Answers to your tech questions
Computer forums for help with removing malicious software (malware) and improving computer security

Welcome Guest to What the Tech! ( Log In | Register ) We specialize in the removal of malicious software (malware), but here you'll find free help and support for all your tech questions. We invite you to ask questions, share experiences, and learn. Explore our message boards, or register now to post messages of your own. Please Start Here. Register today (registration removes advertising)

      
 
 Closed TopicStart new topic
> [Closed] been hijacked
sicklife
post Jul 21 2008, 09:43 PM
Post #1


New Member
*

Group: New Member
Posts: 3
Joined: 21-July 08
Member No.: 80,429
Operating System: windows xp
Logfile of HijackThis v1.99.1
Scan saved at 20:42: VIRUS ALERT!, on 7/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {03BB1EF4-4FC3-4B2E-AB6C-B976781B3AAE} - C:\WINDOWS\system32\fccDsTlJ.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O2 - BHO: (no name) - {6A10732F-BDB9-48B3-9DF7-622478AD74FC} - C:\WINDOWS\system32\jkkLfEVM.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: QXK Olive - {812AE34E-162C-4C94-BAA1-A2C0431AEC84} - C:\WINDOWS\kgxmotapktx.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: qndsfmao - {3FCAEB7D-F8AE-4A67-AE6C-57EE1416BB6D} - C:\WINDOWS\qndsfmao.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [EPSON Stylus CX7800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P26 "EPSON Stylus CX7800 Series" /O6 "USB001" /M "Stylus CX7800"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=21871
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: jkkLfEVM - C:\WINDOWS\SYSTEM32\jkkLfEVM.dll
O21 - SSODL: kvxqmtre - {A9D64A39-6515-4989-8759-524DDB98DF9F} - C:\WINDOWS\kvxqmtre.dll (file missing)
O21 - SSODL: evgratsm - {E08642BD-D406-4550-AE35-FE554ECCDF7E} - C:\WINDOWS\evgratsm.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
Go to the top of the page
 
+Quote Post
Gary R
post Jul 22 2008, 04:00 AM
Post #2


Advanced Member
Group Icon

Group: Malware Team
Posts: 904
Joined: 25-July 06
From: Yorkshire, England
Member No.: 58,927
Operating System: XP
Looking over your log, back ASAP.
Go to the top of the page
 
+Quote Post
Gary R
post Jul 22 2008, 04:09 AM
Post #3


Advanced Member
Group Icon

Group: Malware Team
Posts: 904
Joined: 25-July 06
From: Yorkshire, England
Member No.: 58,927
Operating System: XP
QUOTE
Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Unless informed of in advance, failure to post replies within 5 days will result in this thread being closed.


Hi sicklife

I'm Gary R, I'll be glad to help you with your computer problems.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • Remember, absence of symptoms does not mean the infection is all gone.
  • Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process.

If you can do these things, everything should go smoothly.
  • If you're using XP, you'll need Administrator privileges to perform the fixes. (XP accounts are Administrator by default)
  • If you're using Vista, it will be necessary to right click all tools we use and select ----> Run as Admistrator

QUOTE
It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


I can see at least 2 infections on your computer, so it'll take a few passes to get you fully cleaned up, stick with it and we should be able to get you running properly again.

OK, lets get started with the first.

There are some new infections that damage your ability to boot if they are removed. So before we go any further, I need you to install Recovery Console to your computer. This is purely a precautionary measure, I don't see signs of them on your computer, but it's better to be a little cautious now than regretful later.

Recovery Console gives us the ability to recover your computer if things go wrong.

  • Download combofix.exe by sUBs to your Desktop (it must be in this location).
  • Alternate Download
  • If you already have a previous version, delete it and download a new version.
  • Go to Microsoft's website
  • Select the download that's appropriate for your Operating System (if you have XP Media Centre, use download for XP Pro. If you have SP3, then use the download for SP2)




  • Download the file & save it as it's originally named, to your Desktop.

