| Thread ID: 88075 | 2008-03-14 07:35:00 | HP Laptop - XP - Virus infected | justinsg (11165) | Press F1 |
| Post ID | Timestamp | User |
| 649396 | 2008-03-14 22:01:00 | Pancake (6359) |
You have a Vundo infection in your registry.... Ok. We need to download ComboFix.exe. This will give a better view to the files running and also hidden on your computer. Please visit this webpage for download links, and instructions for running the tool (www.bleepingcomputer.com). When the tool is finished, it will produce a report for you. Please post the "C:\ComboFix.txt" along with a new HijackThis log so that we can continue to do any further cleaning that your system may require.

Caution: Never run and remove files with Combofix unless supervised by a security analyst.
| 649397 | 2008-03-15 01:24:00 | justinsg (11165) |
I am currently working through the last two posts: downloading ComboFix and removing Norton. I have a question for Pancake: I don't have a floppy drive on this laptop (or a USB one), so do I need to install the XP Recovery Console? I have an HP restore partition which can restore my PC to its factory state.

NOTE: The version of Symantec I have is "Symantec Client Security 2006". Should I get rid of this and keep AVG? (These are the only two on my HD, not NOD32.)

Also, Spybot S&D just asked me this:
Category: System startup global entry
Change: Value Changed
Entry: BM499f8fde
Old Data: Rundll32.exe "C:WINDOWS\system32\tohaibcl.dll",s
New Data: Rundll32.exe "C:WINDOWS\system32\bcvgfuls.dll",s
Should I accept or deny?
| 649398 | 2008-03-15 02:57:00 | wainuitech (129) |
Norton is what could, as I mentioned before, be causing most of your problems; in fact you even said it yourself. Symantec has since disabled or crashed because it won't run a simple scan! You'll find when you remove Norton the PC should run a lot better - use that removal tool and it will do a better job of removing it.

It's also been mentioned a couple of times - ONLY 1 ANTIVIRUS.

AVG is crap - got a customer's PC in the workshop right now - it HAD AVG, which said it was clean - NOD is currently scanning and at 54% has located and deleted 19 infections.
| 649399 | 2008-03-15 05:50:00 | Pancake (6359) |
> I have a question for Pancake: I don't have a floppy drive on this laptop (or a USB one), so do I need to install the XP Recovery Console? I have an HP restore partition which can restore my PC to its factory state.

You won't need a disc of any kind. It's an automatic install. Just carry on and install the Recovery Console ..:thumbs:
| 649400 | 2008-03-15 22:44:00 | justinsg (11165) |
ComboFix 08-03-14.4 - Administrator 2008-03-16 12:26:17.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.738 [GMT 12:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
C:\WINDOWS\BM499f8fde.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\agagceil.dll
C:\WINDOWS\system32\bcvgfuls.dll
C:\WINDOWS\system32\bosuibfx.dll
C:\WINDOWS\system32\ceagcnbp.dll
C:\WINDOWS\system32\ctqgqvqd.dll
C:\WINDOWS\system32\gnfusxkk.dll
C:\WINDOWS\system32\kjkkj.ini
C:\WINDOWS\system32\kjkkj.ini2
C:\WINDOWS\system32\kkcgocno.dll
C:\WINDOWS\system32\mmdludsl.dll
C:\WINDOWS\system32\mnnmp.ini
C:\WINDOWS\system32\mnnmp.ini2
C:\WINDOWS\system32\nnnmp.ini
C:\WINDOWS\system32\nnnmp.ini2
C:\WINDOWS\system32\pmnnn.dll
C:\WINDOWS\system32\pstwa.ini
C:\WINDOWS\system32\pstwa.ini2
C:\WINDOWS\system32\svdpcqto.dll
C:\WINDOWS\system32\talbgpsa.dll
C:\WINDOWS\system32\tohiabcl.dll
C:\WINDOWS\system32\uepsbupt.dll
C:\WINDOWS\system32\urqronm.dll
C:\WINDOWS\system32\wpdxbwky.dll
C:\WINDOWS\system32\x64
.
((((((((((((((((((((((((( Files Created from 2008-02-16 to 2008-03-16 )))))))))))))))))))))))))))))))
.
2008-03-14 20:36 . 2008-03-14 20:36 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Alcatel PIMphony
2008-03-14 20:36 . 2008-03-14 20:36 <DIR> d-------- C:\Documents and Settings\Administrator\A4902Logs
2008-03-14 20:05 . 2008-03-14 20:05 <DIR> d-------- C:\Program Files\ESET
2008-03-14 20:05 . 2008-03-14 20:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-03-12 18:23 . 2004-08-03 22:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-03-12 18:23 . 2004-08-03 22:07 59,264 --a------ C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-03-12 18:14 . 2008-03-12 18:17 <DIR> d-------- C:\Program Files\Audacity
2008-03-12 14:13 . 2008-03-12 14:13 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-12 14:13 . 2008-03-12 14:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-12 13:04 . 2008-03-12 15:11 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-03-11 19:14 . 2008-03-11 19:14 <DIR> d-------- C:\MicrosoftSysinternals
2008-03-11 11:06 . 2008-03-15 13:03 <DIR> d-------- C:\Documents and Settings\user\Application Data\AVG7
2008-03-11 09:38 . 2008-03-11 09:38 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\AVG7
2008-03-11 09:31 . 2008-03-16 11:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-03-11 09:30 . 2008-03-11 09:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-11 09:30 . 2008-03-11 19:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-11 08:52 . 2008-03-11 08:52 <DIR> d-------- C:\user
2008-03-11 07:48 . 2008-03-11 09:29 1,318,043 --ahs---- C:\WINDOWS\system32\yaykissn.ini
2008-03-10 15:31 . 2008-03-11 07:47 1,317,923 --ahs---- C:\WINDOWS\system32\fdebcepe.ini
2008-03-10 12:14 . 2008-03-10 15:30 1,307,621 --ahs---- C:\WINDOWS\system32\dpqsgwjs.ini
2008-03-10 11:02 . 2008-03-10 11:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Suite
2008-03-10 10:49 . 2008-03-10 10:49 0 --a------ C:\WINDOWS\VPC32.INI
2008-03-10 09:39 . 2008-03-10 10:47 1,308,101 --ahs---- C:\WINDOWS\system32\bpfagtvl.ini
2008-03-07 07:53 . 2008-03-10 09:34 1,307,981 --ahs---- C:\WINDOWS\system32\uqcetapr.ini
2008-03-07 07:36 . 2008-03-07 07:50 1,306,977 --ahs---- C:\WINDOWS\system32\tijhtooy.ini
2008-03-06 10:15 . 2008-03-07 07:31 1,307,554 --ahs---- C:\WINDOWS\system32\sebuxihl.ini
2008-03-03 19:40 . 2008-03-03 19:40 <DIR> d-------- C:\Program Files\InterVideo Information Service
2008-03-03 19:40 . 2008-03-03 19:40 <DIR> d-------- C:\Program Files\Common Files\Ulead
2008-03-03 19:40 . 2006-05-11 17:41 654 --------- C:\WINDOWS\remove.iss
2008-03-03 19:39 . 2008-03-03 19:39 <DIR> d-------- C:\Program Files\Common Files\InterVideo
2008-03-02 15:53 . 2008-03-02 15:53 0 --a------ C:\WINDOWS\pcfriend.INI
2008-03-02 15:52 . 1999-09-28 03:15 78,848 --a------ C:\WINDOWS\system32\INLOADER.DLL
2008-02-29 19:07 . 2006-10-07 16:31 221,184 --a------ C:\WINDOWS\system32\rspencr330.ocx
2008-02-29 19:07 . 2004-11-14 04:27 212,992 --a------ C:\WINDOWS\system32\wodShellMenu.dll
2008-02-29 18:56 . 2008-02-29 18:56 <DIR> d-------- C:\Documents and Settings\user\Application Data\InstallShield Installation Information
2008-02-29 18:56 . 2008-02-29 18:56 <DIR> d-------- C:\Documents and Settings\user\Application Data\FirstClass
2008-02-29 18:56 . 2001-05-03 06:36 4,710 --a------ C:\WINDOWS\system32\fc.ico
2008-02-29 18:56 . 1996-02-26 18:15 2,528 --a------ C:\WINDOWS\FCIC.INI
2008-02-22 20:24 . 2008-03-15 18:19 <DIR> d-------- C:\Program Files\Mozilla Firefox 3 Beta 3
2008-02-22 20:21 . 2008-03-10 11:10 <DIR> d-------- C:\Program Files\CCleaner
2008-02-20 19:33 . 2008-02-20 19:37 <DIR> d-------- C:\Program Files\Pcsx2_0.9.4
2008-02-17 12:05 . 2008-03-11 19:03 <DIR> d-------- C:\Program Files\pebuilder3110a
2008-02-17 10:15 . 2008-02-17 10:16 <DIR> d-------- C:\Program Files\nLite
2008-02-16 12:32 . 2008-02-16 12:32 <DIR> d-------- C:\Program Files\Electronic Arts
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-15 22:18 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-03-15 01:04 --------- d-----w C:\Documents and Settings\user\Application Data\Alcatel PIMphony
2008-03-12 03:11 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-11 07:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-11 06:49 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-03 07:39 --------- d-----w C:\Program Files\InterVideo
2008-03-01 07:44 --------- d-----w C:\Documents and Settings\user\Application Data\dvdcss
2008-02-11 01:35 --------- d-----w C:\Program Files\Hewlett-Packard
2008-02-10 07:13 --------- d-----w C:\Documents and Settings\user\Application Data\Blueberry
2008-02-10 06:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Blueberry
2008-02-10 06:14 2,944 ----a-w C:\WINDOWS\system32\drivers\bbcap.sys
2008-02-10 06:14 --------- d-----w C:\Documents and Settings\user\Application Data\LogSys
2008-02-10 06:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogSys
2008-02-09 02:11 --------- d-----w C:\Program Files\Project64 1.6
2008-01-29 07:33 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-01-29 07:32 --------- d-----w C:\Program Files\Microsoft.NET
2008-01-29 07:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-29 07:26 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-01-24 08:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-01-24 08:20 --------- d-----w C:\Program Files\FileMaker
2008-01-24 08:04 --------- d-----w C:\Program Files\Java
2008-01-21 01:54 --------- d-----w C:\Documents and Settings\user\Application Data\MapInfo
2008-01-21 01:52 --------- d-----w C:\Documents and Settings\administrator.SPBL\Application Data\MapInfo
2008-01-21 01:49 --------- d-----w C:\Program Files\MapInfo
2008-01-21 01:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\MapInfo
2008-01-21 01:45 --------- d-----w C:\Documents and Settings\administrator.STAFF\Application Data\PC Suite
2008-01-20 05:52 --------- d-----w C:\Program Files\AnvSoft
2008-01-17 10:43 --------- d-----w C:\Program Files\Samsung
2008-01-17 10:42 --------- d-----w C:\Documents and Settings\user\Application Data\DataCast
2007-10-30 06:23 604 ---ha-w C:\Program Files\STLL Notifier
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-04-20 08:26 484904]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-01-06 04:36 872448]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2006-07-14 02:12 729088]
"PDF Complete"="C:\Program Files\PDF Complete\pdfsty.exe" [2007-05-09 03:38 331552]
"PTHOSTTR"="C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.exe" [2007-01-10 10:52 145184]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-13 01:36 827392]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-05-19 09:50 138008]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-05-19 09:50 162584]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-05-19 09:50 138008]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-05-12 08:21 472632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-05-03 11:17 163840]
"CognizanceTS"="C:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-23 05:12 17920]
"Recguard"="C:\WINDOWS\Sminst\Recguard.exe" [2005-12-21 11:51 1187840]
"Reminder"="C:\WINDOWS\Creator\Remind_XP.exe" [2006-03-10 12:38 806912]
"Scheduler"="C:\WINDOWS\SMINST\Scheduler.exe" [2006-10-10 06:23 697976]
"HP Software Update"="c:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 18:11 49152]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [2007-05-03 10:52 57344]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-05 01:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-05 01:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-05 01:00 455168]
"AccelerometerSysTrayApplet"="C:\WINDOWS\system32\AccelerometerSt.exe" [2007-01-24 14:28 124928]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 17:38 52840]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-03-14 19:49 125632]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-04-26 07:29 237568]
"MAAgent"="C:\Program Files\MarkAny\ContentSafer\MAAgent.exe" [2007-01-30 19:36 57344]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 21:16 39792]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 16:34 213936]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-11 09:42 579072]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-05 01:00 59392]
"Temporary Explorer FIX"="C:\WINDOWS\explorer.exe" [2007-06-13 22:23 1033216]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 07:21 1443072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-11 09:30 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 20:48 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\user\Start Menu\Programs\Startup\
PIMphony.lnk - C:\Program Files\Alcatel_PIMphony\aocphone.exe [2007-09-24 09:41:06 2844000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [2004-11-23 15:51 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
C:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=APSHook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-14 04:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\WINDOWS\\SMINST\\Scheduler.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Alcatel_PIMphony\\aocwiz.exe"=
"C:\\Program Files\\Alcatel_PIMphony\\uaproc.exe"=
"C:\\Program Files\\Alcatel_PIMphony\\abers.exe"=
"C:\\Program Files\\Alcatel_PIMphony\\appdiag\\appdiag.exe"=
"C:\\Program Files\\Alcatel_PIMphony\\aocphone.exe"=
"C:\\WINDOWS\\system32\\muzapp.exe"=
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"C:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=

R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2006-09-20 04:58]
S1 bbcap;bbcap;C:\WINDOWS\system32\DRIVERS\bbcap.sys [2008-02-10 18:14]
S1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-12-21 07:21]
S2 ASBroker;Logon Session Broker;C:\WINDOWS\System32\svchost.exe [2004-08-04 20:00]
S2 ASChannel;Local Communication Channel;C:\WINDOWS\System32\svchost.exe [2004-08-04 20:00]
S2 pdfcDispatcher;PDF Document Manager;C:\Program Files\PDF Complete\pdfsvc.exe [2007-05-09 03:38]
S2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2005-10-14 02:53]
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 07:05]
S3 PVSUSB;Parallels USB Device Driver;C:\WINDOWS\system32\Drivers\PvsUsb.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
Cognizance REG_MULTI_SZ ASBroker ASChannel

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-16 12:29:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0
**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\pdfcDispatcher]
"ImagePath"="C:\Program Files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
Completion time: 2008-03-16 12:31:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-16 00:31:23
.
2008-03-05 19:50:26 --- E O F ---
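The log above is the kind of evidence a helper reads by eye: eight-letter random DLL names directly under system32, large hidden+system (--ahs----) .ini files with the same naming style beside them, a Rundll32 autostart entry that loads one of those DLLs (the Spybot prompt earlier in the thread), and Security Center monitoring switched off. The following Python script is an added example written for this page, not code from the thread or from ComboFix, HijackThis or Spybot; it runs that triage over constructed sample lines modelled on the formats quoted here. The eight-letter heuristic, the 1 MB size threshold and the `KNOWN_GOOD_8LETTER` list are assumptions of this example, not the detection logic of any of those tools.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample modelled on the ComboFix, HijackThis and Spybot output
# quoted in the thread (not a real log from the poster's machine).
SAMPLE_LOG = r"""
C:\WINDOWS\system32\tohiabcl.dll
C:\WINDOWS\system32\bcvgfuls.dll
C:\WINDOWS\system32\igfxtray.exe
2008-03-11 07:48 . 2008-03-11 09:29 1,318,043 --ahs---- C:\WINDOWS\system32\yaykissn.ini
2008-03-12 18:23 . 2004-08-03 22:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-03-10 10:49 . 2008-03-10 10:49 0 --a------ C:\WINDOWS\VPC32.INI
O4 - HKLM\..\Run: [BM499f8fde] Rundll32.exe "C:\WINDOWS\system32\bcvgfuls.dll",s
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-05-19 09:50 138008]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-05-19 09:50 138008]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=APSHook.dll
"""

# Assumption of this example: a tiny stand-in for a real known-good list.
# Legitimate 8-letter DLLs exist in system32, so the name heuristic is only a
# "look closer" signal; a real triage would check a hash or signer instead.
KNOWN_GOOD_8LETTER = {"browseui", "iphlpapi", "wintrust"}

# Eight letters + .dll directly under system32 (the naming style of the files
# listed under "Other Deletions" in the thread).
SYSTEM32_DLL = re.compile(r'C:\\WINDOWS\\system32\\([A-Za-z]{8})\.dll', re.IGNORECASE)
# rundll32 autostart whose argument is a DLL in system32 (the Spybot prompt).
RUNDLL_LOAD = re.compile(r'rundll32(?:\.exe)?\s+"?(C:\\WINDOWS\\system32\\[^"]+?\.dll)"?,', re.IGNORECASE)
# ComboFix "Files Created" line: size, attribute string, path. Hidden+system
# .ini files of about 1.3 MB with random names sat beside the DLLs in the log.
HIDDEN_INI = re.compile(r'([\d,]+)\s+--ahs----\s+C:\\WINDOWS\\system32\\([A-Za-z]{8})\.ini', re.IGNORECASE)
REG_KEY = re.compile(r'^\[(HK[^\]]+)\]$')
DISABLE_MON = re.compile(r'"DisableMonitoring"=dword:0*1$', re.IGNORECASE)
HIDDEN_INI_MIN_SIZE = 1_000_000  # assumption: threshold chosen for this example


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" = act on it, "medium" = review by hand
    line: str
    reason: str


def scan_log(text: str) -> List[Finding]:
    """Walk the log line by line and collect the indicators described above."""
    findings: List[Finding] = []
    current_key = ""  # most recent [HKEY...] header, for context on value lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = REG_KEY.match(line)
        if key:
            current_key = key.group(1)
            continue
        m = RUNDLL_LOAD.search(line)
        if m:
            findings.append(Finding("high", line, f"rundll32 autostart loading {m.group(1)}"))
            continue
        m = HIDDEN_INI.search(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            if size >= HIDDEN_INI_MIN_SIZE:
                findings.append(Finding("high", line,
                                        f"hidden+system .ini of {size} bytes with random 8-letter name"))
                continue
        # Both real AV suites and malware set this; it is worth a look, not a verdict.
        if DISABLE_MON.search(line) and "security center" in current_key.lower():
            findings.append(Finding("medium", line, f"Security Center monitoring disabled under {current_key}"))
            continue
        for m in SYSTEM32_DLL.finditer(line):
            name = m.group(1)
            if name.islower() and name not in KNOWN_GOOD_8LETTER:
                findings.append(Finding("medium", line, f"8-letter random-looking DLL name: {name}.dll"))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per severity, e.g. {'high': 2, 'medium': 3}."""
    counts: dict = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(results))
```

The script deliberately separates the two kinds of signal: a Rundll32 autostart pointing at a random-named system32 DLL, or a hidden multi-megabyte .ini with the same naming, is reported as high, while a bare 8-letter name or a DisableMonitoring value is only queued for review, because both have legitimate causes on a normal XP install.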
| 649401 | 2008-03-15 23:17:00 | Pancake (6359) |
Ok. You should see an improvement after this...

Please copy this page to *Notepad* and save to your desktop for reference, as you will not have any browsers open while you are carrying out portions of these instructions. It's IMPORTANT to carry out the instructions in the sequence listed below.

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

Killall::

File::
C:\WINDOWS\system32\yaykissn.ini
C:\WINDOWS\system32\fdebcepe.ini
C:\WINDOWS\system32\dpqsgwjs.ini
C:\WINDOWS\system32\bpfagtvl.ini
C:\WINDOWS\system32\uqcetapr.ini
C:\WINDOWS\system32\tijhtooy.ini
C:\WINDOWS\system32\sebuxihl.ini

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsmqIntCert"=-

Save this as CFScript.txt, in the same location as ComboFix.exe, which is on the Desktop.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt. Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please.

*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall*
| 649402 | 2008-03-15 23:48:00 | |
ComboFix 08-03-14.4 - Administrator 2008-03-16 13:25:36.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.748 [GMT 12:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

FILE ::
C:\WINDOWS\system32\bpfagtvl.ini
C:\WINDOWS\system32\dpqsgwjs.ini
C:\WINDOWS\system32\fdebcepe.ini
C:\WINDOWS\system32\sebuxihl.ini
C:\WINDOWS\system32\tijhtooy.ini
C:\WINDOWS\system32\uqcetapr.ini
C:\WINDOWS\system32\yaykissn.ini
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\bpfagtvl.ini
C:\WINDOWS\system32\dpqsgwjs.ini
C:\WINDOWS\system32\fdebcepe.ini
C:\WINDOWS\system32\sebuxihl.ini
C:\WINDOWS\system32\tijhtooy.ini
C:\WINDOWS\system32\uqcetapr.ini
C:\WINDOWS\system32\yaykissn.ini
.
((((((((((((((((((((((((( Files Created from 2008-02-16 to 2008-03-16 )))))))))))))))))))))))))))))))
.
2008-03-14 20:36 . 2008-03-14 20:36 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Alcatel PIMphony
2008-03-14 20:36 . 2008-03-14 20:36 <DIR> d-------- C:\Documents and Settings\Administrator\A4902Logs
2008-03-14 20:05 . 2008-03-14 20:05 <DIR> d-------- C:\Program Files\ESET
2008-03-14 20:05 . 2008-03-14 20:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-03-12 18:23 . 2004-08-03 22:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-03-12 18:23 . 2004-08-03 22:07 59,264 --a------ C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-03-12 18:14 . 2008-03-12 18:17 <DIR> d-------- C:\Program Files\Audacity
2008-03-12 14:13 . 2008-03-12 14:13 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-12 14:13 . 2008-03-12 14:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-12 13:04 . 2008-03-12 15:11 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-03-11 19:14 . 2008-03-11 19:14 <DIR> d-------- C:\MicrosoftSysinternals
2008-03-11 11:06 . 2008-03-15 13:03 <DIR> d-------- C:\Documents and Settings\user\Application Data\AVG7
2008-03-11 09:38 . 2008-03-11 09:38 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\AVG7
2008-03-11 09:31 . 2008-03-16 11:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-03-11 09:30 . 2008-03-11 09:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-11 09:30 . 2008-03-11 19:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-11 08:52 . 2008-03-11 08:52 <DIR> d-------- C:\user
2008-03-10 11:02 . 2008-03-10 11:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Suite
2008-03-10 10:49 . 2008-03-10 10:49 0 --a------ C:\WINDOWS\VPC32.INI
2008-03-03 19:40 . 2008-03-03 19:40 <DIR> d-------- C:\Program Files\InterVideo Information Service
2008-03-03 19:40 . 2008-03-03 19:40 <DIR> d-------- C:\Program Files\Common Files\Ulead
2008-03-03 19:40 . 2006-05-11 17:41 654 --------- C:\WINDOWS\remove.iss
2008-03-03 19:39 . 2008-03-03 19:39 <DIR> d-------- C:\Program Files\Common Files\InterVideo
2008-03-02 15:53 . 2008-03-02 15:53 0 --a------ C:\WINDOWS\pcfriend.INI
2008-03-02 15:52 . 1999-09-28 03:15 78,848 --a------ C:\WINDOWS\system32\INLOADER.DLL
2008-02-29 19:07 . 2006-10-07 16:31 221,184 --a------ C:\WINDOWS\system32\rspencr330.ocx
2008-02-29 19:07 . 2004-11-14 04:27 212,992 --a------ C:\WINDOWS\system32\wodShellMenu.dll
2008-02-29 18:56 . 2008-02-29 18:56 <DIR> d-------- C:\Documents and Settings\user\Application Data\InstallShield Installation Information
2008-02-29 18:56 . 2008-02-29 18:56 <DIR> d-------- C:\Documents and Settings\user\Application Data\FirstClass
2008-02-29 18:56 . 2001-05-03 06:36 4,710 --a------ C:\WINDOWS\system32\fc.ico
2008-02-29 18:56 . 1996-02-26 18:15 2,528 --a------ C:\WINDOWS\FCIC.INI
2008-02-22 20:24 . 2008-03-15 18:19 <DIR> d-------- C:\Program Files\Mozilla Firefox 3 Beta 3
2008-02-22 20:21 . 2008-03-10 11:10 <DIR> d-------- C:\Program Files\CCleaner
2008-02-20 19:33 . 2008-02-20 19:37 <DIR> d-------- C:\Program Files\Pcsx2_0.9.4
2008-02-17 12:05 . 2008-03-11 19:03 <DIR> d-------- C:\Program Files\pebuilder3110a
2008-02-17 10:15 . 2008-02-17 10:16 <DIR> d-------- C:\Program Files\nLite
2008-02-16 12:32 . 2008-02-16 12:32 <DIR> d-------- C:\Program Files\Electronic Arts
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-16 01:31 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-03-15 01:04 --------- d-----w C:\Documents and Settings\user\Application Data\Alcatel PIMphony
2008-03-12 03:11 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-11 07:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-11 06:49 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-03 07:39 --------- d-----w C:\Program Files\InterVideo
2008-03-01 07:44 --------- d-----w C:\Documents and Settings\user\Application Data\dvdcss
2008-02-11 01:35 --------- d-----w C:\Program Files\Hewlett-Packard
2008-02-10 07:13 --------- d-----w C:\Documents and Settings\user\Application Data\Blueberry
2008-02-10 06:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Blueberry
2008-02-10 06:14 2,944 ----a-w C:\WINDOWS\system32\drivers\bbcap.sys
2008-02-10 06:14 --------- d-----w C:\Documents and Settings\user\Application Data\LogSys
2008-02-10 06:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogSys
2008-02-09 02:11 --------- d-----w C:\Program Files\Project64 1.6
2008-01-29 07:33 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-01-29 07:32 --------- d-----w C:\Program Files\Microsoft.NET
2008-01-29 07:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-29 07:26 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-01-24 08:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-01-24 08:20 --------- d-----w C:\Program Files\FileMaker
2008-01-24 08:04 --------- d-----w C:\Program Files\Java
2008-01-21 01:54 --------- d-----w C:\Documents and Settings\user\Application Data\MapInfo
2008-01-21 01:52 --------- d-----w C:\Documents and Settings\administrator.STAFF\Application Data\MapInfo
2008-01-21 01:49 --------- d-----w C:\Program Files\MapInfo
2008-01-21 01:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\MapInfo
2008-01-21 01:45 --------- d-----w C:\Documents and Settings\administrator.STAFF\Application Data\PC Suite
2008-01-20 05:52 --------- d-----w C:\Program Files\AnvSoft
2008-01-17 10:43 --------- d-----w C:\Program Files\Samsung
2008-01-17 10:42 --------- d-----w C:\Documents and Settings\user\Application Data\DataCast
2007-10-30 06:23 604 ---ha-w C:\Program Files\STLL Notifier
.
((((((((((((((((((((((((((((( snapshot@2008-03-16_12.31.13.96 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-15 23:19:05 83,788 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-16 00:50:49 83,788 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-15 23:19:05 461,396 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-16 00:50:49 461,396 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-04-20 08:26 484904]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-01-06 04:36 872448]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2006-07-14 02:12 729088]
"PDF Complete"="C:\Program Files\PDF Complete\pdfsty.exe" [2007-05-09 03:38 331552]
"PTHOSTTR"="C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.exe" [2007-01-10 10:52 145184]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-13 01:36 827392]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-05-19 09:50 138008]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-05-19 09:50 162584]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-05-19 09:50 138008]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-05-12 08:21 472632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-05-03 11:17 163840]
"CognizanceTS"="C:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-23 05:12 17920]
"Recguard"="C:\WINDOWS\Sminst\Recguard.exe" [2005-12-21 11:51 1187840]
"Reminder"="C:\WINDOWS\Creator\Remind_XP.exe" [2006-03-10 12:38 806912]
"Scheduler"="C:\WINDOWS\SMINST\Scheduler.exe" [2006-10-10 06:23 697976]
"HP Software Update"="c:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 18:11 49152]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [2007-05-03 10:52 57344]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-05 01:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-05 01:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-05 01:00 455168]
"AccelerometerSysTrayApplet"="C:\WINDOWS\system32\AccelerometerSt.exe" [2007-01-24 14:28 124928]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 17:38 52840]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-03-14 19:49 125632]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-04-26 07:29 237568]
"MAAgent"="C:\Program Files\MarkAny\ContentSafer\MAAgent.exe" [2007-01-30 19:36 57344]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 21:16 39792]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 16:34 213936]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-11 09:42 579072]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-05 01:00 59392]
"Temporary Explorer FIX"="C:\WINDOWS\explorer.exe" [2007-06-13 22:23 1033216]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 07:21 1443072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-11 09:30 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 20:48 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\user\Start Menu\Programs\Startup\
PIMphony.lnk - C:\Program Files\Alcatel_PIMphony\aocphone.exe [2007-09-24 09:41:06 2844000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [2004-11-23 15:51 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
C:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=APSHook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-14 04:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\WINDOWS\\SMINST\\Scheduler.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Alcatel_PIMphony\\aocwiz.exe"=
"C:\\Program Files\\Alcatel_PIMphony\\uaproc.exe"=
"C:\\Program Files\\Alcatel_PIMphony\\abers.exe"=
"C:\\Program Files\\Alcatel_PIMphony\\appdiag\\appdiag.exe"=
"C:\\Program Files\\Alcatel_PIMphony\\aocphone.exe"=
"C:\\WINDOWS\\system32\\muzapp.exe"=
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"C:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=

R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2006-09-20 04:58]
S1 bbcap;bbcap;C:\WINDOWS\system32\DRIVERS\bbcap.sys [2008-02-10 18:14]
S1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-12-21 07:21]
S2 ASBroker;Logon Session Broker;C:\WINDOWS\System32\svchost.exe [2004-08-04 20:00]
S2 ASChannel;Local Communication Channel;C:\WINDOWS\System32\svchost.exe [2004-08-04 20:00]
S2 pdfcDispatcher;PDF Document Manager;C:\Program Files\PDF Complete\pdfsvc.exe [2007-05-09 03:38]
S2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2005-10-14 02:53]
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 07:05]
S3 PVSUSB;Parallels USB Device Driver;C:\WINDOWS\system32\Drivers\PvsUsb.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
Cognizance REG_MULTI_SZ ASBroker ASChannel

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-16 13:37:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0
**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\pdfcDispatcher]
"ImagePath"="C:\Program Files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
Completion time: 2008-03-16 13:39:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-16 01:39:55
ComboFix2.txt 2008-03-16 00:31:26
.
2008-03-05 19:50:26 --- E O F ---

----------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:30:01 p.m., on 14/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..
\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4 . exe /tray O4 - HKLM\ . . \Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty . exe" O4 - HKLM\ . . \Run: [PTHOSTTR] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR . EXE /Start O4 - HKLM\ . . \Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh . exe O4 - HKLM\ . . \Run: [IgfxTray] C:\WINDOWS\system32\igfxtray . exe O4 - HKLM\ . . \Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd . exe O4 - HKLM\ . . \Run: [Persistence] C:\WINDOWS\system32\igfxpers . exe O4 - HKLM\ . . \Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain . exe O4 - HKLM\ . . \Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1 . 6 . 0_03\bin\jusched . exe" O4 - HKLM\ . . \Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl . exe /Start O4 - HKLM\ . . \Run: [CognizanceTS] rundll32 . exe C:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC . dll,RegisterM odule O4 - HKLM\ . . \Run: [Recguard] C:\WINDOWS\Sminst\Recguard . exe O4 - HKLM\ . . \Run: [Reminder] C:\WINDOWS\Creator\Remind_XP . exe O4 - HKLM\ . . \Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler . exe O4 - HKLM\ . . \Run: [HP Software Update] c:\Program Files\Hp\HP Software Update\HPWuSchd2 . exe O4 - HKLM\ . . \Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset . exe O4 - HKLM\ . . \Run: [IMJPMIG8 . 1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG . EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\ . . \Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP . EXE /SYNC O4 - HKLM\ . . \Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP . EXE /IMEName O4 - HKLM\ . . \Run: [AccelerometerSysTrayApplet] C:\WINDOWS\system32\AccelerometerSt . exe O4 - HKLM\ . . \Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp . exe" O4 - HKLM\ . . \Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray . exe O4 - HKLM\ . . \Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1 . 
EXE -startup O4 - HKLM\ . . \Run: [MAAgent] C:\Program Files\MarkAny\ContentSafer\MAAgent . exe O4 - HKLM\ . . \Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8 . 0\Reader\Reader_sl . exe" O4 - HKLM\ . . \Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM . exe" -scheduler O4 - HKLM\ . . \Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc . exe /STARTUP O4 - HKLM\ . . \Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst . exe /SYNC O4 - HKLM\ . . \Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui . exe" /hide /waitservice O4 - HKCU\ . . \Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel . exe -hidden O4 - HKCU\ . . \Run: [ctfmon . exe] C:\WINDOWS\system32\ctfmon . exe O4 - HKUS\S-1-5-20\ . . \Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw . exe /RUNONCE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\ . . \Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw . exe /RUNONCE (User 'SYSTEM') O4 - HKUS\S-1-5-18\ . . \RunOnce: [RunNarrator] Narrator . exe (User 'SYSTEM') O4 - HKUS\ . DEFAULT\ . . \Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw . exe /RUNONCE (User 'Default user') O4 - HKUS\ . DEFAULT\ . . \RunOnce: [RunNarrator] Narrator . exe (User 'Default user') O4 - Global Startup: Bluetooth . lnk = ? O8 - Extra context menu item: Send to &Bluetooth Device . . . - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx . htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1 . 6 . 0_03\bin\ssv . dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1 . 6 . 0_03\bin\ssv . dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR . DLL O9 - Extra button: @btrez . dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie . 
htm O9 - Extra 'Tools' menuitem: @btrez . dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie . htm O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper . dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper . dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag . exe O9 - Extra 'Tools' menuitem: @xpsp3res . dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag . exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs . exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs . exe O14 - IERESET . INF: START_PAGE_URL=http://www . hp . com O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = staff . co . nz O17 - HKLM\Software\ . . \Telephony: DomainName = staff . co . nz O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = staff . co . nz O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = staff . co . nz O20 - AppInit_DLLs: APSHook . dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc . exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s . r . o . - C:\PROGRA~1\Grisoft\AVG7\avgamsvr . exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s . r . o . - C:\PROGRA~1\Grisoft\AVG7\avgupsvc . exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation . - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins . exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr . 
exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr . exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch . exe O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv . exe O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn . exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService . exe O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L . P . - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex . exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT . exe O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr . exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc . exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1 . EXE O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel . exe O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc . exe O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9 . 0\SharedCOM\RoxMediaDB9 . exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam . exe O23 - Service: ServiceLayer - Nokia . - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer . exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc . 
exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc . exe O23 - Service: stllssvr - MicroVision Development, Inc . - c:\Program Files\Common Files\SureThing Shared\stllssvr . exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan . exe -- End of file - 9415 bytes |
justinsg (11165) | ||
| 649403 | 2008-03-16 00:04:00 | Just these last main bits to fix and you are done.....

Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes. Confirm that you have only the listed ones checked, then press <Fix checked> and Close HJT.

O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll

Reboot.......

=====================================

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions. It's IMPORTANT to carry out the instructions in the sequence listed below.

1. Close any open browsers.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

Killall::
File::
C:\WINDOWS\VPC32.INI
C:\WINDOWS\pcfriend.INI

Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.

users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt. Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please.

*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall* |
Pancake (6359) | ||
| 649404 | 2008-03-16 01:09:00 | OK, done that: [to make this post more readable I have uploaded the log files to a web server] Here are the links: justinsgfiles.freehostia.com justinsgfiles.freehostia.com |
justinsg (11165) | ||
| 649405 | 2008-03-16 01:19:00 | Ok. That's it. You are all cleaned.... done. :D

This will clear away any of the files and folders that were created by ComboFix. Go to: Start > Run then copy and paste the following highlighted text below and click OK.

ComboFix /u |
Pancake (6359) | ||