[Closed] I have had the kavo.exe, tavo.exe etc. now other compute

This topic is locked
21 replies to this topic

#1 webgirl

New Member, 10 posts

Posted 28 March 2008 - 05:17 PM

Hi I have been having trouble for a couple of weeks trying to get rid of the kavo.exe etc.
It didn't get picked up by AVG so I uninstalled it and put on a Trend Micro. At first it didn't pick it up and someone told me to run msconfig and stop the kavo.exe and the tavo.exe from the window start-up. I did that then did a scan with Trend Micro. It found them but couldn't clean them so I deleted them.
Next I went into the regedit and removed the kavo.exe from the Windows Current Version Run.
It hasn't come back from there but the Trend Micro picks up AUTORUN.inf and same thing it can't clean so I deleted from the computer.
Now Trend Micro is prompting several IP addresses trying to log onto my computer and they are not any IP addresses I know. So I put a do not trust on them.
I downloaded the Hijack This and this is the log file.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:06:43 AM, on 29/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\webserver\wampmanager.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\webserver\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\mqsvc.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\webserver\apache2\bin\httpd.exe
C:\WINDOWS\System32\svchost.exe
C:\webserver\apache2\bin\httpd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\TRENDM~3\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Nanny\My Documents\Downloads\tmicro\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hairbeautyjobs.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\ntsock.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O3 - Toolbar: PayPal Toolbar - {C8390328-1270-436B-A76F-D85B0E8F3F34} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: WampServer.lnk = C:\webserver\wampmanager.exe
O4 - Startup: WinMySQLadmin.lnk = C:\wamp\mysql\bin\winmysqladmin.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {4B521767-E7AC-453B-BC7A-58015434AAF5} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra 'Tools' menuitem: PayPal Help - {4B521767-E7AC-453B-BC7A-58015434AAF5} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra button: (no name) - {583A3218-0C83-473D-B2DF-C1A4C367166F} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra 'Tools' menuitem: PayPal TipJar Now Button - {583A3218-0C83-473D-B2DF-C1A4C367166F} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {92BBF3D3-5B26-4354-B814-D46EE2F6F9C5} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra 'Tools' menuitem: PayPal Donate Now Button - {92BBF3D3-5B26-4354-B814-D46EE2F6F9C5} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra button: (no name) - {D6993FBC-85E1-4CE2-BE1E-768B7D77AB40} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra 'Tools' menuitem: PayPal Buy Now Button - {D6993FBC-85E1-4CE2-BE1E-768B7D77AB40} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - {E4D60AD3-9F9F-42F7-BCC9-F1FF81B43267} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra 'Tools' menuitem: PayPal Subscribe Now Button - {E4D60AD3-9F9F-42F7-BCC9-F1FF81B43267} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~3\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: wampapache - Apache Software Foundation - C:\webserver\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - C:\webserver\mysql\bin\mysqld-nt.exe

--
End of file - 9232 bytes

I hope somebody can help me please. Do I need to get a new hard drive because it is too late?
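A defender-side triage of the log above, as an added example that is not part of the thread and not HijackThis code: it parses HijackThis v2 lines copied from the first post and flags the entries a reviewer would check first (the F2 UserInit line that lists a second program after userinit.exe, O4 run entries with no absolute path or launched from the Windows folder root, and O23 services with no publisher information). The rules are the editor's own review heuristics; they mark entries to verify, not verdicts.

```python
"""Triage a HijackThis v2 log for startup entries that deserve a second look.

Added example for this thread; not from HijackThis or the forum. The rules are
the editor's own review heuristics: they mark entries to verify, not verdicts.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Lines copied from the first log posted in the thread (F2, O4 and O23 entries).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hairbeautyjobs.com.au/
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\ntsock.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code: "F2", "O4", "O23"
    reason: str
    line: str


# Absolute path to a PE/script file, optionally quoted, spaces allowed.
ABS_PATH = re.compile(r'^"?(?P<path>[a-z]:\\.+?\.(?:exe|dll|scr|cmd|bat))"?(?:\s|$)', re.I)
# A file sitting directly in the Windows folder rather than a subfolder.
WINDIR_ROOT = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.I)


def parse_userinit(line: str) -> list[str]:
    """Return the comma-separated programs listed on an F2 UserInit line."""
    m = re.search(r"UserInit=(.*)$", line, re.I)
    if not m:
        return []
    return [p.strip() for p in m.group(1).split(",") if p.strip()]


def check_f2(line: str) -> list[Finding]:
    """UserInit normally runs only userinit.exe; any extra program is flagged."""
    extras = [p for p in parse_userinit(line)
              if not p.lower().endswith("\\userinit.exe")]
    return [Finding("F2", f"extra UserInit program: {p}", line) for p in extras]


def check_o4(line: str) -> list[Finding]:
    """Run-key entries: flag commands with no absolute path and executables
    that live directly in the Windows folder."""
    m = re.match(r"^O4 - .*?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$", line)
    if not m:
        return []  # O4 "Startup:" .lnk lines use another layout; not handled here
    name, cmd = m.group("name"), m.group("cmd")
    path = ABS_PATH.match(cmd)
    if not path:
        return [Finding("O4", f"[{name}] has no absolute path: {cmd}", line)]
    if WINDIR_ROOT.match(path.group("path")):
        return [Finding("O4", f"[{name}] runs from the Windows folder root: {path.group('path')}", line)]
    return []


def check_o23(line: str) -> list[Finding]:
    """Services whose binary carries no company name in its version info."""
    if " - Unknown owner - " in line:
        return [Finding("O23", "service binary has no publisher information", line)]
    return []


CHECKS = {"F2": check_f2, "O4": check_o4, "O23": check_o23}


def triage(log_text: str) -> list[Finding]:
    """Run every check over the log and return findings in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        code = line.split(" ", 1)[0] if line else ""
        check = CHECKS.get(code)
        if check:
            findings.extend(check(line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}")
```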



#2 LDTate

Forum God, Root Admin, 57,171 posts

Posted 06 April 2008 - 03:13 PM


Sorry about the delay in responding :(

If you still need help, scan again with HijackThis and copy/paste a new log file into this thread.

Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#3 webgirl

New Member, 10 posts

Posted 06 April 2008 - 07:13 PM

Hi, I am having trouble with Trend Micro actually finishing a scan; it gets stuck and won't let me shut my computer down. I have to turn it off at the wall. The firewall had shown a different IP address than any of the computers we have in the house, but since I placed a do not trust on all computers it hasn't occurred since. My computer is running extremely slow.
The Trend Micro keeps saying it has security problems and I send a report but it still continues.
My hijackthis log is this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:53:12 AM, on 7/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\webserver\wampmanager.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\webserver\apache2\bin\httpd.exe
C:\webserver\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\mqsvc.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\webserver\apache2\bin\httpd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\TRENDM~3\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Nanny\My Documents\Downloads\tmicro\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hairbeautyjobs.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\ntsock.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O3 - Toolbar: PayPal Toolbar - {C8390328-1270-436B-A76F-D85B0E8F3F34} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [TMRUBottedTray] "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: WampServer.lnk = C:\webserver\wampmanager.exe
O4 - Startup: WinMySQLadmin.lnk = C:\wamp\mysql\bin\winmysqladmin.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {4B521767-E7AC-453B-BC7A-58015434AAF5} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra 'Tools' menuitem: PayPal Help - {4B521767-E7AC-453B-BC7A-58015434AAF5} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra button: (no name) - {583A3218-0C83-473D-B2DF-C1A4C367166F} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra 'Tools' menuitem: PayPal TipJar Now Button - {583A3218-0C83-473D-B2DF-C1A4C367166F} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {92BBF3D3-5B26-4354-B814-D46EE2F6F9C5} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra 'Tools' menuitem: PayPal Donate Now Button - {92BBF3D3-5B26-4354-B814-D46EE2F6F9C5} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra button: (no name) - {D6993FBC-85E1-4CE2-BE1E-768B7D77AB40} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra 'Tools' menuitem: PayPal Buy Now Button - {D6993FBC-85E1-4CE2-BE1E-768B7D77AB40} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - {E4D60AD3-9F9F-42F7-BCC9-F1FF81B43267} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra 'Tools' menuitem: PayPal Subscribe Now Button - {E4D60AD3-9F9F-42F7-BCC9-F1FF81B43267} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Trend Micro RUBotted Service (RUBotted) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~3\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: wampapache - Apache Software Foundation - C:\webserver\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - C:\webserver\mysql\bin\mysqld-nt.exe

--
End of file - 9504 bytes

Thanks for your help - I can't see anything nasty there so maybe you can.

#4 LDTate

Forum God, Root Admin, 57,171 posts

Posted 06 April 2008 - 07:17 PM

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless instructed to.

Next:

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.


(If you use Firefox or the Opera browser: to keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

Next:

Download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, please delete it from your desktop and download this new version . It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
  • Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
  • WARNING: IF you have not already done so Combofix will disconnect your machine from the Internet when it starts
  • Please do not re-connect your machine back to the Internet until Combofix has completely finished.
--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Give it at least 20-30 minutes to finish.



#5 webgirl

New Member, 10 posts

Posted 06 April 2008 - 08:30 PM

Hi, thanks for your help.
I have the ComboFix.txt.
I must say that on completion my Trend Micro sent popups: it blocked Nircmd.exe from Windows and didn't like catchme.cfexe from ComboFix in C files.
ComboFix 08-04-06.1 - Nanny 2008-04-07 11:38:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.16 [GMT 10:00]
Running from: C:\Documents and Settings\Nanny\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\bobsaver.exe
C:\WINDOWS\bobsaver.scr
C:\WINDOWS\hosts
C:\WINDOWS\secure32.html
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\dlh9jkd1q8.exe
C:\WINDOWS\system32\paytime.exe
C:\WINDOWS\system32\tavo1.dll
C:\WINDOWS\tool1.exe
C:\WINDOWS\tool2.exe
C:\WINDOWS\tool3.exe
C:\WINDOWS\tool4.exe
C:\WINDOWS\tool5.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2008-03-07 to 2008-04-07 )))))))))))))))))))))))))))))))
.

2008-03-29 09:27 . 2007-11-27 22:51 35,216 --a------ C:\WINDOWS\system32\drivers\TMPassthru.sys
2008-03-29 09:26 . 2008-03-29 09:26 <DIR> d-------- C:\Documents and Settings\Nanny\Application Data\InstallShield
2008-03-21 19:44 . 2008-03-21 21:54 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2008-03-21 18:32 . 2008-02-15 23:39 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-03-21 18:32 . 2008-02-15 23:39 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-03-21 18:32 . 2008-02-15 23:39 52,240 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-03-21 18:30 . 2008-03-29 08:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-03-21 18:29 . 2008-03-29 09:27 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-21 18:27 . 2008-03-21 18:27 <DIR> d-------- C:\Program Files\Trend Micro Internet Security
2008-03-21 15:52 . 2008-03-21 15:53 <DIR> d-------- C:\Program Files\TrendMicro Internet Security Trial

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-31 06:40 --------- d-----w C:\Program Files\Lexmark X1100 Series
2008-03-28 23:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-21 13:44 --------- d-----w C:\Program Files\Lavasoft
2008-03-21 08:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-03-19 22:49 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-12 09:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-15 13:39 65,936 ----a-w C:\WINDOWS\system32\drivers\tmtdi.sys
2008-02-15 13:39 35,856 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-02-15 13:39 333,328 ----a-w C:\WINDOWS\system32\drivers\TM_CFW.sys
2008-02-15 13:39 202,768 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-02-15 13:39 1,126,072 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2007-03-03 22:05 51,517 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2007_03_03_09_39_04_small.dmp.zip
2007-03-03 22:05 40,463 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2007_03_03_09_38_17_small.dmp.zip
2006-12-15 20:08 16,830,635 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_12_15_19_29_28_full.dmp.zip
2006-11-03 01:40 7,168 --sha-w C:\Program Files\Thumbs.db
2000-10-12 03:54 405,654 ------w C:\Program Files\rdb.bmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{C8390328-1270-436B-A76F-D85B0E8F3F34}"= "C:\Program Files\WebAssist\PayPal\PPBar.dll" [2007-06-14 18:31 696320]

[HKEY_CLASSES_ROOT\clsid\{c8390328-1270-436b-a76f-d85b0e8f3f34}]
[HKEY_CLASSES_ROOT\PPBar.PPBarBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{C8390328-1270-436B-A76F-D85B0E8F3F37}]
[HKEY_CLASSES_ROOT\PPBar.PPBarBand]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 08:57 143360]
"SiS Tray"="C:\WINDOWS\System32\sistray.EXE" [2003-10-30 14:10 667648]
"SiS Windows KeyHook"="C:\WINDOWS\System32\keyhook.exe" [2003-10-30 14:09 249856]
"HTpatch"="C:\WINDOWS\htpatch.exe" [2003-03-27 15:50 28672]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-10 04:50 155648]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [ ]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-20 00:43 57344]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-03-09 19:15 155648]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 17:35 32768]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-16 00:56 1398024]
"TMRUBottedTray"="C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe" [2007-12-19 00:18 288088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

C:\Documents and Settings\Nanny\Start Menu\Programs\Startup\
WampServer.lnk - C:\webserver\wampmanager.exe [2007-02-18 18:07:00 1141760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI1"= SYNCOR11.DLL
"vidc.tscc"= tsccvid.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kava]
C:\WINDOWS\system32\kavo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tava]
C:\WINDOWS\system32\tavo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

R2 RUBotted;Trend Micro RUBotted Service;"C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe" [2007-12-19 00:18]
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe [2004-08-04 00:56]
R2 wampapache;wampapache;"C:\webserver\apache2\bin\httpd.exe" -k runservice []
R2 wampmysqld;wampmysqld;C:\webserver\mysql\bin\mysqld-nt.exe [2007-05-04 10:00]
R3 TMPassthruMP;TMPassthruMP;C:\WINDOWS\system32\DRIVERS\TMPassthru.sys [2007-11-27 22:51]
S3 bDMusicb;bDMusicb;C:\DOCUME~1\Nanny\LOCALS~1\Temp\bDMusicb.sys []
S3 TMPassthru;Trend Micro Passthru Ndis Service;C:\WINDOWS\system32\DRIVERS\TMPassthru.sys [2007-11-27 22:51]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7ada662-9b2d-11dc-ae31-000ea696053e}]
\Shell\AutoRun\command - F:\0wk2.cmd
\Shell\explore\Command - F:\0wk2.cmd
\Shell\open\Command - F:\0wk2.cmd

.
Contents of the 'Scheduled Tasks' folder
"2008-04-06 23:37:22 C:\WINDOWS\Tasks\User_Feed_Synchronization-{34DCFB12-058F-457A-BC92-871173ECA6DB}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-07 11:59:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\mqsvc.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\PROGRA~1\TRENDM~3\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
.
**************************************************************************
.
Completion time: 2008-04-07 12:09:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-07 02:08:23
Pre-Run: 26,519,838,720 bytes free
Post-Run: 26,633,809,920 bytes free
.
2008-03-12 09:31:14 --- E O F ---

I also noticed there are still quarantine files in C:\QooBox; not sure if they are meant to stay there.
Then I did HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:15:36 PM, on 7/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\webserver\apache2\bin\httpd.exe
C:\webserver\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\mqsvc.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\webserver\apache2\bin\httpd.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\webserver\wampmanager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\TRENDM~3\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Nanny\My Documents\Downloads\tmicro\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hairbeautyjobs.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O3 - Toolbar: PayPal Toolbar - {C8390328-1270-436B-A76F-D85B0E8F3F34} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [TMRUBottedTray] "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: WampServer.lnk = C:\webserver\wampmanager.exe
O4 - Startup: WinMySQLadmin.lnk = C:\wamp\mysql\bin\winmysqladmin.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {4B521767-E7AC-453B-BC7A-58015434AAF5} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra 'Tools' menuitem: PayPal Help - {4B521767-E7AC-453B-BC7A-58015434AAF5} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra button: (no name) - {583A3218-0C83-473D-B2DF-C1A4C367166F} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra 'Tools' menuitem: PayPal TipJar Now Button - {583A3218-0C83-473D-B2DF-C1A4C367166F} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {92BBF3D3-5B26-4354-B814-D46EE2F6F9C5} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra 'Tools' menuitem: PayPal Donate Now Button - {92BBF3D3-5B26-4354-B814-D46EE2F6F9C5} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra button: (no name) - {D6993FBC-85E1-4CE2-BE1E-768B7D77AB40} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra 'Tools' menuitem: PayPal Buy Now Button - {D6993FBC-85E1-4CE2-BE1E-768B7D77AB40} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - {E4D60AD3-9F9F-42F7-BCC9-F1FF81B43267} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra 'Tools' menuitem: PayPal Subscribe Now Button - {E4D60AD3-9F9F-42F7-BCC9-F1FF81B43267} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Trend Micro RUBotted Service (RUBotted) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~3\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: wampapache - Apache Software Foundation - C:\webserver\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - C:\webserver\mysql\bin\mysqld-nt.exe

--
End of file - 9261 bytes

Thanks again...

#6 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,171 posts

Posted 07 April 2008 - 05:40 AM

Download & run this file
http://www.techsuppo...Disinfector.exe

Be sure to insert any flash drives or USB devices that you use.

Next:

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\kavo.exe
C:\WINDOWS\system32\tavo.exe
C:\DOCUME~1\Nanny\LOCALS~1\Temp\bDMusicb.sys
F:\0wk2.cmd

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kava]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tava]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7ada662-9b2d-11dc-ae31-000ea696053e}]


Save this as CFScript.txt


Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom
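The CFScript above deletes the files and registry keys that the posted ComboFix log shows as loading points. As an added example (not part of the thread and not ComboFix's own logic), this Python script reads the "Reg Loading Points" section of such a log and flags the entries a defender would want to look at first: Security Center overrides, disabled firewall, msconfig-disabled startup items, and mountpoints2 AutoRun verbs redirected to a file on a removable drive. The sample log text is constructed from the entries quoted in the thread; the heuristics and the severity labels are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: the 'Reg Loading Points' entries quoted in the thread,
# trimmed to the ones the CFScript and the Security Center settings concern.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kava]
C:\WINDOWS\system32\kavo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tava]
C:\WINDOWS\system32\tavo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7ada662-9b2d-11dc-ae31-000ea696053e}]
\Shell\AutoRun\command - F:\0wk2.cmd
\Shell\explore\Command - F:\0wk2.cmd
\Shell\open\Command - F:\0wk2.cmd
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium" (assumed labels, not a ComboFix rating)
    key: str       # registry key the finding came from
    detail: str


def parse_reg_points(text: str) -> dict:
    """Group the value lines of a REGEDIT4-style dump under their [key] header."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


# "Name"=dword:00000001 (any number of leading zeros)
_DWORD_ONE = re.compile(r'^"(?P<name>[^"]+)"=dword:0*1$', re.IGNORECASE)
# \Shell\<verb>\command - <target>, as ComboFix prints mountpoints2 entries
_AUTORUN = re.compile(
    r"^\\Shell\\(AutoRun|open|explore)\\command\s+-\s+(?P<target>\S.*)$", re.IGNORECASE
)


def triage(sections: dict) -> list:
    """Apply the heuristics to parsed sections and return a list of Findings."""
    findings = []
    for key, values in sections.items():
        k = key.lower()
        if k.endswith("\\security center"):
            # Override flags stop Security Center from warning about AV/firewall state.
            for v in values:
                m = _DWORD_ONE.match(v)
                if m and m.group("name").lower() in ("antivirusoverride", "firewalloverride"):
                    findings.append(Finding("high", key, f"{m.group('name')} set: Security Center alerts suppressed"))
        elif "\\security center\\monitoring\\" in k:
            for v in values:
                m = _DWORD_ONE.match(v)
                if m and m.group("name").lower() == "disablemonitoring":
                    findings.append(Finding("high", key, "DisableMonitoring set for " + key.rsplit("\\", 1)[-1]))
        elif "firewallpolicy\\standardprofile" in k and not k.endswith("\\list"):
            for v in values:
                if v.lower().startswith('"enablefirewall"') and re.search(r"=\s*0\b", v):
                    findings.append(Finding("high", key, "Windows Firewall disabled in the standard profile"))
        elif "\\explorer\\mountpoints2\\" in k:
            # A drive's AutoRun/open/explore verbs pointing at a script on that
            # drive is the classic autorun.inf worm pattern.
            for v in values:
                m = _AUTORUN.match(v)
                if m:
                    findings.append(Finding("high", key, f"{m.group(1)} verb redirected to {m.group('target')}"))
        elif "\\msconfig\\startupreg\\" in k:
            # Disabling an item in msconfig moves it here; the file is still on disk.
            for v in values:
                findings.append(Finding("medium", key, f"startup item disabled via msconfig but still on disk: {v}"))
    return findings


def triage_log(text: str) -> list:
    return triage(parse_reg_points(text))


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.detail}\n         {f.key}")
```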

 


#7 webgirl

webgirl

    New Member

  • New Member
  • Pip
  • 10 posts

Posted 08 April 2008 - 02:57 AM

Hi, thanks again for your help:
The ComboFix is:
ComboFix 08-04-06.1 - Nanny 2008-04-07 11:38:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.16 [GMT 10:00]
Running from: C:\Documents and Settings\Nanny\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\bobsaver.exe
C:\WINDOWS\bobsaver.scr
C:\WINDOWS\hosts
C:\WINDOWS\secure32.html
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\dlh9jkd1q8.exe
C:\WINDOWS\system32\paytime.exe
C:\WINDOWS\system32\tavo1.dll
C:\WINDOWS\tool1.exe
C:\WINDOWS\tool2.exe
C:\WINDOWS\tool3.exe
C:\WINDOWS\tool4.exe
C:\WINDOWS\tool5.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2008-03-07 to 2008-04-07 )))))))))))))))))))))))))))))))
.

2008-03-29 09:27 . 2007-11-27 22:51 35,216 --a------ C:\WINDOWS\system32\drivers\TMPassthru.sys
2008-03-29 09:26 . 2008-03-29 09:26 <DIR> d-------- C:\Documents and Settings\Nanny\Application Data\InstallShield
2008-03-21 19:44 . 2008-03-21 21:54 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2008-03-21 18:32 . 2008-02-15 23:39 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-03-21 18:32 . 2008-02-15 23:39 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-03-21 18:32 . 2008-02-15 23:39 52,240 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-03-21 18:30 . 2008-03-29 08:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-03-21 18:29 . 2008-03-29 09:27 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-21 18:27 . 2008-03-21 18:27 <DIR> d-------- C:\Program Files\Trend Micro Internet Security
2008-03-21 15:52 . 2008-03-21 15:53 <DIR> d-------- C:\Program Files\TrendMicro Internet Security Trial

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-31 06:40 --------- d-----w C:\Program Files\Lexmark X1100 Series
2008-03-28 23:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-21 13:44 --------- d-----w C:\Program Files\Lavasoft
2008-03-21 08:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-03-19 22:49 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-12 09:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-15 13:39 65,936 ----a-w C:\WINDOWS\system32\drivers\tmtdi.sys
2008-02-15 13:39 35,856 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-02-15 13:39 333,328 ----a-w C:\WINDOWS\system32\drivers\TM_CFW.sys
2008-02-15 13:39 202,768 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-02-15 13:39 1,126,072 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2007-03-03 22:05 51,517 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2007_03_03_09_39_04_small.dmp.zip
2007-03-03 22:05 40,463 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2007_03_03_09_38_17_small.dmp.zip
2006-12-15 20:08 16,830,635 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_12_15_19_29_28_full.dmp.zip
2006-11-03 01:40 7,168 --sha-w C:\Program Files\Thumbs.db
2000-10-12 03:54 405,654 ------w C:\Program Files\rdb.bmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{C8390328-1270-436B-A76F-D85B0E8F3F34}"= "C:\Program Files\WebAssist\PayPal\PPBar.dll" [2007-06-14 18:31 696320]

[HKEY_CLASSES_ROOT\clsid\{c8390328-1270-436b-a76f-d85b0e8f3f34}]
[HKEY_CLASSES_ROOT\PPBar.PPBarBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{C8390328-1270-436B-A76F-D85B0E8F3F37}]
[HKEY_CLASSES_ROOT\PPBar.PPBarBand]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 08:57 143360]
"SiS Tray"="C:\WINDOWS\System32\sistray.EXE" [2003-10-30 14:10 667648]
"SiS Windows KeyHook"="C:\WINDOWS\System32\keyhook.exe" [2003-10-30 14:09 249856]
"HTpatch"="C:\WINDOWS\htpatch.exe" [2003-03-27 15:50 28672]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-10 04:50 155648]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [ ]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-20 00:43 57344]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-03-09 19:15 155648]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 17:35 32768]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-16 00:56 1398024]
"TMRUBottedTray"="C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe" [2007-12-19 00:18 288088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

C:\Documents and Settings\Nanny\Start Menu\Programs\Startup\
WampServer.lnk - C:\webserver\wampmanager.exe [2007-02-18 18:07:00 1141760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI1"= SYNCOR11.DLL
"vidc.tscc"= tsccvid.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kava]
C:\WINDOWS\system32\kavo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tava]
C:\WINDOWS\system32\tavo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

R2 RUBotted;Trend Micro RUBotted Service;"C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe" [2007-12-19 00:18]
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe [2004-08-04 00:56]
R2 wampapache;wampapache;"C:\webserver\apache2\bin\httpd.exe" -k runservice []
R2 wampmysqld;wampmysqld;C:\webserver\mysql\bin\mysqld-nt.exe [2007-05-04 10:00]
R3 TMPassthruMP;TMPassthruMP;C:\WINDOWS\system32\DRIVERS\TMPassthru.sys [2007-11-27 22:51]
S3 bDMusicb;bDMusicb;C:\DOCUME~1\Nanny\LOCALS~1\Temp\bDMusicb.sys []
S3 TMPassthru;Trend Micro Passthru Ndis Service;C:\WINDOWS\system32\DRIVERS\TMPassthru.sys [2007-11-27 22:51]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7ada662-9b2d-11dc-ae31-000ea696053e}]
\Shell\AutoRun\command - F:\0wk2.cmd
\Shell\explore\Command - F:\0wk2.cmd
\Shell\open\Command - F:\0wk2.cmd

.
Contents of the 'Scheduled Tasks' folder
"2008-04-06 23:37:22 C:\WINDOWS\Tasks\User_Feed_Synchronization-{34DCFB12-058F-457A-BC92-871173ECA6DB}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-07 11:59:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\mqsvc.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\PROGRA~1\TRENDM~3\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
.
**************************************************************************
.
Completion time: 2008-04-07 12:09:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-07 02:08:23
Pre-Run: 26,519,838,720 bytes free
Post-Run: 26,633,809,920 bytes free
.
2008-03-12 09:31:14 --- E O F ---

And the Hijack This:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:47:13 PM, on 8/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\webserver\wampmanager.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\webserver\apache2\bin\httpd.exe
C:\webserver\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\mqsvc.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\webserver\apache2\bin\httpd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\TRENDM~3\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Nanny\My Documents\Downloads\tmicro\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hairbeautyjobs.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O3 - Toolbar: PayPal Toolbar - {C8390328-1270-436B-A76F-D85B0E8F3F34} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [TMRUBottedTray] "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: WampServer.lnk = C:\webserver\wampmanager.exe
O4 - Startup: WinMySQLadmin.lnk = C:\wamp\mysql\bin\winmysqladmin.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {4B521767-E7AC-453B-BC7A-58015434AAF5} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra 'Tools' menuitem: PayPal Help - {4B521767-E7AC-453B-BC7A-58015434AAF5} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra button: (no name) - {583A3218-0C83-473D-B2DF-C1A4C367166F} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra 'Tools' menuitem: PayPal TipJar Now Button - {583A3218-0C83-473D-B2DF-C1A4C367166F} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {92BBF3D3-5B26-4354-B814-D46EE2F6F9C5} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra 'Tools' menuitem: PayPal Donate Now Button - {92BBF3D3-5B26-4354-B814-D46EE2F6F9C5} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra button: (no name) - {D6993FBC-85E1-4CE2-BE1E-768B7D77AB40} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra 'Tools' menuitem: PayPal Buy Now Button - {D6993FBC-85E1-4CE2-BE1E-768B7D77AB40} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - {E4D60AD3-9F9F-42F7-BCC9-F1FF81B43267} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra 'Tools' menuitem: PayPal Subscribe Now Button - {E4D60AD3-9F9F-42F7-BCC9-F1FF81B43267} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Trend Micro RUBotted Service (RUBotted) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~3\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: wampapache - Apache Software Foundation - C:\webserver\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - C:\webserver\mysql\bin\mysqld-nt.exe

--
End of file - 9260 bytes

I don't know what to actually look for - it seems similar to me, is that correct?

#8 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,171 posts

Posted 08 April 2008 - 05:38 AM

How's it running now?



#9 webgirl

webgirl

    New Member

  • New Member
  • Pip
  • 10 posts

Posted 09 April 2008 - 02:38 AM

I still seem to have trouble with my task bar icons disappearing like the wamp one I use. After the first combofix it came back but now it has disappeared again. The system seems a little faster than it was though.

#10 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,171 posts

Posted 09 April 2008 - 02:55 PM

Are there any taskbar icons showing? Right-click on the taskbar and see what Properties shows.



#11 webgirl

webgirl

    New Member

  • New Member
  • Pip
  • 10 posts

Posted 10 April 2008 - 02:23 AM

Hi, it shows that it is a past item but still running. My Trend Micro still keeps getting errors and wanting to send reports all day. It said it had a Trojan from ComboFix and that it couldn't fix it. Now it seems to be playing up again. Do I start all over again? Thanks again for your help.

#12 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,171 posts

Posted 10 April 2008 - 09:20 AM

Right Click on the Taskbar> Properties> Make sure Auto-hide and Hide inactive don't have a check / tick mark.

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.



#13 webgirl

webgirl

    New Member

  • New Member
  • Pip
  • 10 posts

Posted 11 April 2008 - 02:46 AM

It won't work because I had to delete ComboFix because it had a Trojan in the files. Do I start from scratch again? I noticed in the Trend Micro Quarantine file is ff.exe but it won't let me delete it - it says another program is using it. Is there any way to delete it? Cheers, thanks.

#14 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,171 posts

Posted 11 April 2008 - 02:35 PM

Let's do this:

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Also "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.


#15 webgirl

webgirl

    New Member

  • New Member
  • Pip
  • 10 posts

Posted 11 April 2008 - 09:02 PM

I really appreciate your help.
The computer is still the same with the ff.exe in quarantine and the scan doesn't always complete because of errors.
I think I will uninstall the Trend Micro and try the AVG. I used to use Zone Alarm but I'm not sure if it is the best firewall.
Anyway, here is the result of the Anti-Malware; it didn't pick anything up:
Malwarebytes' Anti-Malware 1.11
Database version: 615

Scan type: Quick Scan
Objects scanned: 29883
Time elapsed: 8 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

And this is the HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:54:49 PM, on 12/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\webserver\wampmanager.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\webserver\apache2\bin\httpd.exe
C:\webserver\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\mqsvc.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\webserver\apache2\bin\httpd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\TRENDM~3\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Documents and Settings\Nanny\My Documents\Downloads\tmicro\HiJackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hairbeautyjobs.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O3 - Toolbar: PayPal Toolbar - {C8390328-1270-436B-A76F-D85B0E8F3F34} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [TMRUBottedTray] "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: WampServer.lnk = C:\webserver\wampmanager.exe
O4 - Startup: WinMySQLadmin.lnk = C:\wamp\mysql\bin\winmysqladmin.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {4B521767-E7AC-453B-BC7A-58015434AAF5} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra 'Tools' menuitem: PayPal Help - {4B521767-E7AC-453B-BC7A-58015434AAF5} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra button: (no name) - {583A3218-0C83-473D-B2DF-C1A4C367166F} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra 'Tools' menuitem: PayPal TipJar Now Button - {583A3218-0C83-473D-B2DF-C1A4C367166F} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {92BBF3D3-5B26-4354-B814-D46EE2F6F9C5} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra 'Tools' menuitem: PayPal Donate Now Button - {92BBF3D3-5B26-4354-B814-D46EE2F6F9C5} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra button: (no name) - {D6993FBC-85E1-4CE2-BE1E-768B7D77AB40} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra 'Tools' menuitem: PayPal Buy Now Button - {D6993FBC-85E1-4CE2-BE1E-768B7D77AB40} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - {E4D60AD3-9F9F-42F7-BCC9-F1FF81B43267} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra 'Tools' menuitem: PayPal Subscribe Now Button - {E4D60AD3-9F9F-42F7-BCC9-F1FF81B43267} - C:\Program Files\WebAssist\PayPal\PPBar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Trend Micro RUBotted Service (RUBotted) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~3\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: wampapache - Apache Software Foundation - C:\webserver\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - C:\webserver\mysql\bin\mysqld-nt.exe

--
End of file - 9366 bytes
Still seems to be the same.
Thanks again