  • Next
    • Disconnect from the Internet.
    • Important! Temporarily disable your anti-virus, and anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its files which may cause unpredictable results.
    • Click here to see a list of programs that should be disabled (ignore the firewalls). The list is not all inclusive. If yours are not listed and you don't know how to disable them, please ask.




  • Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix.
  • When prompted, agree to the End-User License Agreement to install Microsoft Recovery Console.
  • When complete a mesage will pop up asking if you want to continue scanning for Malware.
    • Click Yes
      • Combofix will now run a scan. (Usually takes 15-20 mins, but could be slightly longer)
      • When finished, it will
        • Produce a log for you. (it can also be found at C:\Combofix.txt)
      • Post the log in your next reply please.
      • Now run a new HJT scan and send me the log from that as well please.
  • Don't forget to re-enable your anti-virus and anti-malware protection before re-connecting to the Internet.


IMPORTANT
  • Do not use your computer while Combofix is running.
  • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  • If you've lost your Internet connection when Combofix has completely finished, re-start your computer to restore it.

If you have any problems with these instructions, a detailed Tutorial for how to use Combofix is available here.
Go to the top of the page
 
+Quote Post
sicklife
post Jul 22 2008, 10:47 PM
Post #4


New Member
*

Group: New Member
Posts: 3
Joined: 21-July 08
Member No.: 80,429
Operating System: windows xp
Here is the first log.

ComboFix 08-07-21.2 - KG 2008-07-22 21:36:47.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.668 [GMT -7:00]
Running from: C:\Documents and Settings\KG\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\KG\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\KG\Application Data\ShoppingReport
C:\Documents and Settings\KG\Application Data\ShoppingReport\cs\Config.xml
C:\Documents and Settings\KG\Application Data\ShoppingReport\cs\db\Aliases.dbs
C:\Documents and Settings\KG\Application Data\ShoppingReport\cs\db\Sites.dbs
C:\Documents and Settings\KG\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
C:\Documents and Settings\KG\Application Data\ShoppingReport\cs\report\aggr_storage.xml
C:\Documents and Settings\KG\Application Data\ShoppingReport\cs\report\send_storage.xml
C:\Documents and Settings\KG\Application Data\ShoppingReport\cs\res1\WhiteList.dbs
C:\Documents and Settings\KG\Desktop\Error Cleaner.url
C:\Documents and Settings\KG\Desktop\Privacy Protector.url
C:\Documents and Settings\KG\Desktop\Spyware&Malware Protection.url
C:\Program Files\ShoppingReport
C:\Program Files\ShoppingReport\Uninst.exe
C:\WINDOWS\erms.exe
C:\WINDOWS\evgratsm.dll
C:\WINDOWS\qndsfmao.dll
C:\WINDOWS\system32\cbXOFxYP.dll
C:\WINDOWS\system32\jkkLfEVM.dll
C:\WINDOWS\system32\JlTsDccf.ini
C:\WINDOWS\system32\JlTsDccf.ini2

.
((((((((((((((((((((((((( Files Created from 2008-06-23 to 2008-07-23 )))))))))))))))))))))))))))))))
.

