The BullGuard products and services are part of NortonLifeLock Inc., a global leader in consumer Cyber Safety with a portfolio of brands including Norton, Avira and more. Learn more at NortonLifeLock.com

AVG says trojan downloader and trojan horses

Posted 11/28/2008 2:51 AM
#69025

keng53140 Advanced member

Date Joined Nov 2016
Total Posts: 77
Logfile of HijackThis v1.99.1
Scan saved at 8:48:56 PM, on 11/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\HPQ\IAM\bin\asghost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
C:\Program Files\ProtectTools\Embedded Security Software\SpTna.exe
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTServs.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HPQ\HP wireless Assistant\HPQWA_UI.EXE
C:\Program Files\HPQ\HP wireless Assistant\HPQWA_UI.EXE
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = https://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [url=https://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*https://www.yahoo.com]https://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*https://www.yahoo.com[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [url=https://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*https://www.yahoo.com/ext/search/search.html]https://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*https://www.yahoo.com/ext/search/search.html[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [url=https://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*https://www.yahoo.com]https://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*https://www.yahoo.com[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://go.microsoft.com/fwlink/?LinkId=74005
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {ADA12CEB-64E9-494A-B404-D0ECF3065519} - C:\WINDOWS\system32\urqNGYQK.dll (file missing)
O2 - BHO: HP Credential Manager for ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\HPQ\IAM\Bin\ItIeAddIN.dll
O2 - BHO: (no name) - {F0BD6ABA-9FBC-4B7F-96CF-68375F3FF213} - C:\WINDOWS\system32\opnlLBQJ.dll (file missing)
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll,RegisterModule
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [4b43bd73] rundll32.exe "C:\WINDOWS\system32\mxivaenk.dll",b
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=https://www.hp.com
O16 - DPF: {0470E62C-C97E-4317-81E5-0774D8CBF7B7} (EndPointScan Class) - https://www.endpointscan.com/EndPointScan.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - https://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - https://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.6.0.cab
O16 - DPF: {2FE68711-8830-417D-95E0-EAB307DB0447} (mpsPwLc7.PMWebSiteLogin) - https://prolog.tsargent.com/PW/mpsPwLc7.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - https://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {576756A1-D97C-45D0-A945-0324019A131E} (BOSIActiveFormX Control) -
O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - https://sp.emrsn.com/sharepoint_it/Portal/resources/msddsc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - https://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151025304987
O16 - DPF: {6AF2E1A7-A16E-4503-A440-07CA49122CCE} (BOSIRichEditActiveX Control) -
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - https://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - https://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183485533125
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - https://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Pepsi/Coupons.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {E7C44C86-0CD3-11D2-9311-00A0247A4E65} (SEAGULL J Walk ActiveX Client) - https://marketplace.doitbestcorp.com/JWALK/JWalkX/jwalkx.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,avgrsstx.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: hgdbxvv - hgdbxvv.dll (file missing)
O20 - Winlogon Notify: IfxWlxEN - C:\WINDOWS\SYSTEM32\IfxWlxEN.dll
O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
O20 - Winlogon Notify: urqNGYQK - urqNGYQK.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: GFI ReportCenter 3.5 (GFI_ReportCenter35) - Unknown owner - C:\Program Files\Common Files\GFI\ReportCenter\Framework v3.5\gfireporterservice.exe" -service (file missing)
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
O23 - Service: SonicWall VPN Client Service (RampartSvc) - Unknown owner - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe (file missing)
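
The log above is the original poster's. What follows is an added triage script, not code from the post or from the HijackThis project, that scans a HijackThis-style log for the indicator patterns visible in it: a svchost.exe copy running from C:\WINDOWS\Fonts, a Run value with a random hex name that hands a DLL to rundll32 through a one-letter entry point, and BHO / Winlogon Notify entries pointing at randomly named, missing DLLs. The sample lines are constructed from those patterns, and the weights and the "random-looking name" heuristic are my assumptions, not anything HijackThis itself computes.

```python
import re
from collections import Counter

# Constructed sample modelled on the posted log (not a verbatim copy of it).
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {ADA12CEB-64E9-494A-B404-D0ECF3065519} - C:\WINDOWS\system32\urqNGYQK.dll (file missing)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [4b43bd73] rundll32.exe "C:\WINDOWS\system32\mxivaenk.dll",b
O20 - Winlogon Notify: hgdbxvv - hgdbxvv.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,avgrsstx.dll
"""

# Windows binaries whose names malware borrows; a copy outside system32 is a strong signal.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "smss.exe"}
SYSTEM32 = "c:\\windows\\system32\\"

LINE_RE = re.compile(r"^(?P<section>[ORF]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,(?P<export>\S*)', re.IGNORECASE)
IMAGE_RE = re.compile(r'^"?(?P<img>[^"]+?\.exe)"?(?:\s|$)', re.IGNORECASE)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{6,}$")


def looks_random(filename):
    """Weak signal (assumption): Vundo-style names are nearly vowel-free (hgdbxvv) or a
    lowercase run followed by an uppercase run (urqNGYQK). Vendor DLLs such as
    avgrsstx.dll trip this too, so it never flags a line on its own (weight 1 of 2)."""
    stem = filename.rsplit(".", 1)[0]
    if not stem.isalpha() or len(stem) < 5:
        return False
    vowels = sum(c in "aeiouAEIOU" for c in stem)
    return vowels / len(stem) < 0.2 or re.fullmatch(r"[a-z]+[A-Z]+", stem) is not None


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def check_run_entry(body):
    m = RUN_RE.match(body)
    if not m:
        return []
    name, cmd = m.group("name"), m.group("cmd")
    im = IMAGE_RE.match(cmd.strip())
    image = im.group("img") if im else cmd.strip().split(" ", 1)[0]
    norm = image.lower().replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows")
    reasons = []
    if basename(norm) in SYSTEM_BINARIES and not norm.startswith(SYSTEM32):
        reasons.append((2, "system binary name running from outside system32"))
    if HEX_NAME_RE.match(name.lower()):
        reasons.append((1, "Run value name is a random hex string"))
    rd = RUNDLL_RE.search(cmd)
    if rd:
        if len(rd.group("export")) == 1:
            reasons.append((2, "rundll32 entry point is a single letter"))
        if looks_random(basename(rd.group("dll"))):
            reasons.append((1, "random-looking DLL name"))
    return reasons


def check_winlogon_notify(body):
    m = NOTIFY_RE.match(body)
    if not m:
        return []
    name, path = m.group("name"), m.group("path")
    reasons = []
    if "(file missing)" in path:
        reasons.append((1, "Winlogon Notify DLL is missing"))
    if "\\" not in path:
        reasons.append((1, "Winlogon Notify DLL given by bare name (loaded via the search path)"))
    if looks_random(name):
        reasons.append((1, "random-looking DLL name"))
    return reasons


def check_bho(body):
    m = BHO_RE.match(body)
    if not m:
        return []
    name, path = m.group("name").strip(), m.group("path")
    reasons = []
    if name == "(no name)":
        reasons.append((1, "BHO registered without a name"))
    if "(file missing)" in path:
        reasons.append((1, "BHO DLL is missing"))
    if looks_random(basename(path.replace(" (file missing)", ""))):
        reasons.append((1, "random-looking DLL name"))
    return reasons


CHECKS = {"O4": check_run_entry, "O20": check_winlogon_notify, "O2": check_bho}


def triage(log_text, threshold=2):
    """Return the lines whose summed indicator weight reaches the threshold."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        check = CHECKS.get(m.group("section"))
        reasons = check(m.group("body")) if check else []
        score = sum(w for w, _ in reasons)
        if score >= threshold:
            findings.append({"line": raw.strip(), "score": score, "reasons": [r for _, r in reasons]})
    return findings


def summarize(findings):
    """Count how often each indicator fired across the flagged lines."""
    return Counter(r for f in findings for r in f["reasons"])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["score"], f["line"])
        for r in f["reasons"]:
            print("   -", r)
```

A score of 2 flags a line; the name heuristic alone never reaches it, which keeps vendor DLLs with unpronounceable names (avgrsstx.dll, IfxWlxEN.dll) out of the findings unless a second signal agrees. Everything flagged still needs a look at the file on disk: HijackThis shows where an entry points, not what the target does.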
Posted 11/28/2008 3:00 AM
#69026

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974

Click here: Before-posting-a-log

Do not PM me with logfiles. They will be deleted.


Posted 11/28/2008 3:05 AM
#69028

keng53140 Advanced member

Date Joined Nov 2016
Total Posts: 77
No, this is my first post in here for ages.
Posted 11/28/2008 3:09 AM
#69030

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
My bad - sorry. Your last post was posted in December 2007





Download this program: https://www.ctrlaltdel.dk/Fix_download.exe

and save it on the desktop. Then double click on it (Fix_download.exe).

You may have to allow the program to download files from the web!

The program downloads the necessary cleaning programs. Once the download
is complete, there will be a folder on your desktop named
Fix. If the instructions do not open automatically,
double-click "FIX_manual.htm" in the Fix folder.

Please follow the instructions and copy the logs here, in this Topic.



Note : Fix_download.exe is detected by some antivirus programs as a "RiskTool" /infection; it is not a virus. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.







If necessary, temporarily disable your anti-virus, real-time protection before downloading



Posted 11/28/2008 3:13 AM
#69031

keng53140 Advanced member

Date Joined Nov 2016
Total Posts: 77
I cannot download it; it says access is denied.
Posted 11/28/2008 3:19 AM
#69033

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Ok. We'll go step by step ->



https://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol;pop&cdlPid=10878968


Save the file as setup.exe


Run the setup.exe file
When it gets to the final step of the installation it will seem like it froze. It hasn't, but it will take anywhere from 15 minutes to an hour to get through that step, so just let it do its thing.
Go into the Malware folder in through Program Files
Rename the mbam.exe or what not file to mab.exe and run it.
Do a full computer scan
Check all and remove/fix/delete them.


Restart your computer and post the log






Posted 11/28/2008 3:25 AM
#69034

keng53140 Advanced member

Date Joined Nov 2016
Total Posts: 77
OK, I downloaded it and am running it now.
Posted 11/28/2008 3:26 AM
#69036

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Ok :smile:



Posted 11/28/2008 5:54 AM
#69047

keng53140 Advanced member

Date Joined Nov 2016
Total Posts: 77
Malwarebytes' Anti-Malware 1.30
Database version: 1430
Windows 5.1.2600 Service Pack 3

11/27/2008 11:50:04 PM
mbam-log-2008-11-27 (23-50-00).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 233526
Time elapsed: 1 hour(s), 55 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 47
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 9
Files Infected: 32

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ada12ceb-64e9-494a-b404-d0ecf3065519} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\urqngyqk (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{ada12ceb-64e9-494a-b404-d0ecf3065519} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\cpbrkpie.coupon6ctrl.1 (Adware.Coupons) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{6e780f0b-bcd6-40cb-b2db-7af47ab4d4a4} (Adware.Coupons) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{a138be8b-f051-4802-9a3f-a750a6d862d4} (Adware.Coupons) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{a85a5e6a-de2c-4f4e-99dc-f469df5a0eec} (Adware.Coupons) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.Antivirus2008) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4b43bd73 (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Host Process (Worm.IRCBot) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyWebSearch\bar\History (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> No action taken.
C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> No action taken.
C:\Program Files\FunWebProducts\ScreenSaver (Adware.MyWebSearch) -> No action taken.
C:\Program Files\FunWebProducts\ScreenSaver\Images (Adware.MyWebSearch) -> No action taken.
C:\Program Files\FunWebProducts\Shared (Adware.MyWebSearch) -> No action taken.
C:\WINDOWS\Fonts\' (Trojan.Agent) -> Files: 9182 -> No action taken.

Files Infected:
C:\WINDOWS\system32\urqNGYQK.dll (Trojan.Vundo.H) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\ede0f230-89f3-46c9-b8af-f06f9dc33560.tmp (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LDEQOLMR\zc113432[1] (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP734\A0180644.exe (Adware.Webhancer) -> No action taken.
C:\WINDOWS\Fonts\Setup.exe (Trojan.Downloader) -> No action taken.
C:\Program Files\MyWebSearch\bar\History\search3 (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyWebSearch\bar\Settings\settings.dat (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> No action taken.
C:\Program Files\FunWebProducts\ScreenSaver\Images\07FA9A01.urr (Adware.MyWebSearch) -> No action taken.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\sstqo.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\gebca.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\gebcd.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\gebyy.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\jkkjj.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\pmkji.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\mljjh.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\awtqp.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\ssqrq.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\ssqrr.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\vtstt.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\mlljh.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\ddccb.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\pmnnn.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\awvtr.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\awvvu.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\awvvv.dll (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\Owner\My Documents\My Music\My Music.url (Trojan.Zlob) -> No action taken.
C:\Documents and Settings\Owner\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\cmdinst.exe (Trojan.Agent) -> No action taken.
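
Every item in the log above ends in "No action taken": the scan ran, but nothing was removed. As an added example, not code from the thread or from Malwarebytes, the parser below reads this 1.x log layout and answers the two questions a helper asks of such a paste: did remediation actually happen, and is the paste complete (do the header counts match the items listed)? The sample log is constructed from the patterns above; the section and item layout follow the format as posted.

```python
import re
from collections import Counter

# Constructed sample in the Malwarebytes 1.x log layout, modelled on the posted log.
SAMPLE_MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.30
Database version: 1430

Scan type: Full Scan (C:\|E:\|)

Memory Processes Infected: 0
Registry Keys Infected: 2
Registry Data Items Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ada12ceb-64e9-494a-b404-d0ecf3065519} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.

Files Infected:
C:\WINDOWS\system32\urqNGYQK.dll (Trojan.Vundo.H) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\cmdinst.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# "Registry Keys Infected: 47" is a summary line; "Registry Keys Infected:" opens the item list.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):(?: (?P<count>\d+))?$")
# "<path> (<family>) -> [<detail> -> ]<action>."
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.*)$")


def parse_mbam_log(text):
    summary, items, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        s = SECTION_RE.match(line)
        if s:
            if s.group("count") is not None:
                summary[s.group("name")] = int(s.group("count"))
            else:
                section = s.group("name")
            continue
        m = ITEM_RE.match(line)
        if m and section:
            # The last "->" segment is the outcome; earlier ones are detail such as "Bad: (1) Good: (0)".
            action = m.group("rest").split(" -> ")[-1].rstrip(".")
            items.append({"section": section, "path": m.group("path"),
                          "family": m.group("family"), "action": action})
    return {"summary": summary, "items": items}


def action_counts(parsed):
    return Counter(i["action"] for i in parsed["items"])


def pending_families(parsed):
    """Families still present because their result was left at 'No action taken'."""
    return sorted({i["family"] for i in parsed["items"] if i["action"] == "No action taken"})


def summary_consistent(parsed):
    """Header counts must equal the items listed per section; a truncated paste fails here."""
    listed = Counter(i["section"] for i in parsed["items"])
    return all(listed.get(name, 0) == n for name, n in parsed["summary"].items())


def remediation_complete(parsed):
    return not pending_families(parsed)


if __name__ == "__main__":
    p = parse_mbam_log(SAMPLE_MBAM_LOG)
    print("complete paste:", summary_consistent(p))
    print("actions:", dict(action_counts(p)))
    print("still pending:", pending_families(p))
```

Run against the log posted above, `pending_families` would list every family found and `remediation_complete` would be false, which is exactly the objection in the next reply.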
Posted 11/28/2008 6:06 AM
#69052

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
You were supposed to - "Check all and remove/fix/delete them."



Please download Combofix:

https://download.bleepingcomputer.com/subs/combofix.exe



And save to the desktop.


Close all other browser windows.



Please connect all your external hard drives/flash drives before running Combofix







Important-> Temporarily disable your anti-virus, real-time protection before performing a scan. They can interfere with combofix or remove some of its embedded files which may cause "unpredictable results".



Double-click on the combofix icon found on your desktop.



Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.


When finished, it will produce a logfile located at C:\combofix.txt.


Post the contents of that log in your next reply along with -> new malwarebyte log



Posted 11/28/2008 6:35 AM
#69053

keng53140 Advanced member

Date Joined Nov 2016
Total Posts: 77
ComboFix 08-11-27.03 - Owner 2008-11-28 0:12:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1354 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\inst.exe
c:\documents and settings\Owner\Application Data\FunWebProducts
c:\documents and settings\Owner\My Documents\My Music\My Music.url
c:\documents and settings\Owner\My Documents\My Pictures\My Pictures.url
c:\program files\FunWebProducts
c:\program files\FunWebProducts\ScreenSaver\Images\07FA9A01.urr
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\History\search3
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\MyWebSearch\bar\Settings\setting2.htm
c:\program files\MyWebSearch\bar\Settings\settings.dat
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\temp\tn3
c:\windows\Downloaded Program Files\setup.inf
c:\windows\Fonts\'
c:\windows\Fonts\a.zip
c:\windows\Fonts\Setup.exe
c:\windows\IE4 Error Log.txt
c:\windows\system32\awvvu.dll
c:\windows\system32\awvvv.dll
c:\windows\system32\Cache
c:\windows\system32\gebyy.dll
c:\windows\system32\jkkjj.dll
c:\windows\system32\JQBLlnpo.ini
c:\windows\system32\JQBLlnpo.ini2
c:\windows\system32\kneavixm.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\pac.txt
c:\windows\system32\ssqrq.dll
c:\windows\system32\ssqrr.dll
c:\windows\system32\sstqo.dll
c:\windows\Tasks\hckraxmo.job
E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-28 )))))))))))))))))))))))))))))))
.

2008-11-27 21:22 . 2008-11-27 21:22 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-27 21:22 . 2008-11-27 21:22 d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2008-11-27 21:22 . 2008-11-27 21:22 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-27 21:22 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-27 21:22 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-26 12:45 . 2008-11-26 13:06 d-------- c:\documents and settings\Owner\Application Data\U3
2008-11-25 15:20 . 2008-11-27 22:30 d--h----- C:\$AVG8.VAULT$
2008-11-25 15:15 . 2008-11-27 21:58 d-------- c:\windows\system32\drivers\Avg
2008-11-25 15:15 . 2008-11-25 18:45 d-------- c:\documents and settings\Owner\Application Data\AVGTOOLBAR
2008-11-25 15:15 . 2008-11-25 15:15 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-25 15:15 . 2008-11-25 15:15 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-11-25 15:15 . 2008-11-25 15:15 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-25 15:14 . 2008-11-25 15:14 d-------- c:\program files\AVG
2008-11-25 15:14 . 2008-11-25 15:14 d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-25 15:12 . 2008-11-25 15:16 8,192 --a------ c:\documents and settings\JANDER~1
2008-11-25 15:12 . 2008-11-25 15:16 8,192 --a------ c:\documents and settings\ADMINI~1.EGS
2008-11-25 15:12 . 2008-11-25 15:16 8,192 --a------ c:\documents and settings\admin1
2008-11-25 15:04 . 2008-11-25 15:04 2,665 --a------ c:\windows\system32\codjuebw.dll
2008-11-25 14:41 . 2008-11-25 14:41 d-------- c:\program files\Common Files\Active Directory Management Pack Objects
2008-11-24 11:38 . 2008-11-24 11:38 147,456 --a------ c:\windows\system32\vbzip10.dll
2008-11-24 11:34 . 2008-11-26 00:09 d-------- c:\windows\system32\dPI02
2008-11-24 11:34 . 2008-11-24 11:34 d-------- c:\temp\FT62
2008-11-11 22:21 . 2008-10-24 05:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 22:20 . 2008-09-04 11:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 05:26 --------- d-----w c:\program files\Google
2008-11-26 04:52 --------- d-----w c:\program files\PrimoDVD (English)
2008-11-25 23:01 --------- d-----w c:\program files\Total Video Converter
2008-11-13 04:01 --------- d-----w c:\program files\Java
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 22:22 --------- d-----w c:\program files\V CAST Music with Rhapsody
2008-10-23 22:00 --------- d-----w c:\documents and settings\WellDoneWaterWorks\Application Data\ATI
2008-10-23 22:00 --------- d-----w c:\documents and settings\Owner\Application Data\ATI
2008-10-23 22:00 --------- d-----w c:\documents and settings\Administrator\Application Data\ATI
2008-10-23 21:56 --------- d-----w c:\program files\Common Files\Adobe
2008-10-23 21:48 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-23 02:19 --------- d-----w c:\program files\Real
2008-10-16 01:45 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-16 01:45 --------- d-----w c:\program files\LG Electronics
2008-10-16 01:14 --------- d-----w c:\program files\Common Files\Real
2008-05-27 01:38 47,360 ----a-w c:\documents and settings\Administrator\Application Data\pcouffin.sys
2006-06-30 15:10 22 --sha-w c:\windows\SMINST\HPCD.sys
2008-06-04 13:31 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008060420080605\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"PTHOSTTR"="c:\program files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2005-10-04 86016]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-08-31 122940]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-10 761945]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"CognizanceTS"="c:\progra~1\HPQ\IAM\Bin\AsTsVcc.dll" [2003-12-22 17920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-01-15 131072]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-01-23 802816]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-01-19 905216]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2005-11-08 184320]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-10-27 241726]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2006-10-30 131072]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-06-29 282624]
"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2004-11-17 1691648]
"PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2004-03-11 406016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"MsmqIntCert"="mqrt.dll" [2008-04-13 c:\windows\system32\mqrt.dll]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-01-18 581693]
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2006-06-23 184320]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2005-07-25 12:41 40960 c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
2005-08-19 07:52 389120 c:\windows\system32\IfxWlxEN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= vdrcodec.dll
"VIDC.MJPG"= Pvmjpg30.dll
"VIDC.PIM1"= pclepim1.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli AsWlnPkg

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BearShare\\BearShare.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-25 97928]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2005-10-25 35488]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [2004-08-04 14336]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-25 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-25 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-11-25 76040]
R2 MSExchangeMGMT;Microsoft Exchange Management;"c:\program files\Exchsrvr\bin\exmgmt.exe" [2006-04-17 3117568]
R2 NTPDA;NTPDA;c:\windows\system32\drivers\NTPDA.sys [2007-04-23 3446]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\DRIVERS\gtipci21.sys [2006-03-01 87936]
R3 IFXTPM;IFXTPM;c:\windows\system32\DRIVERS\IFXTPM.SYS [2005-06-10 35968]
R3 NWADI;NWADI Bus Enumerator;c:\windows\system32\DRIVERS\NWADIenum.sys [2005-04-15 11904]
R3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\DRIVERS\rcvpn.sys [2006-06-23 23180]
S2 GFI_ReportCenter35;GFI ReportCenter 3.5;"c:\program files\Common Files\GFI\ReportCenter\Framework v3.5\gfireporterservice.exe" -service [2006-07-26 98304]
S3 avpnnic;AGN Virtual Network Adapter;c:\windows\system32\DRIVERS\avpnnic.sys [2007-07-20 11392]
S3 memcard;PCMCIA Memory Card Driver;c:\windows\system32\DRIVERS\memcard.sys [2006-12-06 8320]
S3 RimSerPort;RIM Virtual Serial Port;c:\windows\system32\DRIVERS\RimSerial.sys [2006-06-30 26368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASChannel
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c516544-bbea-11dd-93eb-006073e7389e}]
\Shell\AutoRun\command - F:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-17 c:\windows\Tasks\Account Status.job
- c:\program files\ARKAD\ARKADSchedule.exe []

2008-11-28 c:\windows\Tasks\B16E835491952BD0.job
- c:\docume~1\owner\applic~1\draweq~1\Grid Audio Funk.exe []

2008-11-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{ADA12CEB-64E9-494A-B404-D0ECF3065519} - c:\windows\system32\urqNGYQK.dll
BHO-{F0BD6ABA-9FBC-4B7F-96CF-68375F3FF213} - c:\windows\system32\opnlLBQJ.dll
HKCU-Run-WMPNSCFG - c:\program files\Windows Media Player\WMPNSCFG.exe
HKLM-Run-4b43bd73 - c:\windows\system32\mxivaenk.dll
ShellExecuteHooks-{ADA12CEB-64E9-494A-B404-D0ECF3065519} - c:\windows\system32\urqNGYQK.dll
Notify-hgdbxvv - hgdbxvv.dll
Notify-urqNGYQK - urqNGYQK.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*https://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

c:\windows\Downloaded Program Files\EPSData.zip - c:\windows\Downloaded Program Files\EndPointScannerEngine.dll
c:\windows\Downloaded Program Files\EPS.dll
O16 -: {0470E62C-C97E-4317-81E5-0774D8CBF7B7}
hxxp://www.endpointscan.com/EndPointScan.cab
c:\windows\Downloaded Program Files\eps.inf

c:\windows\system32\MSVBVM60.DLL - c:\windows\system32\OLEAUT32.DLL
c:\windows\system32\OLEPRO32.DLL
c:\windows\system32\ASYCFILT.DLL
c:\windows\system32\STDOLE2.TLB
c:\windows\system32\COMCAT.DLL
c:\windows\Downloaded Program Files\mpsPwLc7.ocx
O16 -: {2FE68711-8830-417D-95E0-EAB307DB0447}
hxxp://prolog.tsargent.com/PW/mpsPwLc7.CAB
c:\windows\Downloaded Program Files\mpsPwLc6.inf

c:\windows\Downloaded Program Files\BOSIActiveXGrid70.ocx - O16 -: {576756A1-D97C-45D0-A945-0324019A131E}
c:\windows\Downloaded Program Files\BOSIActiveXGrid.inf

c:\windows\Downloaded Program Files\MSDDSC.dll - O16 -: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F}
hxxp://sp.emrsn.com/sharepoint_it/Portal/resources/msddsc.cab
c:\windows\Downloaded Program Files\msddsc.inf

c:\windows\Downloaded Program Files\BOSIActiveXMemoControl70.ocx - O16 -: {6AF2E1A7-A16E-4503-A440-07CA49122CCE}
c:\windows\Downloaded Program Files\BOSIActiveXMemoControl.inf

c:\windows\s9sil.exe - c:\windows\Downloaded Program Files\JWalkX.ocx
O16 -: {E7C44C86-0CD3-11D2-9311-00A0247A4E65}
hxxp://marketplace.doitbestcorp.com/JWALK/JWalkX/jwalkx.cab
c:\windows\Downloaded Program Files\JWalkX.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2008-11-28 00:24:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????8???????P??|?p???? ?t?C?????????????xmC? ???8??

scanning hidden files ...


c:\windows\system32\wbem\Performance\WmiApRpl_new.h 357 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1064)
c:\windows\system32\Ati2evxx.dll
c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll
c:\windows\system32\IfxWlxEN.dll

- - - - - - - > 'lsass.exe'(1120)
c:\program files\HPQ\IAM\bin\AsWlnPkg.dll
c:\windows\system32\EntApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Windows Defender\MsMpEng.exe
c:\windows\system32\IFXTCS.exe
c:\windows\system32\ati2evxx.exe
c:\program files\HPQ\IAM\Bin\asghost.exe
c:\windows\system32\scardsvr.exe
c:\windows\system32\msdtc.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\IFXSPMGT.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\VirusScan\Mcshield.exe
c:\program files\Network Associates\VirusScan\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Network Associates\Common Framework\naPrdMgr.exe
c:\program files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\mqsvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\mqtgsvc.exe
c:\program files\ProtectTools\Embedded Security Software\PSDrt.exe
c:\program files\ProtectTools\Embedded Security Software\SpTNA.exe
c:\program files\HPQ\HP ProtectTools Security Manager\PTServs.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\progra~1\HPQ\Shared\HPQTOA~1.EXE
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-11-28 0:28:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-28 06:28:49

Pre-Run: 40,749,879,296 bytes free
Post-Run: 44,110,393,344 bytes free

295 --- E O F --- 2008-11-27 17:47:22



The new Malwarebytes log will be next; I'm scanning it now.
Posted 11/28/2008 6:35 AM
#69054

keng53140 Advanced member

Date Joined Nov 2016
Total Posts: 77
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\VirusScan\Mcshield.exe
c:\program files\Network Associates\VirusScan\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Network Associates\Common Framework\naPrdMgr.exe
c:\program files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\mqsvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\mqtgsvc.exe
c:\program files\ProtectTools\Embedded Security Software\PSDrt.exe
c:\program files\ProtectTools\Embedded Security Software\SpTNA.exe
c:\program files\HPQ\HP ProtectTools Security Manager\PTServs.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\progra~1\HPQ\Shared\HPQTOA~1.EXE
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-11-28 0:28:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-28 06:28:49

Pre-Run: 40,749,879,296 bytes free
Post-Run: 44,110,393,344 bytes free

295 --- E O F --- 2008-11-27 17:47:22



The new Malwarebytes log will be next; I'm scanning it now.
Posted 11/28/2008 6:41 AM
#69055
User avatar

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Ok :smile:


Looks like you have a Lop/Cid infection as well -



Download LopSD by Eric_71 and save it to your desktop.
Lop S&D will only run on Windows XP and Windows Vista

Disable your antivirus and antimalware programs so they do not interfere with the running of Lop S&D.
Double-click LopSD.exe



  • Choose the language by typing the corresponding letter and pressing Enter
  • Click OK at the informative window
  • Type 2 to choose Option 2 (Fix + Hosts), then press Enter
  • Wait until the end of the scan
  • A report will be generated, post the contents of it in your next reply, along with a new combofix log.






It can be found here: C:\lopR.txt

Do not PM me with logfiles. They will be deleted.


Posted 11/28/2008 8:04 AM
#69063
User avatar

keng53140 Advanced member

Date Joined Nov 2016
Total Posts: 77
Malwarebytes' Anti-Malware 1.30
Database version: 1430
Windows 5.1.2600 Service Pack 3

11/28/2008 2:04:21 AM
mbam-log-2008-11-28 (02-04-17).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 189261
Time elapsed: 1 hour(s), 29 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 25
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\cpbrkpie.coupon6ctrl.1 (Adware.Coupons) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{6e780f0b-bcd6-40cb-b2db-7af47ab4d4a4} (Adware.Coupons) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{a138be8b-f051-4802-9a3f-a750a6d862d4} (Adware.Coupons) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{a85a5e6a-de2c-4f4e-99dc-f469df5a0eec} (Adware.Coupons) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.Antivirus2008) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\Fonts\Setup.exe.vir (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP734\A0180644.exe (Adware.Webhancer) -> No action taken.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP740\A0183035.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\gebca.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\gebcd.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\pmkji.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\mljjh.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\awtqp.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\vtstt.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\mlljh.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\ddccb.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\pmnnn.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\awvtr.dll (Trojan.Vundo) -> No action taken.
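Two things stand out in the log above before anyone reads the detections themselves: every entry ends in "-> No action taken", which in MBAM 1.x means the log was saved before "Remove Selected" was clicked, so the 25 keys and 13 files are still in place; and the paths under C:\Qoobox\Quarantine and System Volume Information\_restore are ComboFix quarantine and System Restore copies rather than live files. The script below is an added example for this thread, not the poster's code and not part of Malwarebytes. It parses a log in this format into its "<Section> Infected:" blocks, counts detections per family and per action, flags the registry locations that matter for persistence or privilege (the IE Low Rights ElevationPolicy and RunDll32Policy lists, SearchScopes, Ext\Stats and Run keys all appear in the posted log), and separates live untreated files from quarantine and restore-point copies. The embedded sample is constructed from a few lines in the same format; the hotspot list and the "five-letter DLL in system32" heuristic (the naming the log labels Trojan.Vundo) are my assumptions, not a Malwarebytes convention.

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.x text logs.

Added example for this forum thread, not Malwarebytes' own code. It parses
the "<Section> Infected:" blocks, groups detections by family and action,
flags registry locations relevant to persistence, and separates live files
from ComboFix quarantine / System Restore copies.
"""
import re
from collections import Counter, defaultdict

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+) Infected:$")
# Five-letter DLL dropped straight into system32: the naming the posted log
# labels Trojan.Vundo. Assumption: a triage heuristic, not an MBAM rule.
VUNDO_DLL_RE = re.compile(r"\\system32\\[a-z]{5}\.dll$", re.IGNORECASE)
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine"            # ComboFix quarantine
RESTORE_MARKER = "\\system volume information\\_restore"  # System Restore point
# Registry locations worth a manual look (assumed list, taken from the log).
HOTSPOTS = {
    "Low Rights\\ElevationPolicy": "IE protected-mode elevation allow-list",
    "Low Rights\\RunDll32Policy": "IE rundll32 policy exemption",
    "\\CurrentVersion\\Run": "autostart Run key",
    "SearchScopes": "IE search provider hijack",
    "\\Ext\\Stats\\": "IE add-on record",
}

# Constructed sample in the posted log's format (a subset of its lines, plus
# one entry that MBAM would write after a successful removal).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.30
Database version: 1430

Memory Processes Infected: 0
Registry Keys Infected: 4
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{a85a5e6a-de2c-4f4e-99dc-f469df5a0eec} (Adware.Coupons) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.Antivirus2008) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\Fonts\Setup.exe.vir (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP740\A0183035.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\gebca.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\awtqp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
"""


def parse_entry(line):
    """Parse '<object> (<Family>) -> [Bad/Good ->] <action>.'; None if not an entry."""
    parts = line.split(" -> ")
    if len(parts) < 2 or " (" not in parts[0]:
        return None
    obj, family = parts[0].rsplit(" (", 1)
    return {"obj": obj, "family": family.rstrip(")"), "action": parts[-1].rstrip(".")}


def parse_mbam_log(text):
    """Return {section name: [entry, ...]} for every '<Section> Infected:' block."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            continue
        entry = parse_entry(line) if current and line else None
        if entry:
            sections[current].append(entry)
    return dict(sections)


def summarize(sections):
    """Counts per family/action, persistence hotspots, live vs. inactive files."""
    families, actions = Counter(), Counter()
    hotspots, vundo_dlls, inactive, live_files = [], [], [], []
    for section, entries in sections.items():
        for e in entries:
            families[e["family"]] += 1
            actions[e["action"]] += 1
            low = e["obj"].lower()
            for needle, why in HOTSPOTS.items():
                if needle.lower() in low:
                    hotspots.append((why, e["obj"]))
            if section == "Files":
                if VUNDO_DLL_RE.search(e["obj"]):
                    vundo_dlls.append(e["obj"].rsplit("\\", 1)[-1])
                if low.startswith(QUARANTINE_PREFIX) or RESTORE_MARKER in low:
                    inactive.append(e["obj"])      # already-neutralised copy
                elif e["action"] == "No action taken":
                    live_files.append(e["obj"])    # still on disk, untreated
    return {
        "total": sum(families.values()),
        "families": dict(families),
        "actions": dict(actions),
        "hotspots": hotspots,
        "vundo_dlls": vundo_dlls,
        "inactive_copies": inactive,
        "live_untreated_files": live_files,
    }


def nothing_removed(summary):
    """True when the log records detections but no removal at all."""
    return bool(summary["actions"]) and set(summary["actions"]) == {"No action taken"}


if __name__ == "__main__":
    result = summarize(parse_mbam_log(SAMPLE_LOG))
    for key, value in result.items():
        print(f"{key}: {value}")
    print("nothing removed:", nothing_removed(result))
```

Run it against the full posted log (paste it in place of SAMPLE_LOG) and nothing_removed() comes back True, which is the first thing to tell the poster: the scan needs to be re-run and "Remove Selected" clicked, then a fresh log posted. The live_untreated_files list is the part that still needs action; the inactive_copies can be cleared later by flushing System Restore and the ComboFix quarantine once the machine is clean.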
Posted 11/28/2008 8:10 AM
#69064
User avatar

keng53140 Advanced member

Date Joined Nov 2016
Total Posts: 77
--------------------\\ Lop S&D 4.2.4-9c XP/Vista

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 3
X86-based PC ( Multiprocessor Free : Intel(R) Core(TM)2 CPU T7200 @ 2.00GHz )
BIOS : KBC Version 54.3C
USER : Owner ( Administrator )
BOOT : Normal boot
Antivirus : AVG Anti-Virus Free 8.0 (Activated)
C:\ (Local Disk) - NTFS - Total:84 Go (Free:41 Go)
D:\ (CD or DVD) - CDUDF - Total:4 Go (Free:4 Go)
E:\ (Local Disk) - FAT32 - Total:8 Go (Free:2 Go)
F:\ (USB) - FAT - Total:954 Mo (Free:0 Go)

"C:\Lop SD" ( MAJ : 01-11-2008|16:30 )
Option : [2] ( Fri 11/28/2008| 2:06 )


\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ FIX

Deleted! - C:\WINDOWS\Tasks\B16E835491952BD0.job
Deleted! - C:\DOCUME~1\Owner\Cookies\owner@adultfriendfinder[2].txt
Deleted! - C:\DOCUME~1\Owner\Cookies\owner@advertising[2].txt
Deleted! - C:\DOCUME~1\Owner\Cookies\owner@game-advertising-online[1].txt
Deleted! - C:\DOCUME~1\Owner\Cookies\owner@adopt.euroclick[1].txt
Deleted! - C:\DOCUME~1\Owner\APPLIC~1\draweq~1

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

Deleted! - C:\Program Files\Viewpoint

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\


--------------------\\ Listing folders in APPLIC~1

[10/23/2008|04:00] C:\DOCUME~1\ADMINI~1\APPLIC~1\ ATI
[05/26/2008|07:45] C:\DOCUME~1\ADMINI~1\APPLIC~1\ Google
[03/01/2006|08:53] C:\DOCUME~1\ADMINI~1\APPLIC~1\ Identities
[03/01/2006|08:53] C:\DOCUME~1\ADMINI~1\APPLIC~1\ Infineon
[06/23/2006|09:46] C:\DOCUME~1\ADMINI~1\APPLIC~1\ Macromedia
[11/25/2008|03:13] C:\DOCUME~1\ADMINI~1\APPLIC~1\ Microsoft
[10/13/2006|03:02] C:\DOCUME~1\ADMINI~1\APPLIC~1\ Research In Motion
[03/01/2006|08:53] C:\DOCUME~1\ADMINI~1\APPLIC~1\ SampleView
[05/26/2008|07:38] C:\DOCUME~1\ADMINI~1\APPLIC~1\ Vso

[06/13/2007|09:48] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Adobe
[06/27/2007|05:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Adobe Systems
[12/11/2007|02:41] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ ADVSoft
[10/31/2007|03:24] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ AGNS
[06/29/2006|01:01] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Apple Computer
[11/25/2008|03:14] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ avg8
[11/01/2006|09:13] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ DVD Shrink
[06/05/2008|06:52] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ FaxCtr
[11/25/2008|11:26] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Google
[04/25/2007|08:11] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Hewlett-Packard
[03/01/2006|08:54] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ hpqLog
[03/01/2006|08:54] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Infineon
[03/01/2006|08:54] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ InstallShield
[06/23/2006|09:27] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Macromedia
[11/27/2008|09:22] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Malwarebytes
[11/08/2007|02:13] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Maxtor
[08/26/2008|10:57] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Microsoft
[05/26/2008|07:40] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Network Associates
[01/02/2008|09:54] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Office Genuine Advantage
[08/26/2008|11:51] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ PC Drivers HeadQuarters
[12/13/2006|01:35] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Pinnacle
[12/13/2006|08:49] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Pinnacle Studio
[06/26/2006|08:57] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ QuickTime
[02/26/2008|01:34] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Radar Website Monitor
[08/14/2006|03:02] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Roxio
[03/01/2006|08:54] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ SBSI
[12/13/2006|08:53] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ SmartSound Software Inc
[05/26/2008|08:03] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Symantec
[05/14/2007|09:37] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ TEMP
[02/28/2007|11:33] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Ulead Systems
[06/22/2006|07:19] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Windows Genuine Advantage
[08/04/2008|08:33] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Yahoo!
[08/04/2008|08:38] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ Yahoo! Companion

[10/23/2008|04:00] C:\DOCUME~1\DEFAUL~1\APPLIC~1\ ATI
[03/01/2006|08:53] C:\DOCUME~1\DEFAUL~1\APPLIC~1\ Identities
[03/01/2006|08:53] C:\DOCUME~1\DEFAUL~1\APPLIC~1\ Infineon
[03/01/2006|08:53] C:\DOCUME~1\DEFAUL~1\APPLIC~1\ Microsoft
[03/01/2006|08:53] C:\DOCUME~1\DEFAUL~1\APPLIC~1\ SampleView

[11/25/2008|03:13] C:\DOCUME~1\LOCALS~1\APPLIC~1\ Microsoft

[11/25/2008|03:13] C:\DOCUME~1\NETWOR~1\APPLIC~1\ Microsoft

[09/10/2008|09:16] C:\DOCUME~1\Owner\APPLIC~1\ Adobe
[07/21/2008|07:59] C:\DOCUME~1\Owner\APPLIC~1\ Apple Computer
[10/23/2008|04:00] C:\DOCUME~1\Owner\APPLIC~1\ ATI
[11/25/2008|06:45] C:\DOCUME~1\Owner\APPLIC~1\ AVGTOOLBAR
[06/04/2008|08:58] C:\DOCUME~1\Owner\APPLIC~1\ DivX
[06/05/2008|08:11] C:\DOCUME~1\Owner\APPLIC~1\ FaxCtr
[10/18/2008|05:58] C:\DOCUME~1\Owner\APPLIC~1\ Google
[03/01/2006|08:53] C:\DOCUME~1\Owner\APPLIC~1\ Identities
[03/01/2006|08:53] C:\DOCUME~1\Owner\APPLIC~1\ Infineon
[06/01/2008|10:26] C:\DOCUME~1\Owner\APPLIC~1\ InterVideo
[07/21/2008|10:39] C:\DOCUME~1\Owner\APPLIC~1\ Leadertech
[05/31/2008|08:08] C:\DOCUME~1\Owner\APPLIC~1\ Macromedia
[11/27/2008|09:22] C:\DOCUME~1\Owner\APPLIC~1\ Malwarebytes
[11/25/2008|03:13] C:\DOCUME~1\Owner\APPLIC~1\ Microsoft
[07/28/2008|03:14] C:\DOCUME~1\Owner\APPLIC~1\ MySpace
[10/15/2008|07:13] C:\DOCUME~1\Owner\APPLIC~1\ Real
[07/22/2008|11:44] C:\DOCUME~1\Owner\APPLIC~1\ Roxio
[03/01/2006|08:53] C:\DOCUME~1\Owner\APPLIC~1\ SampleView
[07/21/2008|10:40] C:\DOCUME~1\Owner\APPLIC~1\ Sonic
[06/02/2008|10:14] C:\DOCUME~1\Owner\APPLIC~1\ Sun
[11/26/2008|01:06] C:\DOCUME~1\Owner\APPLIC~1\ U3
[08/04/2008|08:45] C:\DOCUME~1\Owner\APPLIC~1\ Yahoo!

[06/04/2008|02:57] C:\DOCUME~1\WELLDO~1\APPLIC~1\ Adobe
[10/23/2008|04:00] C:\DOCUME~1\WELLDO~1\APPLIC~1\ ATI
[07/19/2008|05:45] C:\DOCUME~1\WELLDO~1\APPLIC~1\ FaxCtr
[03/01/2006|08:53] C:\DOCUME~1\WELLDO~1\APPLIC~1\ Identities
[03/01/2006|08:53] C:\DOCUME~1\WELLDO~1\APPLIC~1\ Infineon
[07/19/2008|07:32] C:\DOCUME~1\WELLDO~1\APPLIC~1\ InterVideo
[06/04/2008|02:57] C:\DOCUME~1\WELLDO~1\APPLIC~1\ Macromedia
[11/25/2008|03:13] C:\DOCUME~1\WELLDO~1\APPLIC~1\ Microsoft
[03/01/2006|08:53] C:\DOCUME~1\WELLDO~1\APPLIC~1\ SampleView

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[11/17/2008 08:15 AM][--a------] C:\WINDOWS\tasks\Account Status.job
[11/28/2008 01:45 AM][--ah-----] C:\WINDOWS\tasks\MP Scheduled Scan.job
[11/28/2008 12:21 AM][--ah-----] C:\WINDOWS\tasks\SA.DAT
[08/04/2004 02:00 AM][-rah-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[05/26/2008|07:31] C:\Program Files\ Admin Report Kit
[10/23/2008|03:56] C:\Program Files\ Adobe
[12/13/2006|09:45] C:\Program Files\ AdorageI-GfxDatas
[12/13/2006|09:44] C:\Program Files\ AdorageI-SAL
[08/14/2006|02:10] C:\Program Files\ Ahead
[03/01/2006|08:55] C:\Program Files\ Analog Devices
[06/26/2006|08:46] C:\Program Files\ Apache Group
[06/26/2006|09:10] C:\Program Files\ Apoint
[11/19/2007|10:11] C:\Program Files\ Audible
[06/23/2006|02:52] C:\Program Files\ AuthenTec
[11/25/2008|03:14] C:\Program Files\ AVG
[07/21/2008|04:26] C:\Program Files\ BearShare
[07/24/2008|09:27] C:\Program Files\ Broadcom
[11/28/2008|12:15] C:\Program Files\ Common Files
[03/01/2006|08:57] C:\Program Files\ ComPlus Applications
[03/01/2006|08:57] C:\Program Files\ CONEXANT
[09/06/2007|04:16] C:\Program Files\ Corel
[02/26/2008|01:38] C:\Program Files\ Creative
[01/01/2008|01:38] C:\Program Files\ DivX
[08/09/2006|08:44] C:\Program Files\ Exchsrvr
[03/01/2006|08:57] C:\Program Files\ Fingerprint Sensor
[11/25/2008|11:26] C:\Program Files\ Google
[03/01/2006|08:57] C:\Program Files\ Hewlett-Packard
[06/06/2007|10:19] C:\Program Files\ Hp
[06/23/2006|02:55] C:\Program Files\ HPQ
[10/15/2008|07:45] C:\Program Files\ InstallShield Installation Information
[10/16/2008|06:08] C:\Program Files\ Internet Explorer
[06/23/2006|02:54] C:\Program Files\ InterVideo
[05/11/2007|08:40] C:\Program Files\ Jasc Software Inc
[11/12/2008|10:01] C:\Program Files\ Java
[06/26/2006|08:47] C:\Program Files\ JavaSoft
[06/05/2008|07:18] C:\Program Files\ Lexmark Toolbar
[10/15/2008|07:45] C:\Program Files\ LG Electronics
[08/26/2008|10:14] C:\Program Files\ lx_cats
[11/27/2008|09:22] C:\Program Files\ Malwarebytes' Anti-Malware
[08/14/2008|06:12] C:\Program Files\ Messenger
[06/22/2006|07:45] C:\Program Files\ Microsoft ActiveSync
[05/14/2007|02:38] C:\Program Files\ Microsoft CAPICOM 2.1.0.2
[06/26/2006|08:47] C:\Program Files\ Microsoft Digital Image 10
[03/01/2006|08:58] C:\Program Files\ microsoft frontpage
[06/26/2006|08:47] C:\Program Files\ Microsoft Integration
[05/26/2008|07:24] C:\Program Files\ Microsoft MapPoint
[05/01/2007|01:24] C:\Program Files\ Microsoft Office
[05/26/2008|08:16] C:\Program Files\ Microsoft Office Communicator
[10/23/2008|03:48] C:\Program Files\ Microsoft Silverlight
[06/22/2006|07:45] C:\Program Files\ Microsoft Visual Studio
[06/22/2006|07:53] C:\Program Files\ Microsoft Works
[06/22/2006|07:44] C:\Program Files\ Microsoft.NET
[06/26/2006|08:47] C:\Program Files\ Modem Helper
[06/04/2008|07:21] C:\Program Files\ Movie Maker
[03/02/2007|02:13] C:\Program Files\ MSBuild
[05/01/2007|12:40] C:\Program Files\ MSECache
[10/27/2008|01:24] C:\Program Files\ MSN
[03/01/2006|08:58] C:\Program Files\ MSN Gaming Zone
[10/16/2006|07:04] C:\Program Files\ MSXML 4.0
[05/03/2007|09:58] C:\Program Files\ MSXML 6.0
[07/28/2008|03:14] C:\Program Files\ MySpace
[06/04/2008|07:15] C:\Program Files\ NetMeeting
[06/26/2006|09:12] C:\Program Files\ NetWaiting
[05/26/2008|07:39] C:\Program Files\ Network Associates
[04/23/2007|08:58] C:\Program Files\ NTPDA
[03/01/2006|08:58] C:\Program Files\ Online Services
[06/04/2008|07:15] C:\Program Files\ Outlook Express
[12/13/2006|09:03] C:\Program Files\ Pinnacle
[11/25/2008|10:52] C:\Program Files\ PrimoDVD (English)
[12/13/2006|09:52] C:\Program Files\ proDAD
[06/23/2006|02:50] C:\Program Files\ Program Shortcuts
[03/01/2006|08:58] C:\Program Files\ ProtectTools
[06/29/2006|01:02] C:\Program Files\ QuickTime
[10/22/2008|08:19] C:\Program Files\ Real
[03/02/2007|02:09] C:\Program Files\ Reference Assemblies
[06/30/2006|09:43] C:\Program Files\ Research In Motion
[05/27/2008|08:22] C:\Program Files\ Roland VersaWorks
[06/26/2006|08:53] C:\Program Files\ Roxio
[07/30/2007|01:14] C:\Program Files\ SEAGULL
[02/26/2008|01:34] C:\Program Files\ SiteSentry
[12/13/2006|08:53] C:\Program Files\ SmartSound Software
[06/26/2006|08:54] C:\Program Files\ Sonic
[10/24/2006|08:32] C:\Program Files\ SureThing
[03/01/2006|08:59] C:\Program Files\ Synaptics
[01/01/2008|03:10] C:\Program Files\ TESTOUT
[01/21/2007|11:07] C:\Program Files\ The Rosetta Stone
[11/25/2008|05:01] C:\Program Files\ Total Video Converter
[08/31/2006|07:30] C:\Program Files\ Uninstall Information
[10/23/2008|04:22] C:\Program Files\ V CAST Music with Rhapsody
[06/26/2006|08:54] C:\Program Files\ Web Site Downloader
[06/23/2006|02:56] C:\Program Files\ WIDCOMM
[06/26/2006|09:19] C:\Program Files\ WinAVI VideoConverter
[11/16/2006|09:19] C:\Program Files\ Windows Defender
[06/22/2006|07:26] C:\Program Files\ Windows Media Connect
[07/26/2008|03:31] C:\Program Files\ Windows Media Connect 2
[10/15/2008|07:16] C:\Program Files\ Windows Media Player
[06/04/2008|07:15] C:\Program Files\ Windows NT
[03/01/2006|08:59] C:\Program Files\ WindowsUpdate
[02/26/2008|01:42] C:\Program Files\ WinRAR
[02/28/2007|11:20] C:\Program Files\ WinZip
[03/01/2006|08:59] C:\Program Files\ xerox
[08/04/2008|08:32] C:\Program Files\ Yahoo!
[07/13/2007|02:23] C:\Program Files\ Zero G Registry

--------------------\\ Listing Folders in C:\Program Files\Common Files

[11/25/2008|02:41] C:\Program Files\Common Files\ Active Directory Management Pack Objects
[10/23/2008|03:56] C:\Program Files\Common Files\ Adobe
[06/27/2007|05:19] C:\Program Files\Common Files\ Adobe Systems Shared
[06/22/2006|08:19] C:\Program Files\Common Files\ Ahead
[06/22/2006|08:13] C:\Program Files\Common Files\ Cisco Systems
[08/31/2006|07:30] C:\Program Files\Common Files\ Crystal Decisions
[01/13/2008|07:26] C:\Program Files\Common Files\ DeLorme
[08/29/2007|02:17] C:\Program Files\Common Files\ Designer
[04/04/2007|01:31] C:\Program Files\Common Files\ GFI
[03/01/2006|08:57] C:\Program Files\Common Files\ InstallShield
[03/01/2006|08:57] C:\Program Files\Common Files\ Java
[06/22/2006|07:46] C:\Program Files\Common Files\ L&H
[06/06/2007|12:25] C:\Program Files\Common Files\ LightScribe
[05/26/2008|07:24] C:\Program Files\Common Files\ Microsoft Shared
[03/01/2006|08:57] C:\Program Files\Common Files\ MSSoap
[05/26/2008|07:40] C:\Program Files\Common Files\ Network Associates
[02/26/2008|01:35] C:\Program Files\Common Files\ Numara Software
[03/01/2006|08:57] C:\Program Files\Common Files\ ODBC
[10/24/2006|08:39] C:\Program Files\Common Files\ PrimoDVD
[10/15/2008|07:14] C:\Program Files\Common Files\ Real
[08/14/2006|03:06] C:\Program Files\Common Files\ Roxio Shared
[06/26/2006|09:11] C:\Program Files\Common Files\ Services
[03/01/2006|08:57] C:\Program Files\Common Files\ Sonic Shared
[03/01/2006|08:57] C:\Program Files\Common Files\ SpeechEngines
[03/01/2006|08:57] C:\Program Files\Common Files\ SureThing Shared
[02/26/2008|01:31] C:\Program Files\Common Files\ Symantec Shared
[06/04/2008|07:15] C:\Program Files\Common Files\ System
[03/01/2006|08:57] C:\Program Files\Common Files\ TiVo Shared
[04/04/2007|01:31] C:\Program Files\Common Files\ Wise Installation Wizard

--------------------\\ Process

( 75 Processes )

... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

No Lop folder found !

--------------------\\ Searching within the Registry

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2008-11-28 02:08:27
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 0

--------------------\\ Searching for other infections


No other infections found !

[F:4][D:0]-> C:\DOCUME~1\Owner\LOCALS~1\Temp
[F:697][D:0]-> C:\DOCUME~1\Owner\Cookies
[F:63][D:12]-> C:\DOCUME~1\Owner\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - Fri 11/28/2008| 2:09 - Option : [2]

--------------------\\ Scan completed at 2:09:24




ComboFix is next; running it now.
Posted 11/28/2008 8:22 AM
#69066
User avatar

keng53140 Advanced member

Date Joined Nov 2016
Total Posts: 77
ComboFix 08-11-27.03 - Owner 2008-11-28 2:12:20.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1231 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
* Resident AV is active


WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-28 )))))))))))))))))))))))))))))))
.

2008-11-28 02:06 . 2008-11-28 02:09 d-------- C:\Lop SD
2008-11-27 21:22 . 2008-11-27 21:22 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-27 21:22 . 2008-11-27 21:22 d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2008-11-27 21:22 . 2008-11-27 21:22 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-27 21:22 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-27 21:22 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-26 12:45 . 2008-11-26 13:06 d-------- c:\documents and settings\Owner\Application Data\U3
2008-11-25 15:20 . 2008-11-27 22:30 d--h----- C:\$AVG8.VAULT$
2008-11-25 15:15 . 2008-11-27 21:58 d-------- c:\windows\system32\drivers\Avg
2008-11-25 15:15 . 2008-11-25 18:45 d-------- c:\documents and settings\Owner\Application Data\AVGTOOLBAR
2008-11-25 15:15 . 2008-11-25 15:15 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-25 15:15 . 2008-11-25 15:15 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-11-25 15:15 . 2008-11-25 15:15 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-25 15:14 . 2008-11-25 15:14 d-------- c:\program files\AVG
2008-11-25 15:14 . 2008-11-25 15:14 d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-25 15:12 . 2008-11-25 15:16 8,192 --a------ c:\documents and settings\JANDER~1
2008-11-25 15:12 . 2008-11-25 15:16 8,192 --a------ c:\documents and settings\ADMINI~1.EGS
2008-11-25 15:12 . 2008-11-25 15:16 8,192 --a------ c:\documents and settings\admin1
2008-11-25 15:04 . 2008-11-25 15:04 2,665 --a------ c:\windows\system32\codjuebw.dll
2008-11-25 14:41 . 2008-11-25 14:41 d-------- c:\program files\Common Files\Active Directory Management Pack Objects
2008-11-24 11:38 . 2008-11-24 11:38 147,456 --a------ c:\windows\system32\vbzip10.dll
2008-11-24 11:34 . 2008-11-26 00:09 d-------- c:\windows\system32\dPI02
2008-11-24 11:34 . 2008-11-24 11:34 d-------- c:\temp\FT62
2008-11-11 22:21 . 2008-10-24 05:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 22:20 . 2008-09-04 11:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 05:26 --------- d-----w c:\program files\Google
2008-11-26 04:52 --------- d-----w c:\program files\PrimoDVD (English)
2008-11-25 23:01 --------- d-----w c:\program files\Total Video Converter
2008-11-13 04:01 --------- d-----w c:\program files\Java
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 22:22 --------- d-----w c:\program files\V CAST Music with Rhapsody
2008-10-23 22:00 --------- d-----w c:\documents and settings\WellDoneWaterWorks\Application Data\ATI
2008-10-23 22:00 --------- d-----w c:\documents and settings\Owner\Application Data\ATI
2008-10-23 22:00 --------- d-----w c:\documents and settings\Administrator\Application Data\ATI
2008-10-23 21:56 --------- d-----w c:\program files\Common Files\Adobe
2008-10-23 21:48 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-23 02:19 --------- d-----w c:\program files\Real
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 01:45 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-16 01:45 --------- d-----w c:\program files\LG Electronics
2008-10-16 01:14 --------- d-----w c:\program files\Common Files\Real
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-15 12:12 1,846,400 ------w c:\windows\system32\dllcache\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\dllcache\msxml6.dll
2008-09-08 10:41 333,824 ------w c:\windows\system32\dllcache\srv.sys
2008-09-06 05:30 241,704 ------w c:\windows\system32\dllcache\wgaLogon.dll
2008-09-06 05:29 917,032 ------w c:\windows\system32\dllcache\WgaTray.exe
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-28 07:46 74,752 ----a-w c:\windows\system32\msw3prt.dll
2008-08-28 07:46 74,752 ------w c:\windows\system32\dllcache\msw3prt.dll
2008-08-28 07:46 104,960 ----a-w c:\windows\system32\win32spl.dll
2008-08-28 07:46 104,960 ------w c:\windows\system32\dllcache\win32spl.dll
2008-05-27 01:38 47,360 ----a-w c:\documents and settings\Administrator\Application Data\pcouffin.sys
2006-06-30 15:10 22 --sha-w c:\windows\SMINST\HPCD.sys
2008-06-04 13:31 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008060420080605\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-11-28_ 0.28.16.96 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-28 06:22:51 234,045 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2008-11-28 08:18:36 234,043 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"PTHOSTTR"="c:\program files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2005-10-04 86016]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-08-31 122940]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-10 761945]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"CognizanceTS"="c:\progra~1\HPQ\IAM\Bin\AsTsVcc.dll" [2003-12-22 17920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-01-15 131072]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-01-23 802816]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-01-19 905216]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2005-11-08 184320]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-10-27 241726]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2006-10-30 131072]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-06-29 282624]
"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2004-11-17 1691648]
"PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2004-03-11 406016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"MsmqIntCert"="mqrt.dll" [2008-04-13 c:\windows\system32\mqrt.dll]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-01-18 581693]
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2006-06-23 184320]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2005-07-25 12:41 40960 c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
2005-08-19 07:52 389120 c:\windows\system32\IfxWlxEN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= vdrcodec.dll
"VIDC.MJPG"= Pvmjpg30.dll
"VIDC.PIM1"= pclepim1.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli AsWlnPkg

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BearShare\\BearShare.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-25 97928]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2005-10-25 35488]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [2004-08-04 14336]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-25 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-25 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-11-25 76040]
R2 MSExchangeMGMT;Microsoft Exchange Management;"c:\program files\Exchsrvr\bin\exmgmt.exe" [2006-04-17 3117568]
R2 NTPDA;NTPDA;c:\windows\system32\drivers\NTPDA.sys [2007-04-23 3446]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\DRIVERS\gtipci21.sys [2006-03-01 87936]
R3 IFXTPM;IFXTPM;c:\windows\system32\DRIVERS\IFXTPM.SYS [2005-06-10 35968]
R3 NWADI;NWADI Bus Enumerator;c:\windows\system32\DRIVERS\NWADIenum.sys [2005-04-15 11904]
R3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\DRIVERS\rcvpn.sys [2006-06-23 23180]
S2 GFI_ReportCenter35;GFI ReportCenter 3.5;"c:\program files\Common Files\GFI\ReportCenter\Framework v3.5\gfireporterservice.exe" -service [2006-07-26 98304]
S3 avpnnic;AGN Virtual Network Adapter;c:\windows\system32\DRIVERS\avpnnic.sys [2007-07-20 11392]
S3 memcard;PCMCIA Memory Card Driver;c:\windows\system32\DRIVERS\memcard.sys [2006-12-06 8320]
S3 RimSerPort;RIM Virtual Serial Port;c:\windows\system32\DRIVERS\RimSerial.sys [2006-06-30 26368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASChannel
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c516544-bbea-11dd-93eb-006073e7389e}]
\Shell\AutoRun\command - F:\LaunchU3.exe

*Newly Created Service* - ENTDRV51
.
Contents of the 'Scheduled Tasks' folder

2008-11-17 c:\windows\Tasks\Account Status.job
- c:\program files\ARKAD\ARKADSchedule.exe []

2008-11-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*https://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

c:\windows\Downloaded Program Files\EPSData.zip - c:\windows\Downloaded Program Files\EndPointScannerEngine.dll
c:\windows\Downloaded Program Files\EPS.dll
O16 -: {0470E62C-C97E-4317-81E5-0774D8CBF7B7}
hxxp://www.endpointscan.com/EndPointScan.cab
c:\windows\Downloaded Program Files\eps.inf

c:\windows\system32\MSVBVM60.DLL - c:\windows\system32\OLEAUT32.DLL
c:\windows\system32\OLEPRO32.DLL
c:\windows\system32\ASYCFILT.DLL
c:\windows\system32\STDOLE2.TLB
c:\windows\system32\COMCAT.DLL
c:\windows\Downloaded Program Files\mpsPwLc7.ocx
O16 -: {2FE68711-8830-417D-95E0-EAB307DB0447}
hxxp://prolog.tsargent.com/PW/mpsPwLc7.CAB
c:\windows\Downloaded Program Files\mpsPwLc6.inf

c:\windows\Downloaded Program Files\BOSIActiveXGrid70.ocx - O16 -: {576756A1-D97C-45D0-A945-0324019A131E}
c:\windows\Downloaded Program Files\BOSIActiveXGrid.inf

c:\windows\Downloaded Program Files\MSDDSC.dll - O16 -: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F}
hxxp://sp.emrsn.com/sharepoint_it/Portal/resources/msddsc.cab
c:\windows\Downloaded Program Files\msddsc.inf

c:\windows\Downloaded Program Files\BOSIActiveXMemoControl70.ocx - O16 -: {6AF2E1A7-A16E-4503-A440-07CA49122CCE}
c:\windows\Downloaded Program Files\BOSIActiveXMemoControl.inf

c:\windows\s9sil.exe - c:\windows\Downloaded Program Files\JWalkX.ocx
O16 -: {E7C44C86-0CD3-11D2-9311-00A0247A4E65}
hxxp://marketplace.doitbestcorp.com/JWALK/JWalkX/jwalkx.cab
c:\windows\Downloaded Program Files\JWalkX.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2008-11-28 02:16:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????|??????P??|?????? ?t?C?????????????xmC? ????|?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1060)
c:\windows\system32\Ati2evxx.dll
c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll
c:\windows\system32\IfxWlxEN.dll

- - - - - - - > 'lsass.exe'(1116)
c:\program files\HPQ\IAM\bin\AsWlnPkg.dll
c:\windows\system32\EntApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Windows Defender\MsMpEng.exe
c:\windows\system32\IFXTCS.exe
c:\windows\system32\ati2evxx.exe
c:\program files\HPQ\IAM\Bin\asghost.exe
c:\windows\system32\scardsvr.exe
c:\windows\system32\msdtc.exe
c:\windows\system32\rundll32.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\IFXSPMGT.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\VirusScan\Mcshield.exe
c:\program files\Network Associates\Common Framework\naPrdMgr.exe
c:\program files\Network Associates\VirusScan\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
c:\windows\system32\mqsvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\mqtgsvc.exe
c:\program files\ProtectTools\Embedded Security Software\PSDrt.exe
c:\program files\ProtectTools\Embedded Security Software\SpTNA.exe
c:\program files\HPQ\HP ProtectTools Security Manager\PTServs.exe
c:\progra~1\HPQ\Shared\HPQTOA~1.EXE
.
**************************************************************************
.
Completion time: 2008-11-28 2:21:34 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-28 08:21:28
ComboFix2.txt 2008-11-28 06:28:58

Pre-Run: 44,123,344,896 bytes free
Post-Run: 44,105,560,064 bytes free

284 --- E O F --- 2008-11-27 17:47:22
Posted 11/28/2008 9:06 AM
#69067
Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
1. Close any open browsers.

2. Open Notepad and copy/paste the text in the quote box below into it:

Copy the entire contents of the Quote Box below to Notepad.
Name the file CFScript
and save it on the desktop


QUOTE:

Killall::

Snapshot::

File::
C:\WINDOWS\system32\gebca.dll
C:\WINDOWS\system32\gebcd.dll
C:\WINDOWS\system32\pmkji.dll
C:\WINDOWS\system32\mljjh.dll
C:\WINDOWS\system32\awtqp.dll
C:\WINDOWS\system32\vtstt.dll
C:\WINDOWS\system32\mlljh.dll
C:\WINDOWS\system32\ddccb.dll
C:\WINDOWS\system32\pmnnn.dll
C:\WINDOWS\system32\awvtr.dll
c:\windows\system32\codjuebw.dll
c:\windows\system32\IfxWlxEN.dll
c:\windows\Tasks\Account Status.job

FileLook::
c:\documents and settings\admin1

Folder::
C:\documents and settings\ADMINI~1.EGS

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]


https://i266.photobucket.com/albums/ii277/sUBs_/Combo-Do.gif



Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report, along with a HijackThis log.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Click here: Before-posting-a-log
Do not PM me with logfiles. They will be deleted.


Posted 11/28/2008 8:13 PM
#69092
keng53140 Advanced member

Date Joined Nov 2016
Total Posts: 77
ComboFix 08-11-27.03 - Owner 2008-11-28 14:03:40.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1514 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\awtqp.dll
c:\windows\system32\awvtr.dll
c:\windows\system32\codjuebw.dll
c:\windows\system32\ddccb.dll
c:\windows\system32\gebca.dll
c:\windows\system32\gebcd.dll
c:\windows\system32\IfxWlxEN.dll
c:\windows\system32\mljjh.dll
c:\windows\system32\mlljh.dll
c:\windows\system32\pmkji.dll
c:\windows\system32\pmnnn.dll
c:\windows\system32\vtstt.dll
c:\windows\Tasks\Account Status.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\ADMINI~1.EGS\
c:\windows\system32\awtqp.dll
c:\windows\system32\awvtr.dll
c:\windows\system32\codjuebw.dll
c:\windows\system32\ddccb.dll
c:\windows\system32\gebca.dll
c:\windows\system32\gebcd.dll
c:\windows\system32\IfxWlxEN.dll
c:\windows\system32\mljjh.dll
c:\windows\system32\mlljh.dll
c:\windows\system32\pmkji.dll
c:\windows\system32\pmnnn.dll
c:\windows\system32\vtstt.dll
c:\windows\Tasks\Account Status.job

.
((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-28 )))))))))))))))))))))))))))))))
.

2008-11-28 02:06 . 2008-11-28 02:09 d-------- C:\Lop SD
2008-11-27 21:22 . 2008-11-27 21:22 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-27 21:22 . 2008-11-27 21:22 d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2008-11-27 21:22 . 2008-11-27 21:22 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-27 21:22 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-27 21:22 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-26 12:45 . 2008-11-26 13:06 d-------- c:\documents and settings\Owner\Application Data\U3
2008-11-25 15:20 . 2008-11-28 07:40 d--h----- C:\$AVG8.VAULT$
2008-11-25 15:15 . 2008-11-28 08:25 d-------- c:\windows\system32\drivers\Avg
2008-11-25 15:15 . 2008-11-25 18:45 d-------- c:\documents and settings\Owner\Application Data\AVGTOOLBAR
2008-11-25 15:15 . 2008-11-25 15:15 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-25 15:15 . 2008-11-25 15:15 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-11-25 15:15 . 2008-11-25 15:15 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-25 15:14 . 2008-11-25 15:14 d-------- c:\program files\AVG
2008-11-25 15:14 . 2008-11-25 15:14 d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-25 15:12 . 2008-11-25 15:16 8,192 --a------ c:\documents and settings\JANDER~1
2008-11-25 15:12 . 2008-11-25 15:16 8,192 --a------ c:\documents and settings\ADMINI~1.EGS
2008-11-25 15:12 . 2008-11-25 15:16 8,192 --a------ c:\documents and settings\admin1
2008-11-25 14:41 . 2008-11-25 14:41 d-------- c:\program files\Common Files\Active Directory Management Pack Objects
2008-11-24 11:38 . 2008-11-24 11:38 147,456 --a------ c:\windows\system32\vbzip10.dll
2008-11-24 11:34 . 2008-11-26 00:09 d-------- c:\windows\system32\dPI02
2008-11-24 11:34 . 2008-11-24 11:34 d-------- c:\temp\FT62
2008-11-11 22:21 . 2008-10-24 05:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 22:20 . 2008-09-04 11:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 05:26 --------- d-----w c:\program files\Google
2008-11-26 04:52 --------- d-----w c:\program files\PrimoDVD (English)
2008-11-25 23:01 --------- d-----w c:\program files\Total Video Converter
2008-11-13 04:01 --------- d-----w c:\program files\Java
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 22:22 --------- d-----w c:\program files\V CAST Music with Rhapsody
2008-10-23 22:00 --------- d-----w c:\documents and settings\WellDoneWaterWorks\Application Data\ATI
2008-10-23 22:00 --------- d-----w c:\documents and settings\Owner\Application Data\ATI
2008-10-23 22:00 --------- d-----w c:\documents and settings\Administrator\Application Data\ATI
2008-10-23 21:56 --------- d-----w c:\program files\Common Files\Adobe
2008-10-23 21:48 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-23 02:19 --------- d-----w c:\program files\Real
2008-10-16 01:45 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-16 01:45 --------- d-----w c:\program files\LG Electronics
2008-10-16 01:14 --------- d-----w c:\program files\Common Files\Real
2008-05-27 01:38 47,360 ----a-w c:\documents and settings\Administrator\Application Data\pcouffin.sys
2006-06-30 15:10 22 --sha-w c:\windows\SMINST\HPCD.sys
2008-06-04 13:31 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008060420080605\index.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\admin1 -- Not a PE file.
MD5: f1aab67982df49484bc24bca4f44d596


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"PTHOSTTR"="c:\program files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2005-10-04 86016]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-08-31 122940]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-10 761945]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"CognizanceTS"="c:\progra~1\HPQ\IAM\Bin\AsTsVcc.dll" [2003-12-22 17920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-01-15 131072]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-01-23 802816]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-01-19 905216]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2005-11-08 184320]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-10-27 241726]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2006-10-30 131072]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-06-29 282624]
"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2004-11-17 1691648]
"PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2004-03-11 406016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"MsmqIntCert"="mqrt.dll" [2008-04-13 c:\windows\system32\mqrt.dll]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-01-18 581693]
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2006-06-23 184320]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2005-07-25 12:41 40960 c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= vdrcodec.dll
"VIDC.MJPG"= Pvmjpg30.dll
"VIDC.PIM1"= pclepim1.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli AsWlnPkg

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BearShare\\BearShare.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-25 97928]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2005-10-25 35488]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [2004-08-04 14336]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-25 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-25 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-11-25 76040]
R2 MSExchangeMGMT;Microsoft Exchange Management;"c:\program files\Exchsrvr\bin\exmgmt.exe" [2006-04-17 3117568]
R2 NTPDA;NTPDA;c:\windows\system32\drivers\NTPDA.sys [2007-04-23 3446]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\DRIVERS\gtipci21.sys [2006-03-01 87936]
R3 IFXTPM;IFXTPM;c:\windows\system32\DRIVERS\IFXTPM.SYS [2005-06-10 35968]
R3 NWADI;NWADI Bus Enumerator;c:\windows\system32\DRIVERS\NWADIenum.sys [2005-04-15 11904]
R3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\DRIVERS\rcvpn.sys [2006-06-23 23180]
S2 GFI_ReportCenter35;GFI ReportCenter 3.5;"c:\program files\Common Files\GFI\ReportCenter\Framework v3.5\gfireporterservice.exe" -service [2006-07-26 98304]
S3 avpnnic;AGN Virtual Network Adapter;c:\windows\system32\DRIVERS\avpnnic.sys [2007-07-20 11392]
S3 memcard;PCMCIA Memory Card Driver;c:\windows\system32\DRIVERS\memcard.sys [2006-12-06 8320]
S3 RimSerPort;RIM Virtual Serial Port;c:\windows\system32\DRIVERS\RimSerial.sys [2006-06-30 26368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASChannel
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c516544-bbea-11dd-93eb-006073e7389e}]
\Shell\AutoRun\command - F:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2008-11-28 14:07:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????|??????P??|?????? ?t?C?????????????xmC? ????|?

scanning hidden files ...


c:\windows\TEMP\TMP0000004638C58D1AAE80C3FA 524288 bytes executable
c:\windows\system32\chg.exe 114688 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1056)
c:\windows\system32\Ati2evxx.dll
c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll

- - - - - - - > 'lsass.exe'(1112)
c:\program files\HPQ\IAM\bin\AsWlnPkg.dll
c:\windows\system32\EntApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Windows Defender\MsMpEng.exe
c:\windows\system32\IFXTCS.exe
c:\windows\system32\ati2evxx.exe
c:\program files\HPQ\IAM\Bin\asghost.exe
c:\windows\system32\scardsvr.exe
c:\windows\system32\msdtc.exe
c:\windows\system32\rundll32.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\IFXSPMGT.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\VirusScan\Mcshield.exe
c:\program files\Network Associates\Common Framework\naPrdMgr.exe
c:\program files\Network Associates\VirusScan\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
c:\windows\system32\mqsvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\mqtgsvc.exe
c:\progra~1\HPQ\Shared\HPQTOA~1.EXE
.
**************************************************************************
.
Completion time: 2008-11-28 14:12:21 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-11-28 20:12:15
ComboFix2.txt 2008-11-28 08:21:37
ComboFix3.txt 2008-11-28 06:28:58

Pre-Run: 44,034,445,312 bytes free
Post-Run: 44,024,963,072 bytes free

243 --- E O F --- 2008-11-27 17:47:22



The HijackThis log is on its way.
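The two ComboFix runs in this thread (the one completed at 2:21 and the one run against CFScript.txt) differ in ways a reader has to find by eye: the IfxWlxEN Winlogon Notify key listed in the first run's Reg Loading Points is gone after the script, and catchme's hidden-file scan went from "hidden files: 0" to "hidden files: 2". The Python script below is an added example for this page, not part of ComboFix, HijackThis or any tool the posts mention. It parses the `[key]` blocks of a ComboFix Reg Loading Points section and the `N bytes executable` lines catchme prints, then diffs two logs and lists the autostart values ComboFix tagged `[X]` (target file not found). The two log excerpts embedded in it are constructed from lines visible in this thread and trimmed; the regular expressions assume the ComboFix 08-11-27 / catchme 0.3.1367 line formats shown here and nothing else.

```python
"""Diff two ComboFix logs: which registry loading points disappeared or
appeared, which catchme hidden files are new, and which autostart values
ComboFix could not resolve to a file ([X]).

Added example for this thread; not part of ComboFix, HijackThis or any tool
the posts mention. The regexes assume the line formats visible in the logs
on this page (ComboFix 08-11-27 / catchme 0.3.1367)."""
import re

# Constructed excerpts of the two runs posted in the thread, trimmed to the
# lines the parser cares about. Paths are copied from the posted logs.
LOG_RUN1 = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2005-07-25 12:41 40960 c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
2005-08-19 07:52 389120 c:\windows\system32\IfxWlxEN.dll

scanning hidden files ...

scan completed successfully
hidden files: 0
"""

LOG_RUN2 = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2005-07-25 12:41 40960 c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll

scanning hidden files ...

c:\windows\TEMP\TMP0000004638C58D1AAE80C3FA 524288 bytes executable
c:\windows\system32\chg.exe 114688 bytes executable

scan completed successfully
hidden files: 2
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")  # [HKEY_...] block header
HIDDEN_RE = re.compile(r"^(?P<path>[a-z]:\\.+?) (?P<size>\d+) bytes executable$", re.I)


def parse_combofix(text):
    """Return {'keys': {key: [value lines]}, 'hidden': [(path, size)]}.

    A registry block runs from its [key] header to the next blank line;
    keys and hidden-file paths are lower-cased so two runs compare cleanly."""
    keys, hidden, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":  # blank line or "." ends a block
            current = None
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            keys.setdefault(current, [])
            continue
        h = HIDDEN_RE.match(line)
        if h:
            hidden.append((h.group("path").lower(), int(h.group("size"))))
            continue
        if current is not None:
            keys[current].append(line)
    return {"keys": keys, "hidden": hidden}


def unresolved_autostarts(parsed):
    """(key, line) pairs ComboFix tagged [X]: the value's target file was not
    found. Not proof of malware (Windows' own dumprep entry carries [X]),
    but the first thing to review by hand."""
    return [(k, ln) for k, lines in parsed["keys"].items()
            for ln in lines if ln.endswith("[X]")]


def diff_runs(before_text, after_text):
    """What changed between two runs, as sorted lists."""
    before, after = parse_combofix(before_text), parse_combofix(after_text)
    return {
        "removed_keys": sorted(set(before["keys"]) - set(after["keys"])),
        "added_keys": sorted(set(after["keys"]) - set(before["keys"])),
        "new_hidden": sorted(set(after["hidden"]) - set(before["hidden"])),
        "gone_hidden": sorted(set(before["hidden"]) - set(after["hidden"])),
    }


if __name__ == "__main__":
    for label, items in diff_runs(LOG_RUN1, LOG_RUN2).items():
        print(label)
        for item in items:
            print("   ", item)
    for key, line in unresolved_autostarts(parse_combofix(LOG_RUN2)):
        print("[X] under", key, "->", line)
```

Run against the two excerpts it reports the IfxWlxEN notify key as removed, the two hidden executables under c:\windows\TEMP and c:\windows\system32 as new, and the UserFaultCheck value as the only `[X]` entry. Point `parse_combofix` at full saved copies of ComboFix.txt and ComboFix2.txt to get the same diff for the whole log; the "Other Deletions" and "Files Created" sections are not parsed and should be read alongside.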
Posted 11/28/2008 8:14 PM
#69093
keng53140 Advanced member

Date Joined Nov 2016
Total Posts: 77
Logfile of HijackThis v1.99.1
Scan saved at 2:14:26 PM, on 11/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\HPQ\IAM\bin\asghost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = https://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*https://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://go.microsoft.com/fwlink/?LinkId=74005
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: HP Credential Manager for ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\HPQ\IAM\Bin\ItIeAddIN.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll,RegisterModule
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=https://www.hp.com
O16 - DPF: {0470E62C-C97E-4317-81E5-0774D8CBF7B7} (EndPointScan Class) - https://www.endpointscan.com/EndPointScan.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - https://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - https://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.6.0.cab
O16 - DPF: {2FE68711-8830-417D-95E0-EAB307DB0447} (mpsPwLc7.PMWebSiteLogin) - https://prolog.tsargent.com/PW/mpsPwLc7.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - https://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {576756A1-D97C-45D0-A945-0324019A131E} (BOSIActiveFormX Control) -
O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - https://sp.emrsn.com/sharepoint_it/Portal/resources/msddsc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - https://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151025304987
O16 - DPF: {6AF2E1A7-A16E-4503-A440-07CA49122CCE} (BOSIRichEditActiveX Control) -
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - https://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - https://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183485533125
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {E7C44C86-0CD3-11D2-9311-00A0247A4E65} (SEAGULL J Walk ActiveX Client) - https://marketplace.doitbestcorp.com/JWALK/JWalkX/jwalkx.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: GFI ReportCenter 3.5 (GFI_ReportCenter35) - Unknown owner - C:\Program Files\Common Files\GFI\ReportCenter\Framework v3.5\gfireporterservice.exe" -service (file missing)
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
O23 - Service: SonicWall VPN Client Service (RampartSvc) - Unknown owner - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe (file missing)
Posted 11/29/2008 4:07 AM
#69104
User avatar

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Please upload and have this file scanned:

c:\windows\system32\chg.exe

Here



https://virusscan.jotti.org/ - https://www.virustotal.com/en/indexf.html




Post back the results

Click here: Before-posting-a-log
Do not PM me with logfiles. They will be deleted.


Posted 11/29/2008 5:48 AM
#69115
User avatar

keng53140 Advanced member

Date Joined Nov 2016
Total Posts: 77
That file is not on this computer at all.
Posted 11/29/2008 5:51 AM
#69117
User avatar

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
It can be hidden:

Show hidden files and folders



Posted 11/29/2008 5:56 AM
#69118
User avatar

keng53140 Advanced member

Date Joined Nov 2016
Total Posts: 77
Yeah, I did that and it's not there.
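The check behind the exchange above, as an added example that is not part of the forum thread: Explorer hides files carrying the HIDDEN or SYSTEM attribute, but the filesystem API still sees them, so a script can confirm whether a file such as c:\windows\system32\chg.exe is truly absent and, if present, produce its SHA-256 for a VirusTotal/Jotti hash lookup before uploading anything. The file names, sample bytes and temporary directory in demo() are constructed for the example.

```python
"""Locate a file Explorer may hide and hash it for an online-scanner lookup.

Added example, not from the forum thread. Explorer hides files carrying the
HIDDEN or SYSTEM attribute, but the filesystem API still sees them, so a
script can confirm whether a file like c:\\windows\\system32\\chg.exe is truly
absent. The SHA-256 lets you search VirusTotal/Jotti by hash before uploading.
"""
import hashlib
import tempfile
from pathlib import Path

FILE_ATTRIBUTE_HIDDEN = 0x2  # Win32 attribute bits
FILE_ATTRIBUTE_SYSTEM = 0x4


def is_hidden(path: Path) -> bool:
    """True if Explorer would hide this file with default settings."""
    attrs = getattr(path.stat(), "st_file_attributes", None)  # Windows only
    if attrs is not None:
        return bool(attrs & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM))
    return path.name.startswith(".")  # POSIX convention, used by the demo


def inspect_file(path_str: str) -> dict:
    """Report existence, hidden status, size and SHA-256 of a file."""
    path = Path(path_str)
    if not path.is_file():
        return {"path": str(path), "exists": False}
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return {"path": str(path), "exists": True, "hidden": is_hidden(path),
            "size": path.stat().st_size, "sha256": digest.hexdigest()}


def demo() -> dict:
    """Constructed demo: a dotfile with known bytes, an empty file and a
    missing path, all inside a temporary directory (no real chg.exe used)."""
    with tempfile.TemporaryDirectory() as d:
        dotfile = Path(d) / ".sample.bin"
        dotfile.write_bytes(b"constructed sample bytes\n")  # 25 bytes
        empty = Path(d) / "empty.bin"
        empty.write_bytes(b"")
        return {"dotfile": inspect_file(str(dotfile)),
                "empty": inspect_file(str(empty)),
                "missing": inspect_file(str(Path(d) / "nope.exe"))}
```

On the machine in question, call inspect_file(r"c:\windows\system32\chg.exe") directly; demo() only exercises the logic on constructed files.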
Posted 11/29/2008 6:14 AM
#69121
User avatar

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Ok. It seems chg.exe is responsible for launching PCAngel.exe when required. PCAngel is a rollback tool and is part of the HP ProtectTools suite. That's probably why you can't find it.

The log looks clean then.

How are things running now ?



Posted 11/29/2008 6:21 AM
#69122
User avatar

keng53140 Advanced member

Date Joined Nov 2016
Total Posts: 77
The CPU seems to be running smoothly. I ran AVG a few hours ago and had nothing wrong, so hopefully it will stay that way.