Win32 Trojan-gen problems [RESOLVED]


  • This topic is locked

#1 cschaaf (Member, 27 posts)
I have a lot of Win32 Trojan-gen problems popping up on my PC. I can't enable Automatic Updates. My IE won't resolve a lot of web pages, it just hangs.

I have run AdAware, CCleaner, SpyBot. I used to have McAfee, but I deleted it after this problem popped up; I now have Avast installed.

Any help is greatly appreciated!

Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:39 AM, on 9/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: {fefbb4a2-90bc-5f6b-1a94-33c1b7b73d25} - {52d37b7b-1c33-49a1-b6f5-cb092a4bbfef} - C:\WINDOWS\system32\rpbgqj.dll
O2 - BHO: (no name) - {88339CAA-2FFA-4884-9533-BE4465FA62AC} - C:\WINDOWS\system32\mlJDvVpn.dll (file missing)
O2 - BHO: (no name) - {AEA4DE5E-37ED-4A91-A883-6D8953A84614} - C:\WINDOWS\system32\fccyayaX.dll
O2 - BHO: (no name) - {CD50BD1A-E86D-4C8F-8679-CAF2630FA223} - (no file)
O2 - BHO: (no name) - {D07EC762-1EF6-48F1-A3A6-95A9B9B920D9} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BM1f043a15] Rundll32.exe "C:\WINDOWS\system32\jtbqbhtw.dll",s
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} -
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1154782497203
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O20 - AppInit_DLLs: eoyazn.dll dekiua.dll rpbgqj.dll
O20 - Winlogon Notify: fccyayaX - C:\WINDOWS\SYSTEM32\fccyayaX.dll
O20 - Winlogon Notify: ssqpm - C:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe

--
End of file - 7179 bytes
  • 0

#2 IndiGenus (Anti-Malware Buddha, Member, 1,617 posts)
Hi and welcome back to the forums here at G2G! :)

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
  • 0

#3 cschaaf (Topic Starter, Member, 27 posts)
Thank you for the quick response!

I ran ComboFix, and during the operation I got an error box. It says - Error loading C:\WINDOWS\System32\jtbqbhtw.dll The specified module could not be found.

Here are the results from the ComboFix log, and a new HijackThis log:

ComboFix 08-09-04.09 - HP_Owner 2008-09-05 15:10:06.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.184 [GMT -4:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\tmp1.tmp
C:\Documents and Settings\HP_Owner\Application Data\rhcaj5j0ee4e
C:\WINDOWS\BM1f043a15.txt
C:\WINDOWS\BM1f043a15.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aknaxk.dll
C:\WINDOWS\system32\bpogomku.dll
C:\WINDOWS\system32\ckmhqe.dll
C:\WINDOWS\system32\cwpuxhsm.dll
C:\WINDOWS\system32\cxwnubrm.ini
C:\WINDOWS\system32\dekiua.dll
C:\WINDOWS\system32\ekkxjbas.dll
C:\WINDOWS\system32\eoyazn.dll
C:\WINDOWS\system32\exwbcuvf.ini
C:\WINDOWS\system32\fyrogx.dll
C:\WINDOWS\system32\gjlbfiel.ini
C:\WINDOWS\system32\iyvomlld.dll
C:\WINDOWS\system32\jmabsxvv.dll
C:\WINDOWS\system32\jsqvglpg.dll
C:\WINDOWS\system32\jtbqbhtw.dll
C:\WINDOWS\system32\kattukey.dll
C:\WINDOWS\system32\lgpkkbib.dll
C:\WINDOWS\system32\mpqss.bak1
C:\WINDOWS\system32\mpqss.bak2
C:\WINDOWS\system32\mpqss.ini
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\npVvDJlm.ini
C:\WINDOWS\system32\npVvDJlm.ini2
C:\WINDOWS\system32\offtgrhf.dll
C:\WINDOWS\system32\oroflmof.dll
C:\WINDOWS\system32\oukejfwu.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\povodw.dll
C:\WINDOWS\system32\rpbgqj.dll
C:\WINDOWS\system32\rqtqdtqv.ini
C:\WINDOWS\system32\symspgge.dll
C:\WINDOWS\system32\ucbmcntn.ini
C:\WINDOWS\system32\vgfzpl.dll
C:\WINDOWS\system32\vqmvhvji.ini
C:\WINDOWS\system32\wbneoojy.dll
C:\WINDOWS\system32\wojkrklu.dll
C:\WINDOWS\system32\xqsvygir.ini
C:\WINDOWS\system32\yjooenbw.ini
C:\WINDOWS\system32\ynoalpyy.dll
C:\WINDOWS\system32\yrtnsd.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-08-05 to 2008-09-05 )))))))))))))))))))))))))))))))
.

2008-09-05 14:36 . 2008-09-05 14:36 <DIR> d-------- C:\WINDOWS\LastGood
2008-09-05 14:31 . 2008-09-05 14:31 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-09-05 14:27 . 2008-09-05 14:27 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-09-05 14:27 . 2008-09-05 14:27 <DIR> d-------- C:\WINDOWS\system32\bits
2008-09-05 14:27 . 2008-09-05 14:27 <DIR> d-------- C:\WINDOWS\l2schemas
2008-09-05 14:26 . 2008-09-05 14:27 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-09-05 14:20 . 2008-09-05 14:20 <DIR> d-------- C:\WINDOWS\EHome
2008-09-05 14:17 . 2008-04-13 20:12 712,704 --------- C:\WINDOWS\system32\windowscodecs.dll
2008-09-05 14:17 . 2008-04-13 20:12 346,112 --------- C:\WINDOWS\system32\windowscodecsext.dll
2008-09-05 14:17 . 2008-04-13 20:12 276,992 --------- C:\WINDOWS\system32\wmphoto.dll
2008-09-05 14:17 . 2008-04-13 20:12 69,120 --------- C:\WINDOWS\system32\wlanapi.dll
2008-09-05 14:15 . 2008-04-13 20:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2008-09-05 10:55 . 2004-08-07 17:22 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-09-05 10:55 . 2004-08-08 10:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-09-05 10:55 . 2004-08-07 17:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-09-05 10:55 . 2004-08-07 17:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-09-05 10:55 . 2008-09-05 10:55 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-05 10:26 . 2008-09-05 10:31 <DIR> d-------- C:\Program Files\Registry Easy
2008-09-05 10:18 . 2008-09-05 10:18 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-09-05 09:33 . 2008-09-05 09:33 <DIR> d-------- C:\Program Files\Alwil Software
2008-09-03 16:21 . 2008-09-03 16:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-09-03 15:37 . 2008-09-03 15:37 <DIR> d-------- C:\Program Files\CCleaner
2008-09-03 15:22 . 2008-09-03 15:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-03 14:10 . 2008-09-03 11:34 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-09-03 13:47 . 2008-09-03 13:47 <DIR> d-------- C:\Program Files\Abexo
2008-09-03 13:31 . 2008-09-03 13:31 <DIR> d-------- C:\Program Files\Auslogics
2008-09-03 13:01 . 2008-09-03 13:01 26,624 --a------ C:\7d893d171d40.bup
2008-09-03 12:44 . 2008-09-03 13:31 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Auslogics
2008-09-03 12:04 . 2008-09-03 12:04 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-03 12:03 . 2008-09-03 12:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-03 11:34 . 2008-09-03 15:02 <DIR> d-------- C:\Documents and Settings\HP_Owner\.housecall6.6
2008-08-30 08:31 . 2008-08-30 08:31 92 --a------ C:\WINDOWS\system32\ikhcore.cfg
2008-08-30 00:16 . 2008-09-03 12:56 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-30 00:16 . 2008-09-03 12:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-29 23:42 . 2008-08-30 08:40 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-08-29 23:42 . 2008-08-30 08:40 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-29 21:04 . 2008-08-29 21:04 0 --a------ C:\WINDOWS\system32\A.tmp
2008-08-29 20:37 . 2008-08-29 20:37 0 --a------ C:\WINDOWS\system32\1A.tmp
2008-08-29 20:23 . 2008-08-29 20:23 0 --a------ C:\WINDOWS\system32\3.tmp
2008-08-29 16:14 . 2008-08-29 16:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-28 19:55 . 2008-08-28 19:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-08-28 19:52 . 2008-08-28 19:52 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2008-08-28 19:52 . 2008-08-28 19:52 <DIR> d-------- C:\Program Files\Comcast
2008-08-28 08:09 . 2008-08-28 08:09 <DIR> d-------- C:\WINDOWS\system32\wTR19
2008-08-28 08:09 . 2008-08-28 08:09 <DIR> d-------- C:\temp\dax41
2008-08-28 08:09 . 2008-08-28 18:55 422 --a------ C:\WINDOWS\VRM_Free.exe.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-05 18:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-05 18:10 --------- d-----w C:\Program Files\Disney Interactive
2008-09-05 18:09 --------- d-----w C:\Program Files\Comcast Rhapsody
2008-09-05 18:08 --------- d-----w C:\Program Files\Bonjour
2008-09-03 18:21 --------- d-----w C:\Program Files\Google
2008-09-03 17:04 --------- d-----w C:\Program Files\McAfee
2008-09-03 17:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-08-28 12:19 73,728 ----a-w C:\WINDOWS\ALCFDRTM.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-08-07 32881]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 118784]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 659456]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 61440]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-08-07 180269]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 155648]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 C:\WINDOWS\AGRSMMSG.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-04-06 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-04-06 C:\WINDOWS\ALCWZRD.EXE]

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2005-12-14 225280]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoSecCPL"= 0 (0x0)
"NoDevMgrPage"= 0 (0x0)
"NoConfigPage"= 0 (0x0)
"NoVirtMemPage"= 0 (0x0)
"NoFileSysPage"= 0 (0x0)
"NoNetSetup"= 0 (0x0)
"NoNetSetupIDPage"= 0 (0x0)
"NoNetSetupSecurityPage"= 0 (0x0)
"NoWorkgroupContents"= 0 (0x0)
"NoEntireNetwork"= 0 (0x0)
"NoFileSharingControl"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"RestrictRun"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoRun"= 0 (0x0)
"NoLogOff"= 0 (0x0)
"NoFind"= 0 (0x0)
"NoClose"= 0 (0x0)
"NoSetFolders"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=eoyazn.dll dekiua.dll rpbgqj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-02-08 15:03 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 20:12 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-02-27 20:32 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{52d37b7b-1c33-49a1-b6f5-cb092a4bbfef} - C:\WINDOWS\system32\rpbgqj.dll
BHO-{88339CAA-2FFA-4884-9533-BE4465FA62AC} - C:\WINDOWS\system32\mlJDvVpn.dll
BHO-{AEA4DE5E-37ED-4A91-A883-6D8953A84614} - C:\WINDOWS\system32\fccyayaX.dll
BHO-{CD50BD1A-E86D-4C8F-8679-CAF2630FA223} - (no file)
BHO-{D07EC762-1EF6-48F1-A3A6-95A9B9B920D9} - (no file)
HKLM-Run-BM1f043a15 - C:\WINDOWS\system32\jtbqbhtw.dll
ShellExecuteHooks-{AEA4DE5E-37ED-4A91-A883-6D8953A84614} - C:\WINDOWS\system32\fccyayaX.dll
Notify-fccyayaX - fccyayaX.dll
Notify-ssqpm - (no file)


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = about:blank
R0 -: HKCU-Main,Default_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKLM-Main,Start Page = about:blank
R0 -: HKLM-Main,Search Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R0 -: HKLM-Main,Window Title = Microsoft Internet Explorer
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-05 15:13:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-09-05 15:16:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-05 19:16:19

Pre-Run: 176,113,156,096 bytes free
Post-Run: 176,057,430,016 bytes free

236 --- E O F --- 2008-09-05 18:32:07



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:19:31 PM, on 9/5/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} -
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1154782497203
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O20 - AppInit_DLLs: eoyazn.dll dekiua.dll rpbgqj.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe

--
End of file - 5956 bytes
  • 0

#4 IndiGenus (Anti-Malware Buddha, Member, 1,617 posts)
1. Open Notepad

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\VRM_Free.exe.ini
C:\WINDOWS\system32\A.tmp
C:\WINDOWS\system32\1A.tmp
C:\WINDOWS\system32\3.tmp

Folder::
C:\WINDOWS\system32\wTR19
C:\temp\dax41

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


Let me know if the error is still occurring too.
  • 0
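The entries the helper went after in this thread (the O20 AppInit_DLLs loader, the BHOs whose file is missing, the O4 Run key that starts a DLL through Rundll32, the O6 IE restrictions and the Winlogon Notify handler with no file behind it) are the same classes of HijackThis lines an analyst checks first when triaging a log like the ones in posts #1 and #3. As an added example, not code from this thread, from Trend Micro or from the ComboFix author, the Python script below parses HijackThis-style lines and flags those classes, then does a second pass so that any other entry loading a DLL already named by a flagged line is flagged too. The sample lines are constructed from the log in post #1 (with one benign avast! Run entry for contrast); the section names, reason strings and the `Finding` type are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied in shape from the HijackThis log in post #1
# of this thread, plus a benign avast! Run entry for contrast. Backslashes are
# doubled because this is an ordinary (non-raw) Python string.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 5.0\\Reader\\ActiveX\\AcroIEHelper.ocx
O2 - BHO: (no name) - {88339CAA-2FFA-4884-9533-BE4465FA62AC} - C:\\WINDOWS\\system32\\mlJDvVpn.dll (file missing)
O2 - BHO: (no name) - {AEA4DE5E-37ED-4A91-A883-6D8953A84614} - C:\\WINDOWS\\system32\\fccyayaX.dll
O2 - BHO: (no name) - {CD50BD1A-E86D-4C8F-8679-CAF2630FA223} - (no file)
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O4 - HKLM\\..\\Run: [BM1f043a15] Rundll32.exe "C:\\WINDOWS\\system32\\jtbqbhtw.dll",s
O6 - HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\Restrictions present
O20 - AppInit_DLLs: eoyazn.dll dekiua.dll rpbgqj.dll
O20 - Winlogon Notify: fccyayaX - C:\\WINDOWS\\SYSTEM32\\fccyayaX.dll
O20 - Winlogon Notify: ssqpm - C:\\WINDOWS\\
"""

# "O20 - AppInit_DLLs: ..." -> section "O20", body "AppInit_DLLs: ..."
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# Bare DLL file name (last path component) anywhere in a line.
DLL_RE = re.compile(r"([\w.~-]+\.dll)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def classify(line: str):
    """Return a reason when the entry is one of the suspicious classes, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec == "O2":
        if "(no file)" in body or "(file missing)" in body:
            return "BHO registered but its DLL is gone (orphaned CLSID)"
        if body.startswith("BHO: (no name)"):
            return "unnamed BHO loading a DLL"
    elif sec == "O4":
        # Persistence via a Run key that hands a DLL to rundll32.
        if re.search(r"rundll32(?:\.exe)?\s", body, re.IGNORECASE) and DLL_RE.search(body):
            return "Run key launches a DLL through Rundll32"
    elif sec == "O6":
        if "Restrictions present" in body:
            return "IE policy restrictions set for the user"
    elif sec == "O20":
        # A non-empty AppInit_DLLs value injects those DLLs into every
        # process that loads user32.dll; almost never legitimate on a home PC.
        if body.startswith("AppInit_DLLs:") and body[len("AppInit_DLLs:"):].strip():
            return "AppInit_DLLs injects DLLs into every user-mode process"
        if body.startswith("Winlogon Notify:") and not DLL_RE.search(body):
            return "Winlogon Notify handler without a DLL file"
    return None


def suspect_dlls(findings):
    """Lower-cased DLL names mentioned by any flagged entry."""
    return {dll.lower() for f in findings for dll in DLL_RE.findall(f.line)}


def triage(log_text: str):
    """Two-pass triage: classify each line, then taint other lines that load a flagged DLL."""
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    findings = []
    for line in lines:
        reason = classify(line)
        if reason:
            findings.append(Finding(line.split(" - ", 1)[0], reason, line))
    suspects = suspect_dlls(findings)
    already = {f.line for f in findings}
    for line in lines:
        if line in already:
            continue
        for dll in DLL_RE.findall(line):
            if dll.lower() in suspects:
                findings.append(Finding(line.split(" - ", 1)[0],
                                        f"loads {dll}, already flagged elsewhere", line))
                break
    return findings


def report(findings):
    """One line per finding, suitable for pasting into a reply."""
    return "\n".join(f"[{f.section}] {f.reason}\n    {f.line}" for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    print(report(results))
    print("suspect DLLs:", ", ".join(sorted(suspect_dlls(results))))
```

Run against the constructed sample it reports eight entries, and the six DLL names it collects (eoyazn.dll, dekiua.dll, rpbgqj.dll, jtbqbhtw.dll, fccyayaX.dll, mlJDvVpn.dll) are exactly the ones that later show up in post #3 under ComboFix's "Other Deletions" and "ORPHANS REMOVED" sections. The second pass is what catches the Winlogon Notify line for fccyayaX.dll, which on its own looks like a normal handler with a file behind it; it is only suspicious because the same DLL is also an unnamed BHO.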

#5 cschaaf (Topic Starter, Member, 27 posts)
Things seem to be working much better now! AVG didn't pick up any viruses, and IE is behaving.

Thanks for your help!

Here are my new logs.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:05:46 PM, on 9/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} -
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1154782497203
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe

--
End of file - 5868 bytes


ComboFix 08-09-05.09 - HP_Owner 2008-09-08 10:40:05.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.235 [GMT -4:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\dax41
C:\WINDOWS\system32\1A.tmp
C:\WINDOWS\system32\3.tmp
C:\WINDOWS\system32\A.tmp
C:\WINDOWS\system32\wTR19
C:\WINDOWS\VRM_Free.exe.ini

.
((((((((((((((((((((((((( Files Created from 2008-08-08 to 2008-09-08 )))))))))))))))))))))))))))))))
.

2008-09-05 14:37 . 2008-04-11 15:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-09-05 14:37 . 2008-06-13 07:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-09-05 14:37 . 2008-05-08 10:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-09-05 14:27 . 2008-09-05 14:27 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-09-05 14:27 . 2008-09-05 14:27 <DIR> d-------- C:\WINDOWS\system32\bits
2008-09-05 14:27 . 2008-09-05 14:27 <DIR> d-------- C:\WINDOWS\l2schemas
2008-09-05 14:26 . 2008-09-05 14:27 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-09-05 14:20 . 2008-09-05 14:20 <DIR> d-------- C:\WINDOWS\EHome
2008-09-05 14:17 . 2008-04-13 20:12 712,704 --------- C:\WINDOWS\system32\windowscodecs.dll
2008-09-05 14:17 . 2008-04-13 20:12 346,112 --------- C:\WINDOWS\system32\windowscodecsext.dll
2008-09-05 14:17 . 2008-04-13 20:12 276,992 --------- C:\WINDOWS\system32\wmphoto.dll
2008-09-05 14:17 . 2008-04-13 20:12 69,120 --------- C:\WINDOWS\system32\wlanapi.dll
2008-09-05 14:15 . 2008-04-13 20:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2008-09-05 11:00 . 2008-07-18 22:09 25,800 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-09-05 10:55 . 2004-08-07 17:22 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-09-05 10:55 . 2004-08-08 10:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-09-05 10:55 . 2004-08-07 17:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-09-05 10:55 . 2004-08-07 17:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-09-05 10:55 . 2008-09-05 10:55 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-05 10:26 . 2008-09-05 10:31 <DIR> d-------- C:\Program Files\Registry Easy
2008-09-05 10:18 . 2008-09-05 10:18 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-09-05 09:33 . 2008-09-05 09:33 <DIR> d-------- C:\Program Files\Alwil Software
2008-09-03 16:21 . 2008-09-03 16:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-09-03 15:37 . 2008-09-03 15:37 <DIR> d-------- C:\Program Files\CCleaner
2008-09-03 15:22 . 2008-09-03 15:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-03 14:10 . 2008-09-03 11:34 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-09-03 13:47 . 2008-09-03 13:47 <DIR> d-------- C:\Program Files\Abexo
2008-09-03 13:31 . 2008-09-03 13:31 <DIR> d-------- C:\Program Files\Auslogics
2008-09-03 13:01 . 2008-09-03 13:01 26,624 --a------ C:\7d893d171d40.bup
2008-09-03 12:44 . 2008-09-03 13:31 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Auslogics
2008-09-03 12:04 . 2008-09-03 12:04 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-03 12:03 . 2008-09-03 12:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-03 11:34 . 2008-09-03 15:02 <DIR> d-------- C:\Documents and Settings\HP_Owner\.housecall6.6
2008-08-30 08:31 . 2008-08-30 08:31 92 --a------ C:\WINDOWS\system32\ikhcore.cfg
2008-08-30 00:16 . 2008-09-03 12:56 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-30 00:16 . 2008-09-03 12:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-29 23:42 . 2008-08-30 08:40 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-08-29 23:42 . 2008-08-30 08:40 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-29 16:14 . 2008-08-29 16:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-28 19:55 . 2008-08-28 19:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-08-28 19:52 . 2008-08-28 19:52 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2008-08-28 19:52 . 2008-08-28 19:52 <DIR> d-------- C:\Program Files\Comcast

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-05 18:30 98,304 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\PluginCtrl.dll
2008-09-05 18:30 69,632 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\msxmlwrapper.dll
2008-09-05 18:30 5,632 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\jsharpde\GUI.dll
2008-09-05 18:30 4,096 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\winverifytrustwrapper.dll
2008-09-05 18:30 356,352 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\jsharpde\client_motkt.dll
2008-09-05 18:30 315,392 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\jsharpde\pchmsxml.dll
2008-09-05 18:30 3,072 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\jsharpde\pchealthde.exe
2008-09-05 18:30 282,624 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\jsharpde\clientutil52.dll
2008-09-05 18:30 213,089 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\jsharpde\motive.zip
2008-09-05 18:30 139,264 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPHWWBF4Duet\plugin\bin\ContentUpdater.exe
2008-09-05 18:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-05 18:10 --------- d-----w C:\Program Files\Disney Interactive
2008-09-05 18:09 --------- d-----w C:\Program Files\Comcast Rhapsody
2008-09-05 18:08 --------- d-----w C:\Program Files\Bonjour
2008-09-03 18:21 --------- d-----w C:\Program Files\Google
2008-09-03 17:04 --------- d-----w C:\Program Files\McAfee
2008-09-03 17:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-08-28 12:19 73,728 ----a-w C:\WINDOWS\ALCFDRTM.EXE
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 02:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
.

((((((((((((((((((((((((((((( snapshot@2008-09-05_15.15.53.71 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-13 11:05:51 272,128 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys
+ 2008-06-20 11:40:08 138,496 -c----w C:\WINDOWS\system32\dllcache\afd.sys
+ 2008-06-20 17:46:57 147,968 -c----w C:\WINDOWS\system32\dllcache\dnsapi.dll
+ 2008-07-07 20:26:58 253,952 -c----w C:\WINDOWS\system32\dllcache\es.dll
- 2008-05-01 14:30:33 331,776 -c--a-w C:\WINDOWS\system32\dllcache\msadce.dll
+ 2008-05-01 14:33:02 331,776 -c--a-w C:\WINDOWS\system32\dllcache\msadce.dll
+ 2008-06-24 16:43:16 74,240 -c----w C:\WINDOWS\system32\dllcache\mscms.dll
+ 2008-06-20 17:46:57 245,248 -c----w C:\WINDOWS\system32\dllcache\mswsock.dll
+ 2008-05-07 05:12:40 1,288,192 -c----w C:\WINDOWS\system32\dllcache\quartz.dll
+ 2008-06-20 11:51:12 361,600 -c----w C:\WINDOWS\system32\dllcache\tcpip.sys
+ 2008-06-20 11:08:27 225,856 -c----w C:\WINDOWS\system32\dllcache\tcpip6.sys
- 2007-07-30 23:19:28 203,096 -c--a-w C:\WINDOWS\system32\dllcache\wuweb.dll
+ 2008-07-19 02:09:44 205,000 -c--a-w C:\WINDOWS\system32\dllcache\wuweb.dll
- 2008-04-14 00:11:52 147,968 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2008-06-20 17:46:57 147,968 ----a-w C:\WINDOWS\system32\dnsapi.dll
- 2008-04-13 19:19:23 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
+ 2008-06-20 11:40:08 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
- 2008-04-13 18:46:32 273,024 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
+ 2008-06-13 11:05:51 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
- 2008-04-13 18:55:08 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
+ 2008-05-08 14:02:52 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
- 2008-04-13 19:20:16 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
+ 2008-06-20 11:51:12 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
- 2008-04-13 19:00:02 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
+ 2008-06-20 11:08:27 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
- 2008-04-14 00:11:54 691,712 ----a-w C:\WINDOWS\system32\inetcomm.dll
+ 2008-04-11 19:04:26 691,712 ----a-w C:\WINDOWS\system32\inetcomm.dll
- 2008-04-14 00:12:03 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
+ 2008-05-07 05:12:40 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
- 2007-11-30 12:39:22 17,272 ------w C:\WINDOWS\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w C:\WINDOWS\system32\spmsg.dll
+ 2008-09-08 13:36:11 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_500.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-08-07 32881]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 118784]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 659456]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 61440]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-08-07 180269]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 155648]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 C:\WINDOWS\AGRSMMSG.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-04-06 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-04-06 C:\WINDOWS\ALCWZRD.EXE]

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2005-12-14 225280]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoSecCPL"= 0 (0x0)
"NoDevMgrPage"= 0 (0x0)
"NoConfigPage"= 0 (0x0)
"NoVirtMemPage"= 0 (0x0)
"NoFileSysPage"= 0 (0x0)
"NoNetSetup"= 0 (0x0)
"NoNetSetupIDPage"= 0 (0x0)
"NoNetSetupSecurityPage"= 0 (0x0)
"NoWorkgroupContents"= 0 (0x0)
"NoEntireNetwork"= 0 (0x0)
"NoFileSharingControl"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"RestrictRun"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoRun"= 0 (0x0)
"NoLogOff"= 0 (0x0)
"NoFind"= 0 (0x0)
"NoClose"= 0 (0x0)
"NoSetFolders"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-02-08 15:03 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 20:12 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-02-27 20:32 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-08 10:41:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-08 10:42:32
ComboFix-quarantined-files.txt 2008-09-08 14:42:28
ComboFix2.txt 2008-09-05 19:16:26

Pre-Run: 175,943,045,120 bytes free
Post-Run: 175,955,931,136 bytes free

215 --- E O F --- 2008-09-08 13:34:22
  • 0

#6
IndiGenus

    Anti-Malware Buddha

  • Member
  • 1,617 posts
Hi,

Glad to hear it's running better. Some more work to do though...

Run HijackThis. (Vista users, please right click on HijackThis.exe and select "Run as an Administrator")
Click Do a System Scan Only. Put a Check in the box on the left side on these:

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} -
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} -
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} -

Then close all windows except HijackThis and press Fix checked.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Update Java Runtime:

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 7.
  • Go to the Sun Java Website
  • Click on the download button next to Java Runtime Environment (JRE) 6 Update 7
  • Check the circle next to I agree to the Java SE Runtime Environment 6 License Agreement.
  • Click on the link Windows Offline Installation, Multi-language and save the downloaded file to your hard disk.
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 2 Runtime Environment, JRE or JSE)
  • Reboot your computer
  • Delete the folder C:\Program Files\Java if present
  • Install the new version by running the newly-downloaded file, and follow the on-screen instructions.
  • Reboot your computer

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

First, use ATF Cleaner to remove temp files, cookies, cache, etc.

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply along with a Hijackthis log.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

Edited by IndiGenus, 08 September 2008 - 02:18 PM.

  • 0
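The three O16 entries singled out above are the ones with nothing after the dash: a registered ActiveX CLSID with no recorded download location. A small Python script, added here and not part of the thread or of HijackThis, that pulls the same orphaned O16 entries out of a pasted log and confirms they are gone in a later one; the sample lines are copied from the two HijackThis logs in this thread as posted (the URL truncation is the forum's).

```python
import re
from typing import List, NamedTuple, Optional

# HijackThis "O16 - DPF" lines list ActiveX controls registered under
# Downloaded Program Files. A normal entry records the URL the control was
# fetched from; an entry with nothing after the trailing dash has a CLSID
# but no origin, which is what the helper asked to have fixed.
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\})"
    r"(?: \((?P<name>[^)]*)\))?"
    r" -\s*(?P<url>\S.*)?$"
)


class DpfEntry(NamedTuple):
    clsid: str
    name: Optional[str]
    url: Optional[str]


def parse_o16(line: str) -> Optional[DpfEntry]:
    """Parse one HijackThis log line; return None unless it is an O16 entry."""
    m = O16_RE.match(line.strip())
    if not m:
        return None
    return DpfEntry(m["clsid"].upper(), m["name"], m["url"])


def orphaned_dpf(log_text: str) -> List[str]:
    """CLSIDs of O16 entries that carry no download URL, in log order."""
    entries = (parse_o16(line) for line in log_text.splitlines())
    return [e.clsid for e in entries if e is not None and not e.url]


def fix_applied(before: str, after: str) -> bool:
    """True when every orphaned CLSID from `before` is absent from `after`."""
    still_present = {
        e.clsid for e in map(parse_o16, after.splitlines()) if e is not None
    }
    return not (set(orphaned_dpf(before)) & still_present)


# Sample input: O16 section of the first log posted in this thread.
BEFORE = """\
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} -
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1154782497203
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
"""

# Sample input: O16 section of the log posted after "Fix checked" was run.
AFTER = """\
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1154782497203
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
"""

if __name__ == "__main__":
    for clsid in orphaned_dpf(BEFORE):
        print("O16 entry without a download URL:", clsid)
    print("fix applied:", fix_applied(BEFORE, AFTER))
```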

#7
cschaaf

    Member

  • Topic Starter
  • Member
  • 27 posts
Okay, here are my logs. Also, I have some Windows updates that won't install (Outlook 2003 Junk Mail, Security update for MS Office 03, and Security update for Office 03)

Thanks

Malwarebytes' Anti-Malware 1.28
Database version: 1137
Windows 5.1.2600 Service Pack 3

9/10/2008 2:38:38 PM
mbam-log-2008-09-10 (14-38-38).txt

Scan type: Quick Scan
Objects scanned: 50623
Time elapsed: 20 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:30:52 PM, on 9/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/a/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1154782497203
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe

--
End of file - 6205 bytes



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, September 11, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, September 10, 2008 14:56:32
Records in database: 1207325
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
H:\
I:\
J:\
K:\

Scan statistics:
Files scanned: 89747
Threat name: 6
Infected objects: 23
Suspicious objects: 0
Duration of the scan: 01:48:05


File name / Threat name / Threats count
C:\Documents and Settings\HP_Owner\.housecall6.6\Quarantine\2.tmp.bac_a02304 Infected: not-a-virus:FraudTool.Win32.XPAntivirus.qj 1
C:\Documents and Settings\HP_Owner\.housecall6.6\Quarantine\A0072966.exe.bac_a02304 Infected: not-a-virus:FraudTool.Win32.AntivirusXP2008.aa 1
C:\Documents and Settings\HP_Owner\.housecall6.6\Quarantine\A0072972.exe.bac_a02304 Infected: Trojan.Win32.Agent.absy 1
C:\Documents and Settings\HP_Owner\.housecall6.6\Quarantine\lcxdtqca.dll.bac_a02304 Infected: Trojan.Win32.Monder.mel 1
C:\QooBox\Quarantine\C\WINDOWS\system32\cwpuxhsm.dll.vir Infected: Trojan.Win32.Monder.mew 1
C:\QooBox\Quarantine\C\WINDOWS\system32\dekiua.dll.vir Infected: Trojan.Win32.Monder.mew 1
C:\QooBox\Quarantine\C\WINDOWS\system32\eoyazn.dll.vir Infected: Trojan.Win32.Monder.mew 1
C:\QooBox\Quarantine\C\WINDOWS\system32\fyrogx.dll.vir Infected: Trojan.Win32.Monder.mew 1
C:\QooBox\Quarantine\C\WINDOWS\system32\iyvomlld.dll.vir Infected: Trojan.Win32.Monder.mew 1
C:\QooBox\Quarantine\C\WINDOWS\system32\jmabsxvv.dll.vir Infected: Trojan.Win32.Monder.mew 1
C:\QooBox\Quarantine\C\WINDOWS\system32\jtbqbhtw.dll.vir Infected: Trojan.Win32.Monder.mel 1
C:\QooBox\Quarantine\C\WINDOWS\system32\rpbgqj.dll.vir Infected: Trojan.Win32.Monder.mew 1
C:\QooBox\Quarantine\C\WINDOWS\system32\wojkrklu.dll.vir Infected: Trojan.Win32.Monder.mew 1
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP850\A0074023.exe Infected: Trojan.Win32.Agent.accw 1
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP862\A0080782.dll Infected: Trojan.Win32.Monder.mew 1
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP862\A0080783.dll Infected: Trojan.Win32.Monder.mew 1
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP862\A0080785.dll Infected: Trojan.Win32.Monder.mew 1
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP862\A0080786.dll Infected: Trojan.Win32.Monder.mew 1
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP862\A0080787.dll Infected: Trojan.Win32.Monder.mew 1
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP862\A0080788.dll Infected: Trojan.Win32.Monder.mew 1
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP862\A0080790.dll Infected: Trojan.Win32.Monder.mel 1
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP862\A0080796.dll Infected: Trojan.Win32.Monder.mew 1
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP862\A0080800.dll Infected: Trojan.Win32.Monder.mew 1

The selected area was scanned.
  • 0

#8
IndiGenus

IndiGenus

    Anti-Malware Buddha

  • Member
  • PipPipPipPip
  • 1,617 posts
Hi,
At this point I am pretty confident you are all clean. Some traces picked up by MBAM were removed, and Kaspersky found items in System Restore and combofix's quarantine. We'll clean those out in a minute. You can also empty TM's quarantine.

C:\Documents and Settings\HP_Owner\.housecall6.6\Quarantine\2.tmp.bac_a02304 Infected: not-a-virus:FraudTool.Win32.XPAntivirus.qj 1
C:\Documents and Settings\HP_Owner\.housecall6.6\Quarantine\A0072966.exe.bac_a02304 Infected: not-a-virus:FraudTool.Win32.AntivirusXP2008.aa 1
C:\Documents and Settings\HP_Owner\.housecall6.6\Quarantine\A0072972.exe.bac_a02304 Infected: Trojan.Win32.Agent.absy 1
C:\Documents and Settings\HP_Owner\.housecall6.6\Quarantine\lcxdtqca.dll.bac_a02304 Infected: Trojan.Win32.Monder.mel 1


Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

I have some Windows updates that won't install (Outlook 2003 Junk Mail, Security update for MS Office 03, and Security update for Office 03)


Are you getting an error when trying to update? What happens? I'll try to help you sort it out here but if we determine you are all clean and I am not able to help, then I can refer you over to another area of the forums here. But let's see if we can work it out here first.
  • 0
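The helper's reasoning above rests on where each detection sits: files in a scanner's quarantine or in a System Restore snapshot are already neutralised, while anything still on the live file system would need action. The following is an added example, not a script from this thread or from Kaspersky, that parses report lines in the format quoted above and sorts them into those three buckets; the sample lines, paths and detection names in it are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the same layout as the Kaspersky report quoted in the
# thread: "<path> Infected: <detection name> <count>". Paths and names are made up.
SAMPLE_REPORT = """\
File name / Threat name / Threats count
C:\\Documents and Settings\\User\\.housecall6.6\\Quarantine\\a.exe.bac_000 Infected: not-a-virus:FraudTool.Win32.Example.aa 1
C:\\QooBox\\Quarantine\\C\\WINDOWS\\system32\\abcd.dll.vir Infected: Trojan.Win32.Example.bb 1
C:\\System Volume Information\\_restore{GUID}\\RP1\\A0000001.dll Infected: Trojan.Win32.Example.bb 1
C:\\WINDOWS\\system32\\live.dll Infected: Trojan.Win32.Example.cc 1

The selected area was scanned.
"""

# Path is matched non-greedily so spaces inside it do not break the split.
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


def classify(path: str) -> str:
    """Return 'system_restore', 'quarantine' or 'live' for a reported path."""
    low = path.lower()
    if "\\system volume information\\_restore" in low:
        return "system_restore"   # old restore point, cleared by resetting System Restore
    if "\\quarantine\\" in low:
        return "quarantine"       # already isolated by a scanner or ComboFix (QooBox)
    return "live"                 # still on the active file system: needs follow-up


def triage(report: str) -> dict:
    """Parse a report and group (path, threat, count) tuples by location."""
    groups = defaultdict(list)
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, blank or summary line
        groups[classify(m["path"])].append((m["path"], m["threat"], int(m["count"])))
    return dict(groups)


def needs_attention(report: str) -> list:
    """Paths that are not in a quarantine or restore point and so still matter."""
    return [path for path, _, _ in triage(report).get("live", [])]


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_REPORT).items():
        print(bucket, len(items))
    print("needs attention:", needs_attention(SAMPLE_REPORT))
```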

#9
cschaaf

cschaaf

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Okay, I cleared all of that.

I don't get any specific errors, but during the normal update install, it shows 'Failed!' next to those entries. At the end, a window comes up and says: 'Some updates could not be installed', then it lists the three entries.

Thanks for your help, again!
  • 0

#10
IndiGenus

IndiGenus

    Anti-Malware Buddha

  • Member
  • PipPipPipPip
  • 1,617 posts
Which updates specifically are failing to install? Name, number, etc.
  • 0

#11
cschaaf

cschaaf

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
The three that won't update are:

Security Update for Microsoft Office 2003 (KB953404)

Update for Outlook 2003 Junk E-mail Filter (KB956077)

Security Update for Office 2003 (KB954478)
  • 0

#12
IndiGenus

IndiGenus

    Anti-Malware Buddha

  • Member
  • PipPipPipPip
  • 1,617 posts
Hi,

Let's try this for those updates....

Unregister Windows Installer, and then reregister Windows Installer. To do this, follow these steps:

1. On the "Start" menu, click "Run"

2. In the "Open" box, type "msiexec /unreg", and then press ENTER.

3. On the "Start" menu, click "Run".

4. In the "Open" box, type "msiexec /regserver", and then press ENTER.

Let me know how you make out.
  • 0

#13
cschaaf

cschaaf

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Tried that, they still didn't go. I also tried to individually download them from MS site and try to install them that way... still no luck.

Thanks
  • 0

#14
IndiGenus

IndiGenus

    Anti-Malware Buddha

  • Member
  • PipPipPipPip
  • 1,617 posts

I also tried to individually download them from MS site and try to install them that way... still no luck


Hmm...that was my next suggestion. At this point in time I think we've verified you're clean and I will refer you to another section of the forums here that deal with issues other than malware.

http://www.geekstogo...2003-NT-f5.html

Just let them know you were here, give them the link, and give them some details of what's going on. They should be able to get you straightened out.

In addition to updating and using what you currently have you may want to consider the following:

Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. Here are some free and evaluation versions that provide better security than the Windows Firewall. Comodo
Outpost Firewall
For a tutorial on Firewalls and a listing of some other available ones see the link below:
Understanding and Using Firewalls

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly or set your computer to receive automatic updates. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Spybot - Search and Destroy - Spybot: Search And Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would with antivirus software.
A tutorial on installing & using this product can be found here:
Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

Install Ad-Aware - Ad-Aware SE You should also scan your computer with this program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.
A tutorial on installing & using this product can be found here:
Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware

Install SpywareGuard - SpywareGuard provides a real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method.
A tutorial on installing & using this product can be found here:
Using SpywareGuard to protect your computer from Spyware and Malware

Use Zoned Out -
Zoned Out will block access to malicious websites so you cannot be redirected to them from an infected site or email. Instructions for set up and use can be found at the website.

Update all of your Anti-Malware programs regularly - Make sure you update all the programs I have listed and the ones you are currently running regularly. Without regular updates you Will Not be protected when new malicious programs are released.

I'll leave the thread open a few days in case you have questions or issues.

Regards,
Dave
  • 0

#15
cschaaf

cschaaf

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Thanks for all of your help! I'll head over to the other board to see if we can fix the update issue.

Thanks, again!
  • 0
