Crippled laptop due to malware?

#1 rdwong (New Member, 3 posts)

Hi,

A couple of days ago, I downloaded a Flash player to play a file, only to find that it was infected with some virus. Don't know what it is. Tried a Norton antivirus scan, but got an error message stating that definitions are outdated. Now I have pop-ups galore and no web browser functionality (currently using a friend's comp). I was able to run ComboFix and generate this log. Can you point me in the right direction as to what I need to do to get my comp up and running normally again? Any help will be appreciated.

ComboFix log:
ComboFix 08-12-04.03 - Thi Nguyen 2008-12-04 12:40:56.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.538 [GMT -8:00]
Running from: E:\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\Thi Nguyen\My Documents\My Documents.url
c:\documents and settings\Thi Nguyen\My Documents\My Music\My Music.url
c:\documents and settings\Thi Nguyen\My Documents\My Pictures\My Pictures.url
c:\program files\TinyProxy
c:\program files\TinyProxy\tinyproxy.exe
c:\windows\fmark2.dat
c:\windows\system32\351631
c:\windows\system32\351631\351631.dll
c:\windows\system32\AutoRun.inf

.
((((((((((((((((((((((((( Files Created from 2008-11-04 to 2008-12-04 )))))))))))))))))))))))))))))))
.

2008-12-03 16:25 . 2008-12-03 16:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trend Micro
2008-12-03 16:23 . 2008-12-03 16:23 <DIR> d-------- c:\program files\Trend Micro
2008-12-02 12:14 . 2008-12-02 12:31 <DIR> d-------- c:\program files\AnvTrgrsoftware
2008-12-02 12:14 . 2008-12-04 12:39 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-02 12:13 . 2008-12-02 16:12 <DIR> d-------- c:\program files\WebMediaViewer
2008-12-02 12:13 . 2008-12-02 12:13 1 ---h----- c:\windows\f49f4daa.dat
2008-12-02 12:12 . 2008-12-02 12:12 22,016 ---h----- c:\windows\ugo02.exe
2008-12-02 12:12 . 2008-12-02 12:12 1 ---h----- c:\windows\frmark2.dat
2008-12-02 12:12 . 2008-12-02 12:12 1 ---h----- c:\windows\bemark2.dat
2008-11-25 14:05 . 2008-12-02 01:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-02 23:53 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-02 23:53 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-02 20:12 15,360 --s-a-w c:\windows\system32\pbhha.dll
2008-11-25 22:09 --------- d-----w c:\program files\Google
2008-11-24 11:03 --------- d-----w c:\documents and settings\Thi Nguyen\Application Data\Move Networks
2008-10-23 09:22 --------- d-----w c:\documents and settings\Thi Nguyen\Application Data\U3
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64466B8E-20A7-4A4A-AFF4-AAD9CA68B52C}]
2008-12-04 12:39 37175 --a------ c:\program files\WebMediaViewer\hpmun.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95E9BCC0-2E84-4500-8A9C-0B7A96769124}]
2008-12-02 03:42 177152 --a------ c:\program files\AnvTrgrsoftware\AnvTrgrWarning.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Aim6"="c:\program files\AIM6\aim6.exe" [2007-04-27 50736]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 68856]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"AnvTrgr"="c:\program files\AnvTrgrsoftware\AnvTrgr.exe" [2008-12-02 1679360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-08-03 1032192]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-05 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-11-27 236544]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2006-08-22 184320]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-16 57344]
"Lexmark 1200 Series"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2006-07-12 57344]
"StatusClient"="c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 36864]
"TomcatStartup"="c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 155648]
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe" [2007-07-24 98304]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"eFax 4.3"="c:\program files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 116224]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-15 1398024]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"QuickTime Task"="c:\program files\WebMediaViewer\qttask.exe" [2008-12-02 65693]
"VMware hptray"="c:\program files\WebMediaViewer\hpmon.exe" [2008-12-02 88296]

c:\documents and settings\Thi Nguyen\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-11-27 24576]
eFax 4.3.lnk - c:\program files\eFax Messenger 4.3\J2GTray.exe [2008-05-02 629248]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 81920]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{51e7273d-911a-445a-bf46-bd4b86b0e87b}"= "c:\windows\system32\pbhha.dll" [2008-12-02 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=

R2 EEDDE1D810E77F68;EEDDE1D810E77F68;\??\c:\documents and settings\Thi Nguyen\Desktop\EEDDE1D810E77F68\EEDDE1D810E77F68 []
R2 SpotGPSMaxim;Spot GPS Maxim;"c:\program files\CoPilot\Navigator9\App\Spot2741.exe" [2006-03-30 651385]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-03-12 24652]
S2 DCOM Server Process Launcher (DcomLaunch) ;DCOM Server Process Launcher (DcomLaunch) ;c:\program files\tinyproxy\tinyproxy.exe []
S3 spotJ;Spot Software GPS USB Driver;c:\windows\system32\Drivers\spotJ.sys [2006-12-24 34304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{83a5c6e1-438a-11dc-94eb-0015c5a60aa1}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d94c757-dbb1-11db-942c-0018f3d68656}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a421ba4b-dd6f-11db-942e-0015c5a60aa1}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
- - - - ORPHANS REMOVED - - - -

BHO-{6A26574A-DD6D-4382-8C76-0DF06C478D3A} - c:\windows\system32\351631\351631.dll
HKLM-Run-PRISMSVR.EXE - c:\windows\system32\PRISMSVR.EXE


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3061127
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=127.0.0.1:9090
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.expressto...om/redirect.php
IE: {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.expressto...om/redirect.php -

c:\windows\Downloaded Program Files\FotkiUploader.ocx - O16 -: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3}
hxxp://images.fotki.com/activex/FotkiUploader.cab
c:\windows\Downloaded Program Files\FotkiUploader.inf
FireFox -: Profile - c:\documents and settings\Thi Nguyen\Application Data\Mozilla\Firefox\Profiles\tbnj6ekn.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-04 12:43:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\EEDDE1D810E77F68]
"ImagePath"="\??\c:\documents and settings\Thi Nguyen\Desktop\EEDDE1D810E77F68\EEDDE1D810E77F68"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\EEDDE1D810E77F68]
"ImagePath"="\??\c:\documents and settings\Thi Nguyen\Desktop\EEDDE1D810E77F68\EEDDE1D810E77F68"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2008-12-04 12:44:41
ComboFix-quarantined-files.txt 2008-12-04 20:43:38

Pre-Run: 27,994,263,552 bytes free
Post-Run: 27,979,083,776 bytes free

185 --- E O F --- 2008-04-09 06:03:57

Thanks in advance for your help!
#2 miekiemoes (Malware Expert, MVP, 5,503 posts)

Hi,

I see you have Viewpoint installed...
Viewpoint Manager is considered foistware instead of malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.co...cle.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Then,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
c:\windows\system32\pbhha.dll
c:\windows\f49f4daa.dat
c:\windows\ugo02.exe
c:\windows\frmark2.dat
c:\windows\bemark2.dat
Dirlook::
c:\documents and settings\Thi Nguyen\Desktop\EEDDE1D810E77F68
Folder::
c:\program files\AnvTrgrsoftware
c:\program files\WebMediaViewer
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64466B8E-20A7-4A4A-AFF4-AAD9CA68B52C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95E9BCC0-2E84-4500-8A9C-0B7A96769124}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnvTrgr"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{51e7273d-911a-445a-bf46-bd4b86b0e87b}"=-


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: dragging CFScript onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

Extra note...

In case you lost internet access after performing above instructions:

In IE: Tools menu -> Internet Options -> Connections tab -> LAN Settings -> uncheck "Use a proxy server", or reconfigure the proxy server again in case you have set it previously.
In Firefox: Tools menu -> Options... -> Advanced tab -> Network tab -> "Settings" under Connection.
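The indicators visible in the log above (the browser proxy pointed at 127.0.0.1:9090, which is why the "lost internet access" note matters; the Security Center alert and firewall settings switched off; a TinyProxy binary registered under the DcomLaunch service name; and the "QuickTime Task" Run value appearing twice with different executables) can be pulled out of a ComboFix log mechanically. The Python below is an added example, not part of this thread and not a ComboFix feature; the regexes, finding labels and the short list of built-in Windows service names are this example's own assumptions, and the log excerpt is constructed from the lines posted above.

```python
"""Triage checks over a ComboFix log excerpt.

Added example for this thread; not part of the original posts and not a
ComboFix feature. The regexes, finding labels and the list of built-in
service names are this example's own assumptions.
"""
import re
from collections import defaultdict

# Constructed excerpt: lines copied in shape from the log posted in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"QuickTime Task"="c:\program files\WebMediaViewer\qttask.exe" [2008-12-02 65693]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R2 SpotGPSMaxim;Spot GPS Maxim;"c:\program files\CoPilot\Navigator9\App\Spot2741.exe" [2006-03-30 651385]
S2 DCOM Server Process Launcher (DcomLaunch) ;DCOM Server Process Launcher (DcomLaunch) ;c:\program files\tinyproxy\tinyproxy.exe []

uInternet Settings,ProxyServer = http=127.0.0.1:9090
"""

RUN_VALUE = re.compile(r'^"([^"]+)"="([^"]+)"')
SERVICE = re.compile(r'^[RS][0-4] ([^;]+);([^;]*);"?([^"\[]+?)"?\s*\[([^\]]*)\]$')
PROXY = re.compile(r'ProxyServer\s*=\s*(\S+)')
# Exact value lines ComboFix prints when protection reporting is switched off.
DISABLED_PROTECTION = {
    '"AntiVirusDisableNotify"=dword:00000001': "Security Center antivirus alerts disabled",
    '"DisableMonitoring"=dword:00000001': "Security Center product monitoring disabled",
    '"EnableFirewall"= 0 (0x0)': "Windows Firewall off for the standard profile",
}
# Short names of services that ship with Windows and never run from Program Files.
WINDOWS_SERVICE_NAMES = {"dcomlaunch", "rpcss", "eventlog", "plugplay"}


def triage_combofix(log_text):
    """Return a list of (category, detail) findings for one log text."""
    findings = []
    run_paths = defaultdict(set)  # Run value name -> executables it points at
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in DISABLED_PROTECTION:
            findings.append(("protection-disabled", DISABLED_PROTECTION[line]))
            continue
        m = PROXY.search(line)
        if m:
            # "http=127.0.0.1:9090" -> "127.0.0.1"; a loopback proxy means
            # something on the box sits between the browser and the network.
            host = m.group(1).split("=")[-1].split(":")[0]
            if host in ("127.0.0.1", "localhost"):
                findings.append(("local-proxy", f"browser proxy set to {m.group(1)}"))
            continue
        m = RUN_VALUE.match(line)
        if m:
            run_paths[m.group(1).lower()].add(m.group(2).lower())
            continue
        m = SERVICE.match(line)
        if m:
            name, image, fileinfo = m.group(1).strip(), m.group(3).strip(), m.group(4)
            paren = re.search(r"\(([^)]+)\)\s*$", name)
            short = (paren.group(1) if paren else name).lower()
            if short in WINDOWS_SERVICE_NAMES and "\\windows\\system32\\" not in image.lower():
                findings.append(("service-masquerade",
                                 f"'{short}' runs from {image}, not from system32"))
            if not fileinfo.strip():
                # ComboFix printed no date/size: the image is missing or unreadable.
                findings.append(("service-unverified", f"{short}: no file info for {image}"))
    for name, paths in run_paths.items():
        if len(paths) > 1:
            findings.append(("run-name-collision",
                             f"Run value '{name}' launches {len(paths)} executables: {sorted(paths)}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage_combofix(SAMPLE_LOG):
        print(f"{category:20} {detail}")
```

Run against the full log rather than the excerpt, the same checks also surface the `EEDDE1D810E77F68` service, which ComboFix lists with an empty `[]` file-info field.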

#3 rdwong (Topic Starter, New Member, 3 posts)

I followed the instructions. ComboFix was running midway and it suddenly just froze on the blue screen, as if attempting to reboot. So I manually rebooted after the screen sat there forever. Now when I try to rerun ComboFix, I get a blank blue screen and must Alt+Ctrl+Del to end the program. The program never produced a new ComboFix.txt for me either, so I have nothing to copy and paste as results in here.

However, the one good thing is that after rebooting, my anti-virus trigger (the virus program) didn't load up. It's just that I still can't access anything else on my laptop. Please help?

#4 miekiemoes (Malware Expert, MVP, 5,503 posts)

Hi,

Please try it from Windows Safe Mode, but create this CFScript now and drag it into ComboFix in Windows Safe Mode:

File::
c:\windows\system32\pbhha.dll
c:\windows\f49f4daa.dat
c:\windows\ugo02.exe
c:\windows\frmark2.dat
c:\windows\bemark2.dat
Driver::
EEDDE1D810E77F68
Folder::
c:\program files\AnvTrgrsoftware
c:\program files\WebMediaViewer
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64466B8E-20A7-4A4A-AFF4-AAD9CA68B52C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95E9BCC0-2E84-4500-8A9C-0B7A96769124}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnvTrgr"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{51e7273d-911a-445a-bf46-bd4b86b0e87b}"=-


#5 miekiemoes (Malware Expert, MVP, 5,503 posts)

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

#6 admin (Founder Geek, Community Leader, 24,575 posts)

Topic opened at starter's request.

#7 rdwong (Topic Starter, New Member, 3 posts)

After running ComboFix once again, it produced a message in the blue box: "Almost done.. This window will close in a short while. Please wait a few seconds for the report log to pop up

ComboFix's log shall be located at C:\COMBOFIX.TXT"

A log never popped up, and instead of being located at C:\Combofix.txt, a COMBOFIX folder was created on the C drive and in there was the Combofix.txt. Not sure if that makes a difference but wanted to make exact note.

Below is the combofix.txt

------------------------

ComboFix 08-12-04.03 - Administrator 2009-01-09 12:57:41.4 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.815 [GMT -8:00]
Running from: E:\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\WebMediaViewer
c:\program files\WebMediaViewer\hpmom.exe
c:\program files\WebMediaViewer\hpmun.dll
.
---- Previous Run -------
.
c:\program files\AnvTrgrsoftware
c:\program files\AnvTrgrsoftware\AnvTrgr.exe
c:\program files\AnvTrgrsoftware\AnvTrgrWarning.dll
c:\program files\WebMediaViewer\browseu.exe
c:\program files\WebMediaViewer\browseul.dll
c:\program files\WebMediaViewer\hpmom.exe
c:\program files\WebMediaViewer\hpmon.exe
c:\program files\WebMediaViewer\hpmun.dll
c:\program files\WebMediaViewer\hpmun.exe
c:\program files\WebMediaViewer\myd.ico
c:\program files\WebMediaViewer\mym.ico
c:\program files\WebMediaViewer\myp.ico
c:\program files\WebMediaViewer\myv.ico
c:\program files\WebMediaViewer\ot.ico
c:\program files\WebMediaViewer\qttask.exe
c:\program files\WebMediaViewer\qttaskm.exe
c:\program files\WebMediaViewer\qttasku.exe
c:\program files\WebMediaViewer\ts.ico

.
((((((((((((((((((((((((( Files Created from 2008-12-09 to 2009-01-09 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-09 22:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-12-09 22:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-12-09 22:12 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-12-04 21:08 --------- d-----w C:\Documents and Settings\Thi Nguyen\Application Data\AdwareAlert
2008-12-04 21:01 --------- d-----w C:\Program Files\AdwareAlert
2008-12-04 00:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-12-04 00:23 --------- d-----w C:\Program Files\Trend Micro
2008-12-02 23:53 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-12-02 23:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-12-02 20:12 22,016 ---h--w C:\WINDOWS\ugo02.exe
2008-11-25 22:09 --------- d-----w C:\Program Files\Google
2008-11-24 11:03 --------- d-----w C:\Documents and Settings\Thi Nguyen\Application Data\Move Networks
.

((((((((((((((((((((((((((((( [email protected]_12.43.21.82 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-09 21:01:39 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_2cc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 00:24 20480]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 03:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24 1694208]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 13:17 50736]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 20:27 68856]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 17:16 454784]
"AdwareAlert"="C:\Program Files\AdwareAlert\AdwareAlert.exe" [2008-12-02 06:09 9093120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 12:01 67584]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 21:44 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 21:41 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 21:45 118784]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 13:08 1347584]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-08-03 16:51 1032192]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 16:48 761947]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-05 23:05 127035]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 14:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 14:50 81920]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-11-27 12:28 236544]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2006-08-22 13:32 184320]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-16 01:37 57344]
"Lexmark 1200 Series"="C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" [2006-07-12 21:22 57344]
"StatusClient"="C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 15:51 36864]
"TomcatStartup"="C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 18:28 155648]
"OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe" [2007-07-24 17:15 98304]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 20:34 49152]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 22:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 09:36 267048]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 09:21 116224]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-15 07:02 1398024]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 21:30 282624 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\Thi Nguyen\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 20:05:26 29696]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-11-27 12:20:25 24576]
eFax 4.3.lnk - C:\Program Files\eFax Messenger 4.3\J2GTray.exe [2008-05-02 10:11:36 629248]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 20:26:24 210520]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 06:56:20 73728]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 12:05:56 65588]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 20:07:32 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=

R2 EEDDE1D810E77F68;EEDDE1D810E77F68;\??\C:\Documents and Settings\Thi Nguyen\Desktop\EEDDE1D810E77F68\EEDDE1D810E77F68 []
R2 SpotGPSMaxim;Spot GPS Maxim;"C:\Program Files\CoPilot\Navigator9\App\Spot2741.exe" [2006-03-30 14:44:18 651385]
S2 DCOM Server Process Launcher (DcomLaunch) ;DCOM Server Process Launcher (DcomLaunch) ;C:\Program Files\tinyproxy\tinyproxy.exe []
S3 spotJ;Spot Software GPS USB Driver;C:\WINDOWS\system32\Drivers\spotJ.sys [2006-12-24 20:42:44 34304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{83a5c6e1-438a-11dc-94eb-0015c5a60aa1}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d94c757-dbb1-11db-942c-0018f3d68656}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a421ba4b-dd6f-11db-942e-0015c5a60aa1}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-01-09 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job
- C:\Program Files\AdwareAlert\AdwareAlert.exe [2008-12-02 06:09]

2009-01-09 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job
- C:\Program Files\AdwareAlert [2008-12-04 13:01]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Explorer_Run-QuickTime Task - C:\Program Files\WebMediaViewer\qttask.exe
HKLM-Explorer_Run-VMware hptray - C:\Program Files\WebMediaViewer\hpmon.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3061127
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=127.0.0.1:9090
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.expressto...om/redirect.php
IE: {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.expressto...om/redirect.php -

C:\WINDOWS\Downloaded Program Files\FotkiUploader.ocx - O16 -: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3}
hxxp://images.fotki.com/activex/FotkiUploader.cab
C:\WINDOWS\Downloaded Program Files\FotkiUploader.inf
FireFox -: Profile - C:\Documents and Settings\Thi Nguyen\Application Data\Mozilla\Firefox\Profiles\tbnj6ekn.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com
.
-----------------------------

I restarted the computer and still the CPU activity jumps from 3% to 40%. I can open up Microsoft Word but nothing else....