 09:48 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-07-25 09:43 --------- d-----w C:\Program Files\NCH Swift Sound
2008-07-25 09:41 --------- d-----w C:\Program Files\Java
2008-07-25 09:40 --------- d-----w C:\Program Files\Rhapsody
2008-07-25 09:39 --------- d-----w C:\Program Files\Shockwave.com
2008-07-25 09:36 --------- d-----w C:\Users\4est the best\AppData\Roaming\Microsoft Game Studios
2008-07-25 09:36 --------- d-----w C:\ProgramData\Microsoft Games
2008-07-25 09:36 --------- d-----w C:\Program Files\Microsoft Games
2008-07-25 09:34 --------- d-----w C:\ProgramData\AOL
2008-07-12 08:53 174 --sha-w C:\Program Files\desktop.ini
2008-07-12 07:51 --------- d-----w C:\Program Files\Windows Mail
2008-06-26 06:47 2,914,296 ----a-w C:\Users\4est the best\computer cleaner.exe
2008-06-26 06:47 --------- d-----w C:\Program Files\CCleaner
2008-06-26 06:40 9,722,720 ----a-w C:\Users\4est the best\spybot.exe
2008-06-26 00:34 7,964,672 ----a-w C:\Windows\System32\NlsLexicons0024.dll
2008-06-26 00:33 9,892,864 ----a-w C:\Windows\System32\NlsLexicons000a.dll
2008-06-24 07:05 --------- d-----w C:\Program Files\Game_Maker7
2008-06-24 07:04 8,183,675 ----a-w C:\Users\4est the best\gmaker.exe
2008-06-18 14:13 --------- d---a-w C:\ProgramData\TEMP
2008-06-02 10:02 --------- d-----w C:\Program Files\CONEXANT
2008-05-24 00:07 258 ----a-w C:\Users\4est the best\AppData\Roaming\wklnhst.dat
2008-05-10 03:30 14,848 ----a-w C:\Windows\System32\wshrm.dll
2008-04-26 08:02 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2008-04-04 16:12 13,401 ----a-w C:\Users\4est the best\AppData\Roaming\nvModes.dat
2008-03-30 16:14 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-03-30 16:14 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-03-30 16:14 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 05:35 125440]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-05-14 21:33 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 20:36 827392]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-11-14 15:05 1410304]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-16 08:00 185896]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications]
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"<NO NAME>"=
"C:\\Program Files\\Vongo\\VongoService.exe"= C:\Program Files\Vongo\VongoService.exe:*:enabled:VongoService

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"EarthLink2"= TCP:Profile=Private|Profile=Public|C:\Program Files\earthlink totalaccess\taskpanl.exe:taskpanl
"EarthLink1"= UDP:Profile=Private|Profile=Public|C:\Program Files\earthlink totalaccess\taskpanl.exe:taskpanl
"TCP Query User{31DC0588-866C-4FF1-B25F-4F84AE2E7FCE}C:\\program files\\limewire\\limewire.exe"= UDP:C:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{07EA904F-A36C-4F3E-B2C5-A19A4FD92626}C:\\program files\\limewire\\limewire.exe"= TCP:C:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{00623C06-2885-4E61-9471-AC8742A8733B}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{1113E5F1-5258-4B91-9305-CB290B37704C}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{FB9145F6-D1E8-474B-ABAC-98E587BF73F7}C:\\program files\\itunes\\itunes.exe"= UDP:C:\program files\itunes\itunes.exe:iTunes
"UDP Query User{29C35424-A177-4EDB-A72B-C417142DEE16}C:\\program files\\itunes\\itunes.exe"= TCP:C:\program files\itunes\itunes.exe:iTunes
"TCP Query User{82000440-3995-492E-81BD-998B6D1CEF47}C:\\program files\\itunes\\itunes.exe"= UDP:C:\program files\itunes\itunes.exe:iTunes
"UDP Query User{BD2EA2A4-1D4C-45E7-9FBF-31353F12A968}C:\\program files\\itunes\\itunes.exe"= TCP:C:\program files\itunes\itunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R1 epfwtdir;epfwtdir;C:\Windows\system32\DRIVERS\epfwtdir.sys [2007-11-14 15:06]
R3 CnxtHdAudService;Conexant UAA Function Driver for High Definition Audio Service;C:\Windows\system32\drivers\CHDRT32.sys [2008-03-04 02:32]
R3 NWADI;NWADI Bus Enumerator;C:\Windows\system32\DRIVERS\NWADIenum.sys [2006-09-26 14:29]
R3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;C:\Windows\system32\DRIVERS\nwusbser2.sys [2006-09-14 16:45]
S3 GameConsoleService;GameConsoleService;C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe [2007-08-21 10:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f2e7ee53-003b-11dd-9b45-0016d3a9fd4f}]
\shell\AutoRun\command - F:\PortableVault.exe