2008-07-21 20:16 . 2008-07-21 18:07 <DIR> d-------- C:\Documents and Settings\Administrator.KG-CD51E3DE9B9B\Application Data\Apple Computer
2008-07-21 20:16 . 2008-07-21 20:16 <DIR> d-------- C:\Documents and Settings\Administrator.KG-CD51E3DE9B9B
2008-07-21 20:13 . 2008-07-21 20:13 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2008-07-21 19:57 . 2008-07-21 18:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-07-21 19:57 . 2008-07-21 20:10 <DIR> d---s---- C:\Documents and Settings\Administrator
2008-07-21 19:19 . 2008-07-21 19:55 <DIR> d-------- C:\$AVG8.VAULT$
2008-07-21 19:16 . 2008-07-21 19:18 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg(2)
2008-07-21 19:16 . 2008-07-21 20:10 <DIR> d-------- C:\Program Files\AVG(2)
2008-07-21 19:16 . 2008-07-21 20:10 <DIR> d-------- C:\Documents and Settings\KG\Application Data\AVGTOOLBAR
2008-07-21 19:16 . 2008-07-21 20:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8(2)
2008-07-21 17:55 . 2008-07-21 17:55 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-07-21 17:55 . 2008-07-21 20:12 <DIR> d-------- C:\Program Files\Norton AntiVirus
2008-07-21 17:53 . 2008-07-21 20:13 <DIR> d-------- C:\Program Files\Symantec
2008-07-21 17:53 . 2008-07-21 20:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-21 17:50 . 2008-07-21 20:13 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-21 16:55 . 2008-07-21 16:55 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-07-21 16:41 . 2008-07-17 03:14 155,648 --a------ C:\WINDOWS\agpqlrfm.exe
2008-07-10 20:36 . 2008-07-10 20:36 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-07-10 20:33 . 2003-05-01 13:26 5,220 -ra------ C:\WINDOWS\system32\drivers\CVirtA.sys
2008-07-10 20:32 . 2008-07-10 20:32 <DIR> d-------- C:\Program Files\Common Files\Deterministic Networks
2008-07-10 20:32 . 2008-07-10 20:32 <DIR> d-------- C:\Program Files\Cisco Systems
2008-07-10 20:32 . 2004-02-02 12:29 139,604 --a------ C:\WINDOWS\system32\drivers\dne2000.sys
2008-07-10 20:32 . 2004-02-02 12:29 113,596 --a------ C:\WINDOWS\system32\dneinobj.dll
2008-06-30 20:24 . 2005-02-25 00:00 46,080 --a------ C:\WINDOWS\system32\escimgd.dll
2008-06-30 20:24 . 2005-02-25 00:00 29,696 --a------ C:\WINDOWS\system32\escwiad.dll
2008-06-30 20:24 . 2005-02-25 00:00 22,016 --a------ C:\WINDOWS\system32\esccmd.dll
2008-06-30 20:24 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-06-30 20:24 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-06-30 20:23 . 2008-06-30 20:24 <DIR> d-------- C:\Program Files\EPSON
2008-06-30 20:23 . 2008-06-30 20:24 <DIR> d-------- C:\epson
2008-06-30 20:17 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-06-30 20:17 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-06-30 20:16 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-06-30 20:16 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-06-29 13:02 . 2007-07-30 14:44 3,518,464 --a------ C:\WINDOWS\system32\cdintf300.dll
2008-06-29 13:02 . 2007-06-28 14:09 1,843,200 --a------ C:\WINDOWS\system32\acXMLParser.dll
2008-06-29 12:56 . 2008-06-29 12:56 <DIR> d-------- C:\Program Files\Intuit
2008-06-29 12:56 . 2008-06-29 12:59 <DIR> d-------- C:\Program Files\Common Files\Intuit
2008-06-29 12:56 . 2008-06-30 20:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intuit
2008-06-29 12:55 . 2008-06-29 12:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\COMMON FILES
2008-06-29 12:54 . 2008-06-29 12:54 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-06-29 12:49 . 2008-06-29 12:49 376 --a------ C:\WINDOWS\ODBC.INI
2008-06-29 12:48 . 2008-06-29 12:48 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-06-29 12:47 . 2008-06-29 12:48 <DIR> d-------- C:\WINDOWS\ShellNew
2008-06-29 11:40 . 2008-06-29 11:40 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-06-29 11:40 . 2008-06-29 11:40 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-06-29 11:40 . 2001-08-17 14:00 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2008-06-29 11:40 . 2001-08-17 14:00 54,272 --a--c--- C:\WINDOWS\system32\dllcache\swmidi.sys
2008-06-29 11:40 . 2004-08-03 23:07 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2008-06-29 11:40 . 2004-08-03 23:07 52,864 --a--c--- C:\WINDOWS\system32\dllcache\dmusic.sys
2008-06-29 11:40 . 2004-08-03 23:07 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2008-06-29 11:40 . 2004-08-03 23:07 6,400 --a--c--- C:\WINDOWS\system32\dllcache\splitter.sys
2008-06-29 11:36 . 2008-06-29 11:36 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-06-29 11:36 . 2004-08-03 23:15 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2008-06-29 11:36 . 2004-08-03 23:15 82,944 --a--c--- C:\WINDOWS\system32\dllcache\wdmaud.sys
2008-06-29 11:34 . 2008-06-29 11:34 <DIR> d-------- C:\Program Files\Realtek
2008-06-29 11:34 . 2008-06-29 11:34 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-06-29 10:00 . 2008-06-29 10:00 <DIR> d-------- C:\Program Files\iTunes
2008-06-29 10:00 . 2008-06-29 10:00 <DIR> d-------- C:\Program Files\iPod
2008-06-29 10:00 . 2008-06-29 10:00 <DIR> d-------- C:\Documents and Settings\KG\Application Data\Apple Computer
2008-06-29 09:59 . 2008-06-29 09:59 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-06-29 09:59 . 2008-06-29 09:59 <DIR> d-------- C:\Program Files\QuickTime
2008-06-29 09:59 . 2008-06-29 09:59 <DIR> d-------- C:\Program Files\Bonjour
2008-06-29 09:59 . 2008-06-29 09:59 <DIR> d-------- C:\Program Files\Apple Software Update
2008-06-29 09:59 . 2008-06-29 10:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-29 09:58 . 2008-06-29 09:58 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-06-29 09:58 . 2008-06-29 09:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-29 18:35 0 ----a-w C:\WINDOWS\system32\drivers\SET1133.tmp
2008-06-29 18:34 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-06-29 18:34 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-10 02:23 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-09 01:51 --------- d-----w C:\Program Files\Google
2008-06-09 01:38 --------- d-----w C:\Program Files\Java
2008-06-09 01:37 --------- d-----w C:\Program Files\Common Files\Java
2008-06-03 04:54 --------- d-----w C:\Program Files\PCDR5
2008-06-03 04:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC-Doctor
2008-05-24 23:47 --------- d-----w C:\Program Files\Broadcom
2008-05-24 22:57 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-13 20:06 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 10:37 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 05:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-10-12 16:28 1282048]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 13:17 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 13:13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 13:17 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 11:13 267048]
"AzMixerSel"="C:\Program Files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2007-08-23 14:48 53248]
"EPSON Stylus CX7800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE" [2005-04-07 04:00 98304]
"RTHDCPL"="RTHDCPL.EXE" [2007-08-10 15:21 16384000 C:\WINDOWS\RTHDCPL.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-11-12 21:41:42 972064]
VPN Client.lnk - C:\WINDOWS\Installer\{3E5562ED-69AB-4CEC-91E2-64E18EC5ACC6}\Icon3E5562ED7.ico [2008-07-10 20:34:05 6144]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=

