Post #1, Jul 16 2008, 01:44 PM
New Member (Group: New Member, Posts: 14, Joined: 16-July 08, Member No.: 80,329, Operating System: Win XP Media Center)
This time I am at a total loss, though. Here is the situation.

Laptop - Windows XP Media Edition

Symptoms:
- "VIRUS ALERT" displayed in the System Tray by the clock.
- Pop-ups all the time to buy a virus remover program, very cleverly disguised to look like it is Microsoft endorsed.
- Cannot go to ANY websites. Every time I try to get to a website I am redirected to "www.asiouqgusdbaksd.com/.." that sends me to random search engines and websites selling random products.
- The only web browser I can open is IE. If I try to open up Mozilla Firefox, it will never open.
- Task Manager disabled.
- Even if I boot in SAFE MODE all of the above still happens.
- Pop-ups constantly saying that a BHO change was made, but when I say to NOT make the change, it just keeps popping up.
- Sometimes the pop-ups for the BHO change only give me the option of ALLOW CHANGE and DENY is greyed out.
- Constant registry change alerts that I say to NOT allow, but they constantly keep popping up.
- There are NO System Restore points. I KNOW that I had this turned on but Windows shows NO previous restore points.

Attempted fixes so far:
- Ran AdAware and it finds stuff but doesn't seem to remove anything.
- Scanned computer with AVG AntiVirus and it finds Virtumonde but will not remove it.
- Downloaded HJT on another computer and put it on my desktop, but the computer won't run HJT at all, not even in Safe Mode.
- I have tried to run some other programs to help diagnose/fix the problem but the computer won't even allow me to run those.
- Tried to restore the registry using a different RegCleaner program that I had a registry backup with, but it didn't seem to do anything.

I am pulling out my hair. TIA!

Jay
Post #2, Jul 16 2008, 02:20 PM
Always Happy (Group: Malware Team, Posts: 3,782, Joined: 9-December 06, From: Haggistown, Kiltland, Member No.: 65,226, Operating System: XP Pro Ubuntu 8.04)
Hi

Rename HijackThis

Right-click on HijackThis.exe & select Rename to iseeu.com and try running HijackThis.
Post #3, Jul 17 2008, 09:45 AM
New Member (Group: New Member, Posts: 14, Joined: 16-July 08, Member No.: 80,329, Operating System: Win XP Media Center)
Ok, I think we are making SOME progress! I wrote everything down I did last night but then forgot to bring it to work with me. Am going to try to remember the steps I took to the best of my knowledge.

- Renamed HJTInstall.EXE to iseeu.com and the program installed and ran.
- When I clicked Scan and Log it ran but gave an error when trying to open Notepad, claiming DEP shut down Notepad to "protect me".
- Booted into Safe Mode and ran HJT and was able to get a log.
- Rebooted into Normal mode and got an error saying something to the effect of RUNDLL ERROR and that it couldn't load a particular DLL. I just left that alone and then I got some BHO change warnings and registry change warnings. I didn't mess with those either.
- Ran HJT again and same error, but this time I clicked on "What is this?" in the error window, which directed me how to get into the DEP console.
- Changed the radio button to only allow programs I select to run and saw that Notepad was in there twice. I removed the entries and it asked for a reboot.
- Ran HJT again and got the same result as above, but this time there was an option to "Change Settings" so I clicked on that and I saw that Notepad was again in the list. Instead of deleting it this time, I checked the box that was next to it. Clicked OK out of that and then Notepad opened with the HJT log.

Great suggestion on renaming HJTInstall. Keep those coming. So here is my HJT log so far!
```
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:25: VIRUS ALERT!, on 7/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [b0247bdc] rundll32.exe "C:\WINDOWS\system32\tcvuidii.dll",b
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://www.taylorbeanonline.com/scriptx/smsx.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} (AxLoaderPassword Class) - http://www.blackberry.com/devicesoftware/AxLoader.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7DD62E58-5FA8-11D2-AFB7-00104B64F126} - http://www.swiftview.com/product/public/sv...all_a_green.exe
O16 - DPF: {FF1CD9A3-00CD-45C1-8182-4EEC229A182D} (Plaxo Auto-Import Utility) - https://www.plaxo.com/activex/plx_upldr-2k-xp.cab
O21 - SSODL: fsrpknov - {CFA23A78-B3FF-47C4-8D27-5D684EE0C7CB} - C:\WINDOWS\fsrpknov.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 10140 bytes
```
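The log in this post carries the entries a Malware Team reader picks out by eye: a Run value with a random eight-hex-digit name (`[b0247bdc]`) that has rundll32 load a random-named DLL out of system32 (`tcvuidii.dll`), a ShellServiceObjectDelayLoad entry (O21) pointing at a random-named DLL in C:\WINDOWS (`fsrpknov.dll`), and the O6/O7 policy lines that explain why Registry Editor and parts of Internet Explorer are locked. The Python script below is an added example for this page, not part of the original thread and not a HijackThis feature: it pulls exactly those indicators out of a HijackThis 2.x log. The sample lines are copied from the poster's log above, with the benign AVG and ctfmon entries kept as controls; the "random name" heuristics (eight lowercase letters for a file stem, eight hex digits for a Run value name) are assumptions made for this example, not published rules, so a hit is a lead for a person to confirm, not a verdict.

```python
"""Pull the indicators discussed in this thread out of a HijackThis 2.x log.

Added example for this thread, not a HijackThis feature. The sample lines
are copied from the poster's first log; the heuristics are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed heuristics (not published rules): an eight-letter lowercase file stem
# or an eight-hex-digit Run value name is treated as machine-generated. That is
# the pattern tcvuidii.dll, fsrpknov.dll and the [b0247bdc] value share.
RANDOM_STEM = re.compile(r"^[a-z]{8}$")
HEX_NAME = re.compile(r"^[0-9a-f]{8}$")
SYSTEM_DIRS = ("c:\\windows", "c:\\windows\\system32")

ENTRY = re.compile(r"^(?P<sec>[RO]\d{1,2}) - (?P<body>.*)$")
O4_RUN = re.compile(r"^(?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RUNDLL_ARG = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.IGNORECASE)
O21_SSODL = re.compile(r"^SSODL: \S+ - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    reason: str    # why the line was flagged
    line: str      # the log line itself


def _stem(path: str) -> str:
    """'C:\\WINDOWS\\system32\\tcvuidii.dll' -> 'tcvuidii'."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def _in_system_dir(path: str) -> bool:
    """True when the file sits directly in C:\\WINDOWS or C:\\WINDOWS\\system32."""
    return path.lower().rsplit("\\", 1)[0] in SYSTEM_DIRS


def triage(log_text: str) -> list[Finding]:
    """Return the log lines that match the indicators seen in this thread."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header lines and the process list are skipped
        sec, body = m.group("sec"), m.group("body")
        if sec == "O4":
            run = O4_RUN.match(body)
            if not run:
                continue  # e.g. "O4 - Startup: ..." entries
            dll = RUNDLL_ARG.search(run.group("cmd"))
            if dll and _in_system_dir(dll.group("dll")) and RANDOM_STEM.match(_stem(dll.group("dll"))):
                findings.append(Finding(sec, "rundll32 loads a random-named DLL from a system directory", line))
            elif HEX_NAME.match(run.group("name")):
                findings.append(Finding(sec, "Run value name is eight hex digits", line))
        elif sec == "O21":
            ssodl = O21_SSODL.match(body)
            if ssodl and RANDOM_STEM.match(_stem(ssodl.group("path"))):
                findings.append(Finding(sec, "ShellServiceObjectDelayLoad entry for a random-named DLL", line))
        elif sec == "O6" and body.endswith("Restrictions present"):
            findings.append(Finding(sec, "Internet Explorer restrictions policy is set", line))
        elif sec == "O7" and "DisableRegedit=1" in body:
            findings.append(Finding(sec, "Registry Editor disabled by policy", line))
    return findings


# Constructed sample: lines copied from the poster's first log, including the
# benign AVG, ctfmon and service entries as controls that must not be flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [b0247bdc] rundll32.exe "C:\WINDOWS\system32\tcvuidii.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O21 - SSODL: fsrpknov - {CFA23A78-B3FF-47C4-8D27-5D684EE0C7CB} - C:\WINDOWS\fsrpknov.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Run it against a saved hijackthis.log by passing the file contents to `triage()`. The O4 rule is deliberately narrow (rundll32 plus a system-directory DLL plus a random stem) so that ordinary rundll32 entries such as NvCpl or driver helpers do not fire; the hex-name rule catches the value name on its own when the payload is something other than rundll32.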
Post #4, Jul 17 2008, 09:51 AM
Always Happy (Group: Malware Team, Posts: 3,782, Joined: 9-December 06, From: Haggistown, Kiltland, Member No.: 65,226, Operating System: XP Pro Ubuntu 8.04)
Hi

We need to do more renaming. The HJT installer was renamed, allowing it to install, but the actual program is using its standard name.

Rename HijackThis

There is a possibility an infection is hiding part of the HijackThis log because it's called hijackthis.exe.

Using Windows Explorer, by right-clicking the Start button and left-clicking Explore, navigate to:

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

Right-click on HijackThis.exe & select Rename to iseeu.com and post back a new HijackThis log.
Post #5, Jul 17 2008, 12:26 PM
New Member (Group: New Member, Posts: 14, Joined: 16-July 08, Member No.: 80,329, Operating System: Win XP Media Center)
Ok, thank you Scotty. I did think that the HJT log looked a little short from the last time I had to run HJT on another computer. I don't have the laptop here with me at work so I will have to wait until I get home tonight to do this.

With that in mind, though, do you recommend that, while I am here at work and I do have access to the internet, I d/l any other programs to put onto my USB drive to take home with me? Either way I will report back tomorrow to let you know if I was able to make any more progress. I was pretty happy about figuring out how to get Notepad to work.
Post #6, Jul 17 2008, 12:46 PM
Always Happy (Group: Malware Team, Posts: 3,782, Joined: 9-December 06, From: Haggistown, Kiltland, Member No.: 65,226, Operating System: XP Pro Ubuntu 8.04)
Until I see the full log, I can't really say what exactly we will need, or how we do it. If another computer is to be needed, is work the only other access you have?
Post #7, Jul 17 2008, 12:56 PM
New Member (Group: New Member, Posts: 14, Joined: 16-July 08, Member No.: 80,329, Operating System: Win XP Media Center)
At the moment, yes. Sorry that it is creating such delays. Hopefully after the next few steps we might be in a position that I can get a little control back over my web browser and I will be able to get to websites *I* want to go to versus whatever thing this is sending me to random websites.
Post #8, Jul 17 2008, 01:48 PM
Always Happy (Group: Malware Team, Posts: 3,782, Joined: 9-December 06, From: Haggistown, Kiltland, Member No.: 65,226, Operating System: XP Pro Ubuntu 8.04)
Hi

While you are at work, it would be best to download this program, as your infected computer may be blocked from doing so.

Right-click on the link below and select Save Target As...

Click here

In the window that opens select Desktop for where to save to. At the bottom rename it Combo-fix.exe. Then save it. Now move it onto the USB stick.

You will have to move the saved file onto the infected PC's Desktop before running it. If it does not run, let me know and I will provide instructions on getting into Safe Mode, if needed. If you know how, then just proceed to run it in Safe Mode.

After using the USB stick do not use it in another computer until we have checked it is clean. Leave it in the PC.

This post has been edited by Scotty: Jul 17 2008, 01:49 PM
Post #9, Jul 17 2008, 02:10 PM
New Member (Group: New Member, Posts: 14, Joined: 16-July 08, Member No.: 80,329, Operating System: Win XP Media Center)
Ok, thanks. File d/led and renamed and on my USB stick.

When I get home tonight I will rename HijackThis.exe to iseeu.com and run that to try and get a more complete log. I will then move the Combo-Fix.exe file off my USB to the Desktop and run that. If that doesn't run then I will boot to Safe Mode and try to run Combo-Fix.exe in Safe Mode. I will report back tomorrow. Thank you.
Post #10, Jul 17 2008, 10:34 PM
New Member (Group: New Member, Posts: 14, Joined: 16-July 08, Member No.: 80,329, Operating System: Win XP Media Center)
OK, making some good progress tonight. Actually posting this from my laptop.

- Renamed HijackThis.exe to iseeu.com and ran it. It gave me a much more comprehensive log.
- Ran Combo-Fix. Combo-Fix rebooted my computer. Computer booted and a lot of the previous issues seemed to be gone but SpywareGuard was constantly stopping changes to the registry. So I figured I would run Combo-Fix again, what the heck.
- Computer rebooted and it seems like everything is stable now. Am able to get onto the web (obviously) and I am not getting bombarded with BHO and registry change alerts.
- Ran HJT again to have the most current HJT log after the ComboFix.

ComboFix and HJT logs are below. What next?

```
ComboFix 08-07-15.4 - USER 2008-07-17 21:01:15.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.514 [GMT -7:00]
Running from: C:\Documents and Settings\USER\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER


((((((((((((((((((((((((( Files Created from 2008-06-18 to 2008-07-18 )))))))))))))))))))))))))))))))
.

2008-07-17 20:54 . 2008-07-17 20:55 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-07-17 20:43 . 2008-07-17 20:43 <DIR> d--h----- C:\WINDOWS\PIF
2008-07-16 21:07 . 2008-07-16 21:07 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-13 21:25 . 2008-07-13 21:25 <DIR> d-------- C:\Deckard
2008-07-13 10:49 . 2008-07-13 10:49 <DIR> d-------- C:\Documents and Settings\Jay S Howard\Application Data\Sammsoft
2008-07-13 10:48 . 2008-07-13 10:48 <DIR> d-------- C:\Program Files\Advanced Registry Optimizer
2008-07-13 03:24 . 2008-07-13 03:24 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-07-13 02:05 . 2004-10-08 05:01 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-06-25 21:31 . 2008-07-12 07:24 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-25 21:31 . 2008-06-25 21:31 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-20 10:46 . 2008-06-20 10:46 245,248 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 10:46 . 2008-06-20 10:46 147,968 -----c--- C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 04:51 . 2008-06-20 04:51 361,600 -----c--- C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 04:40 . 2008-06-20 04:40 138,496 -----c--- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 04:08 . 2008-06-20 04:08 225,856 -----c--- C:\WINDOWS\system32\dllcache\tcpip6.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-18 03:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-07-13 10:09 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-13 09:33 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-13 02:43 --------- d-----w C:\Program Files\FlashFXP
2008-07-03 05:38 --------- d-----w C:\Program Files\Common Files\Research In Motion
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-18 06:55 --------- d-----w C:\Program Files\Mobipocket.com
2008-06-18 06:55 --------- d-----w C:\Program Files\Common Files\Mobipocket Shared
2008-06-18 06:39 --------- d-----w C:\Documents and Settings\USER\Application Data\Mobipocket
2008-06-14 15:39 --------- d-----w C:\Documents and Settings\USER\Application Data\Blackberry Desktop
2008-06-14 15:38 --------- d-----w C:\Program Files\palmOne
2008-06-14 15:24 --------- d-----w C:\Documents and Settings\USER\Application Data\Roxio
2008-06-14 15:24 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Roxio
2008-06-14 15:21 --------- d-----w C:\Documents and Settings\USER\Application Data\Research In Motion
2008-06-14 15:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Roxio
2008-06-14 15:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sonic
2008-06-14 15:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2008-06-14 15:15 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-06-14 15:14 --------- d-----w C:\Program Files\Roxio
2008-06-14 15:13 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-06-14 15:07 --------- d-----w C:\Program Files\Research In Motion
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-08 21:13 --------- d-----w C:\Program Files\NewsLeecher
2008-06-05 10:03 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-05-27 05:06 --------- d-----w C:\Documents and Settings\USER\Application Data\NewsLeecher
2008-05-23 04:06 --------- d-----w C:\Documents and Settings\USER\Application Data\GSplit
2008-05-23 04:05 --------- d-----w C:\Program Files\GSplit
2008-05-22 07:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\FlashFXP

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 23:36 1207080]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 12:37 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 11:41 602182]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-20 23:26 761945]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-06-28 01:11 580096]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-10 14:10 219136]

C:\Documents and Settings\Jay S Howard\Start Menu\Programs\Startup\
HControl.lnk - C:\WINDOWS\ATK0100\HControl.exe [2006-06-26 17:08:23 106496]
HotSync Manager.LNK - C:\Program Files\palmOne\Hotsync.exe [2008-01-03 18:28:08 1392640]

C:\Documents and Settings\USER\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoThumbnailCache"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax 4.3.lnk]
backup=C:\WINDOWS\pss\eFax 4.3.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SJphone.lnk]
backup=C:\WINDOWS\pss\SJphone.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SJphone.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Sprint Mobile Broadband (Novatel Wireless).LNK]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Sprint Mobile Broadband (Novatel Wireless).LNK
backup=C:\WINDOWS\pss\Sprint Mobile Broadband (Novatel Wireless).LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jay S Howard^Start Menu^Programs^Startup^Shortcut to HControl.lnk]
backup=C:\WINDOWS\pss\Shortcut to Hcontrol.lnkStartup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_SL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-01-17 09:51 486856 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.3]
--a------ 2007-03-06 10:21 116224 C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-06-20 23:36 1207080 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hcontrol]
--a------ 2002-01-08 15:22 53248 C:\WINDOWS\Hcontrol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 17:12 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2007-08-16 08:56 236016 C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-12-14 03:42 144784 C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2006-01-11 02:23 15961088 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
--a------ 2006-01-19 21:34 544768 C:\WINDOWS\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Themes"=2 (0x2)
"Schedule"=2 (0x2)
"NProtectService"=2 (0x2)
"ERSvc"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WinVNC4"=2 (0x2)
"ose"=3 (0x3)
"BlueSoleil Hid Service"=2 (0x2)
"iPod Service"=3 (0x3)
"StarWindServiceAE"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"C:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
"C:\\Program Files\\palmOne\\Hotsync.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\DiskTrix\\UltimateDefrag\\UDefrag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2008-01-30 12:28]
R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys [2007-09-06 15:30]
R3 SscRdBus;Virtual bus device (SuperSpeed Software, Inc.);C:\WINDOWS\system32\DRIVERS\SscRdBus.sys [2005-04-08 12:38]
S3 hafvg;hafvg;C:\Documents and Settings\USER\Desktop\New Folder\hafvg.sys []
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;C:\WINDOWS\system32\DRIVERS\nwusbser2.sys [2007-10-12 16:04]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\drivers\PCASp50.sys [2007-08-16 15:24]
S3 SscRdFdo;RAM Disk (SuperSpeed Software, Inc.);C:\WINDOWS\system32\DRIVERS\SscRdFdo.sys [2005-03-31 12:25]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-31 23:03:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-24 04:22:32 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-17 21:06:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\SpywareGuard\sgbhp.exe
.
**************************************************************************
.
Completion time: 2008-07-17 21:09:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-18 04:09:10
ComboFix2.txt 2008-07-18 03:30:52

Pre-Run: 39,449,550,848 bytes free
Post-Run: 39,460,155,392 bytes free

237 --- E O F --- 2008-07-11 03:47:58
```

```
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:19, on 7/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\explorer.exe
```
C:\WINDOWS\explorer.exe C:\Program Files\Trend Micro\HijackThis\iseeu.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll O3 - Toolbar: Yahoo! 
Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [Yahoo! 
Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user') O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows 
Live\Writer\WriterBrowserExtension.dll O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU) O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://www.taylorbeanonline.com/scriptx/smsx.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} (AxLoaderPassword Class) - http://www.blackberry.com/devicesoftware/AxLoader.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab O16 - DPF: {7DD62E58-5FA8-11D2-AFB7-00104B64F126} - http://www.swiftview.com/product/public/sv...all_a_green.exe O16 - DPF: {FF1CD9A3-00CD-45C1-8182-4EEC229A182D} (Plaxo Auto-Import Utility) - https://www.plaxo.com/activex/plx_upldr-2k-xp.cab O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Apple Mobile Device - Apple, Inc. 
- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- End of file - 10357 bytes |
Jul 18 2008, 07:13 AM
Post
#11
Always Happy
Group: Malware Team
Posts: 3,782
Joined: 9-December 06
From: Haggistown, Kiltland
Member No.: 65,226
Operating System: XP Pro Ubuntu 8.04
Hi
I didn't mean for you to run Combofix right away, but no matter.

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
If the above link doesn't work, use this alternative: ATF (Atribune Temp File) Cleaner© by Atribune

Double-click ATF Cleaner.exe to open it.
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.
*Note* If you do not have Firefox or Opera, those options will be greyed out.

Let's run an F-Secure online scan; it will scan for Viruses, Spyware and RootKits:
If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
Note: This scan will only work with Internet Explorer. You must be logged on with administrator rights to run this scan. The scan may take a few hours.
Jul 18 2008, 08:42 AM
Post
#12
New Member
Group: New Member
Posts: 14
Joined: 16-July 08
Member No.: 80,329
Operating System: Win XP Media Center
DOH, I am sorry Scotty. I read your post as Combofix as the next logical step IF I could get HJT to work. My fault for assuming and jumping ahead.
I am up to the F-Secure portion of your next set of instructions and it is downloading the appropriate information. I have about an hour before I have to leave for work, so hopefully the scan will be done. I WILL be taking my laptop with me to work today, though. Now that my laptop can get onto the internet (and Fridays are a more casual day) I can work on it a little there, especially if I have to do any scans that will take some time. Also, I have a wireless mobile card, so I won't be plugging my laptop into the work network. I know that would be incredibly foolish.

Oh, one last thing. AVG did a scan last night and came up with about 25 hits. I don't know if it cleaned them or not or is just letting me know that it found them (it is the free version). I can get to the log within AVG but I don't know how to get the log to print to file.