*Newly Created Service* - MBAMSWISSARMY
*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R0 -: HKLM-Main,Start Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-26 16:04:54
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-26 16:12:36
ComboFix-quarantined-files.txt 2008-07-26 23:12:18

Pre-Run: 103,333,748,736 bytes free
Post-Run: 103,346,667,520 bytes free

138 --- E O F --- 2008-07-26 04:57:20









and here is the HijackThis log. how does everything look?


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:53 PM, on 7/25/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Users\4est the best\AppData\Local\amsoqyyq.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9b.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\4est the best\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZC0KMEGZ\dss[1].exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\4ESTTH~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...n&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [amsoqyyq] c:\users\4est the best\appdata\local\amsoqyyq.exe amsoqyyq
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...ploader_v10.cab
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7538 bytes

#18
kahdah

1. Please open Notepad
  • Click Start, then Run
  • Type in notepad in the Run Box then hit OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\users\4est the best\appdata\local\amsoqyyq.exe 
Folder::
C:\Program Files\InternetGameBox
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"amsoqyyq"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


#19
4estbest

hey my computer was running good until i put that code into combofix last night. now my computer keeps saying invalid address and internet explorer is not working. any way to reverse it? I'm on a different computer right now so i hope we can reverse it off the internet.

thanks again

#20
kahdah

Do you have the log it produced?

I need to see it.
What we did was to further delete the malware present.

Can you explain what you mean by it's not working exactly, other than the invalid address?

#21
4estbest

i have the logs but no way of transporting them at the moment. i have a flash drive at home but i am on a family vacation right now.

but i'll try to explain what is happening.

i have a sprint broadband wireless internet connection. when i connect to the internet it says i am connected but when i double click internet explorer it appears to be loading then it takes me to the disconnected screen (this is the same screen that appears if i was not connected to my sprint broadband internet connection and double clicked internet explorer). basically it's saying I'm connected but internet explorer does not recognize I'm connected. maybe you could tell me what i might be looking for and i could check my log files?

#22
kahdah

Does it say that you are working offline?

Try this: right click on the little internet connection in the bottom right hand corner next to the clock.
It looks like 2 computers.
Right click on it and choose Diagnose and Repair; it will automatically repair your internet connection.
Let me know if that works.

#23
4estbest

it says "windows tried to repair but a problem still exists. there might be a problem with one or more network adapters on this computer." should i be connected to the internet when i try this?

#24
kahdah

Yes, connect then try it again.

#25
4estbest

hey it worked!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:53 PM, on 7/25/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Users\4est the best\AppData\Local\amsoqyyq.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9b.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\4est the best\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZC0KMEGZ\dss[1].exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\4ESTTH~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...n&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [amsoqyyq] c:\users\4est the best\appdata\local\amsoqyyq.exe amsoqyyq
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...ploader_v10.cab
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7538 bytes




that's the HijackThis.



do you know what the combo fix would be saved under? i can't seem to find it


#26
kahdah

Typically C:\Combofix.txt or C:\combofix2.txt

If not there, do a search for it: type in combofix2.txt

#27
4estbest

ok I'm pretty sure this is it

ComboFix 08-07-24.6 - 4est the best 2008-07-27 0:41:08.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.411 [GMT -7:00]
Running from: C:\Users\4est the best\Downloads\ComboFix.exe
Command switches used :: C:\Users\4est the best\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
c:\users\4est the best\appdata\local\amsoqyyq.exe
.

((((((((((((((((((((((((( Files Created from 2008-06-27 to 2008-07-27 )))))))))))))))))))))))))))))))
.