S3 PCD5SRVC{DF187064-5DA14001-05040000};PCD5SRVC{DF187064-5DA14001-05040000} - PCDR Kernel Mode Service Helper Driver;C:\PROGRA~1\PCDR5\PCD5SRVC.pkms [2007-12-10 13:20]
.
Contents of the 'Scheduled Tasks' folder
"2008-06-29 16:59:13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-22 01:01:02 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - KG.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
.
- - - - ORPHANS REMOVED - - - -

BHO-{03BB1EF4-4FC3-4B2E-AB6C-B976781B3AAE} - C:\WINDOWS\system32\fccDsTlJ.dll
BHO-{812AE34E-162C-4C94-BAA1-A2C0431AEC84} - C:\WINDOWS\kgxmotapktx.dll
Toolbar-{3FCAEB7D-F8AE-4A67-AE6C-57EE1416BB6D} - C:\WINDOWS\qndsfmao.dll
SSODL-kvxqmtre-{A9D64A39-6515-4989-8759-524DDB98DF9F} - C:\WINDOWS\kvxqmtre.dll
SSODL-evgratsm-{E08642BD-D406-4550-AE35-FE554ECCDF7E} - C:\WINDOWS\evgratsm.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.azcentral.com/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-22 21:41:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCD5SRVC{DF187064-5DA14001-05040000}]
"ImagePath"="\??\C:\PROGRA~1\PCDR5\PCD5SRVC.pkms"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-07-22 21:44:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-23 04:44:16