2008-07-26 15:37 . 2008-07-26 15:37 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-07-26 15:37 . 2008-07-26 15:37 <DIR> d-------- C:\Users\4est the best\AppData\Roaming\Malwarebytes
2008-07-26 15:37 . 2008-07-26 15:37 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-07-26 15:37 . 2008-07-26 15:37 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-26 15:37 . 2008-07-23 20:09 38,472 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
2008-07-26 15:37 . 2008-07-23 20:09 17,144 --a------ C:\Windows\System32\drivers\mbam.sys
2008-07-25 21:57 . 2008-07-25 23:02 <DIR> d-------- C:\Program Files\Navilog1
2008-07-25 19:39 . 2008-07-25 19:39 <DIR> d-------- C:\_OTMoveIt
2008-07-25 02:43 . 2008-07-25 02:43 <DIR> d-------- C:\Program Files\Sun
2008-07-25 01:59 . 2008-07-25 01:59 <DIR> d-------- C:\Deckard
2008-07-24 15:10 . 2008-07-24 15:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-24 14:57 . 2008-07-24 14:57 <DIR> d--hs---- C:\found.000
2008-07-24 01:18 . 2008-06-25 17:33 12,240,896 --a------ C:\Windows\System32\NlsLexicons0007.dll
2008-07-24 01:18 . 2008-06-25 20:22 9,845,248 --a------ C:\Windows\System32\NlsData000a.dll
2008-07-24 01:18 . 2008-06-25 20:22 4,874,240 --a------ C:\Windows\System32\NlsData0009.dll
2008-07-24 01:18 . 2008-06-25 17:33 2,644,480 --a------ C:\Windows\System32\NlsLexicons0009.dll
2008-07-24 01:18 . 2008-06-25 20:22 2,641,408 --a------ C:\Windows\System32\NlsData000c.dll
2008-07-24 01:18 . 2008-06-25 20:22 2,340,864 --a------ C:\Windows\System32\NlsData000d.dll
2008-07-24 01:18 . 2008-06-25 20:22 797,696 --a------ C:\Windows\System32\NaturalLanguage6.dll
2008-07-24 01:16 . 2008-06-25 17:33 11,722,752 --a------ C:\Windows\System32\NlsLexicons0001.dll
2008-07-12 00:51 . 2008-07-12 00:51 <DIR> d-------- C:\Windows\CheckSur

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-25 10:08 --------- d-----w C:\Program Files\Real
2008-07-25 09:51 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-25 09:48 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-07-25 09:43 --------- d-----w C:\Program Files\NCH Swift Sound
2008-07-25 09:41 --------- d-----w C:\Program Files\Java
2008-07-25 09:40 --------- d-----w C:\Program Files\Rhapsody
2008-07-25 09:39 --------- d-----w C:\Program Files\Shockwave.com
2008-07-25 09:36 --------- d-----w C:\Users\4est the best\AppData\Roaming\Microsoft Game Studios
2008-07-25 09:36 --------- d-----w C:\ProgramData\Microsoft Games
2008-07-25 09:36 --------- d-----w C:\Program Files\Microsoft Games
2008-07-25 09:34 --------- d-----w C:\ProgramData\AOL
2008-07-12 08:53 174 --sha-w C:\Program Files\desktop.ini
2008-07-12 07:51 --------- d-----w C:\Program Files\Windows Mail
2008-06-26 07:03 --------- d-----w C:\ProgramData\Lavasoft
2008-06-26 06:47 2,914,296 ----a-w C:\Users\4est the best\computer cleaner.exe
2008-06-26 06:47 --------- d-----w C:\Program Files\CCleaner
2008-06-26 06:40 9,722,720 ----a-w C:\Users\4est the best\spybot.exe
2008-06-26 00:34 7,964,672 ----a-w C:\Windows\System32\NlsLexicons0024.dll
2008-06-26 00:33 9,892,864 ----a-w C:\Windows\System32\NlsLexicons000a.dll
2008-06-24 07:05 --------- d-----w C:\Program Files\Game_Maker7
2008-06-24 07:04 8,183,675 ----a-w C:\Users\4est the best\gmaker.exe
2008-06-18 14:13 --------- d---a-w C:\ProgramData\TEMP
2008-06-02 10:02 --------- d-----w C:\Program Files\CONEXANT
2008-05-24 00:07 258 ----a-w C:\Users\4est the best\AppData\Roaming\wklnhst.dat
2008-05-10 03:30 14,848 ----a-w C:\Windows\System32\wshrm.dll
2008-04-04 16:12 13,401 ----a-w C:\Users\4est the best\AppData\Roaming\nvModes.dat
2008-03-30 16:14 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-03-30 16:14 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-03-30 16:14 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((( [email protected]_16.11.43.74 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-26 16:25:03 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-07-27 01:06:36 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-07-26 16:25:03 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-07-27 01:06:36 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-07-26 16:26:36 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-07-27 01:07:02 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-07-26 16:26:30 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-07-27 01:07:02 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-07-26 16:32:25 104,024 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-07-27 01:11:15 104,024 ----a-w C:\Windows\System32\perfc009.dat
- 2008-07-26 16:32:25 618,648 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-07-27 01:11:15 618,648 ----a-w C:\Windows\System32\perfh009.dat
- 2008-07-26 16:27:17 8,220 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-125451900-3175746660-884198761-1000_UserData.bin
+ 2008-07-27 01:08:38 8,370 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-125451900-3175746660-884198761-1000_UserData.bin
- 2008-07-26 16:27:15 68,136 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-07-27 01:08:38 68,152 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-07-26 06:01:50 39,166 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-07-27 01:08:36 39,182 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 05:35 125440]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-05-14 21:33 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 20:36 827392]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-11-14 15:05 1410304]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-16 08:00 185896]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications]
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"<NO NAME>"=
"C:\\Program Files\\Vongo\\VongoService.exe"= C:\Program Files\Vongo\VongoService.exe:*:enabled:VongoService

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"EarthLink2"= TCP:Profile=Private|Profile=Public|C:\Program Files\earthlink totalaccess\taskpanl.exe:taskpanl
"EarthLink1"= UDP:Profile=Private|Profile=Public|C:\Program Files\earthlink totalaccess\taskpanl.exe:taskpanl
"TCP Query User{31DC0588-866C-4FF1-B25F-4F84AE2E7FCE}C:\\program files\\limewire\\limewire.exe"= UDP:C:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{07EA904F-A36C-4F3E-B2C5-A19A4FD92626}C:\\program files\\limewire\\limewire.exe"= TCP:C:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{00623C06-2885-4E61-9471-AC8742A8733B}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{1113E5F1-5258-4B91-9305-CB290B37704C}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{FB9145F6-D1E8-474B-ABAC-98E587BF73F7}C:\\program files\\itunes\\itunes.exe"= UDP:C:\program files\itunes\itunes.exe:iTunes
"UDP Query User{29C35424-A177-4EDB-A72B-C417142DEE16}C:\\program files\\itunes\\itunes.exe"= TCP:C:\program files\itunes\itunes.exe:iTunes
"TCP Query User{82000440-3995-492E-81BD-998B6D1CEF47}C:\\program files\\itunes\\itunes.exe"= UDP:C:\program files\itunes\itunes.exe:iTunes
"UDP Query User{BD2EA2A4-1D4C-45E7-9FBF-31353F12A968}C:\\program files\\itunes\\itunes.exe"= TCP:C:\program files\itunes\itunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R1 epfwtdir;epfwtdir;C:\Windows\system32\DRIVERS\epfwtdir.sys [2007-11-14 15:06]
R3 CnxtHdAudService;Conexant UAA Function Driver for High Definition Audio Service;C:\Windows\system32\drivers\CHDRT32.sys [2008-03-04 02:32]
R3 NWADI;NWADI Bus Enumerator;C:\Windows\system32\DRIVERS\NWADIenum.sys [2006-09-26 14:29]
R3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;C:\Windows\system32\DRIVERS\nwusbser2.sys [2006-09-14 16:45]
S3 GameConsoleService;GameConsoleService;C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe [2007-08-21 10:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f2e7ee53-003b-11dd-9b45-0016d3a9fd4f}]
\shell\AutoRun\command - F:\PortableVault.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-27 00:45:42
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-27 0:48:10
ComboFix-quarantined-files.txt 2008-07-27 07:48:01
ComboFix2.txt 2008-07-26 23:12:39

Pre-Run: 102,901,948,416 bytes free
Post-Run: 102,870,454,272 bytes free

155 --- E O F --- 2008-07-26 04:57:20

#28
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Yep that was it.

Please right-click on HijackThis and choose Run as Administrator. Then choose "Do a system scan only".
Then place a check mark next to this entry below:

O4 - HKCU\..\Run: [amsoqyyq] c:\users\4est the best\appdata\local\amsoqyyq.exe amsoqyyq

Then click on Fix Checked, then close HijackThis.
================================
Please reboot your computer and post one more HijackThis log and let me know of any remaining issues.

#29
4estbest

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
I can't find it. I see it on the Notepad log file but it's not on the HijackThis program. There are only 2 "04 hkcu", not three like the log file shows. Any suggestions?

#30
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
That's good, that means it's gone.

Please go ahead and post another HijackThis log and let me know if you have any remaining issues :)