Pre-Run: 64,789,372,928 bytes free
Post-Run: 65,249,640,448 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

211 --- E O F --- 2008-06-03 04:37:49
Go to the top of the page
 
+Quote Post
sicklife
post Jul 22 2008, 10:47 PM
Post #5


New Member
*

Group: New Member
Posts: 3
Joined: 21-July 08
Member No.: 80,429
Operating System: windows xp
and the second

Logfile of HijackThis v1.99.1
Scan saved at 21:47, on 7/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.azcentral.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [EPSON Stylus CX7800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P26 "EPSON Stylus CX7800 Series" /O6 "USB001" /M "Stylus CX7800"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=21871
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
Go to the top of the page
 
+Quote Post
Gary R
post Jul 23 2008, 03:44 AM
Post #6


Advanced Member
Group Icon

Group: Malware Team
Posts: 904
Joined: 25-July 06
From: Yorkshire, England
Member No.: 58,927
Operating System: XP
OK, looking a lot better, still a little work to do.

Download OTMoveIt2 by Old Timer and save it to your Desktop.
  • Double-click OTMoveIt2.exe to run it.
  • Copy the lines in the codebox below.

CODE
C:\WINDOWS\agpqlrfm.exe
C:\WINDOWS\system32\drivers\SET1133.tmp

  • Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.

  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt2


Next

Run a scan with HJT and when finished check the following items (if found).

O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\WINDOWS\system32\shdocvw.dll

O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)



Now close all open windows and click Fix Checked to remove them.

Next

  • Click Start > Run and type cleanmgr then click OK.
  • This will bring up the Disk Cleanup window.
  • Check the following entries.
    • Temporary Internet Files.
    • Recycle Bin.
    • Temporary Files.
  • Click OK.
  • When a prompt pops up click Yes.


Then

Please download Malwarebytes' Anti-Malware to your Desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.


  • Click on the Malwarebytes' Anti-Malware icon to launch the programme.
    • Click the Updates tab.
      • Click Check for Updates and allow the programme to download the latest definitions.
    • Click the Scanner tab.
      • Check Perform Full Scan.
      • Click Scan and wait for the scan to complete.
      • When the scan is complete, click OK, then Show Results.
      • Ensure all items are checked then click Remove Selected.
        • A box will pop-up telling you that files have been quarantined.
        • A log will pop-up.
      • Post the log in your next reply please.


You can also access the log by doing the following
  • Click on the Logs tab.
    • Click on the log at the bottom of those listed to highlight it.
    • Click Open


Finally

Run a new scan with HJT and post me the log please.

Summary of the logs I need from you in your next post:
  • OTMoveIt log
  • MBAM log
  • New HJT log


Please post each log separately to prevent them being cut off by the forum post size limiter.
Go to the top of the page
 
+Quote Post
Gary R
post Jul 28 2008, 03:57 PM
Post #7


Advanced Member
Group Icon

Group: Malware Team
Posts: 904
Joined: 25-July 06
From: Yorkshire, England
Member No.: 58,927
Operating System: XP
Due to inactivity this topic will be closed.
If you need help please start a new thread and post a new HJT log
Go to the top of the page
 
+Quote Post
Gary R
post Jul 28 2008, 03:57 PM
Post #8


Advanced Member
Group Icon

Group: Malware Team
Posts: 904
Joined: 25-July 06
From: Yorkshire, England
Member No.: 58,927
Operating System: XP
Due to inactivity this topic will be closed.
If you need help please start a new thread and post a new HJT log
Go to the top of the page
 
+Quote Post
« Next Oldest · HijackThis™ Logs and Infections Removal · Next Newest »
 

Closed TopicStart new topic
1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)
0 Members:

 
RSS Time is now: 21st August 2008 - 02:28 PM
Advertisements do not imply our endorsement of that product or service. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk.
Member site: Alliance of Security Analysis Professionals | UNITE Against Malware
© Geeks to Go, Inc. | All Rights Reserved | Privacy Policy
Powered By IP.Board © 2008  IPS, Inc.