Jump to content


Photo

Trojans and Spyware


  • Please log in to reply
30 replies to this topic

#1 rocketdude1234

rocketdude1234

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 11 June 2007 - 07:07 PM

Hey guys, i ran spybot and it picked up a few things, i also ran hijackthis and ill post the log in the blog
Ill also post a silent runner log file below


Logfile of HijackThis v1.99.1
Scan saved at 7:06:00 PM, on 6/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\Rar$EX00.797\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netsc...com/aimhome.adp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CVirtualDNSObj Object - {86C510E9-97EF-4749-914F-0280247BE3A6} - C:\WINDOWS\VirtualDNS.dll (file missing)
O2 - BHO: H - {C9905EF0-610F-4404-9030-A3F345D069F5} - C:\WINDOWS\system32\comi.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/z...s/heartbeat.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"AIM" = "C:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" ["ALWIL Software"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{86C510E9-97EF-4749-914F-0280247BE3A6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "CVirtualDNSObj Object"
\InProcServer32\(Default) = "C:\WINDOWS\VirtualDNS.dll" [file not found]
{C9905EF0-610F-4404-9030-A3F345D069F5}\(Default) = (no title provided)
-> {HKLM...CLSID} = "H"
\InProcServer32\(Default) = "C:\WINDOWS\system32\comi.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
-> {HKLM...CLSID} = "RecordNow! SendToExt"
\InProcServer32\(Default) = "c:\Program Files\Sonic RecordNow!\shlext.dll" [null data]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MI1933~1\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MI1933~1\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "SampleView"
-> {HKLM...CLSID} = "SampleView"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{20082881-FC36-4E47-9A7A-644C95FF749F}" = "IntelliPoint Wireless Control Panel Property Page"
-> {HKLM...CLSID} = "Wireless Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplwir.dll"" [MS]
"{AF90F543-6A3A-4C1B-8B16-ECEC073E69BE}" = "IntelliPoint Wheel Control Panel Property Page"
-> {HKLM...CLSID} = "Wheel Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplwhl.dll"" [MS]
"{653DCCC2-13DB-45B2-A389-427885776CFE}" = "IntelliPoint Activities Control Panel Property Page"
-> {HKLM...CLSID} = "Activities Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplact.dll"" [MS]
"{124597D8-850A-41AE-849C-017A4FA99CA2}" = "IntelliPoint Buttons Control Panel Property Page"
-> {HKLM...CLSID} = "Buttons Property Page"
\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplbtn.dll"" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{C539A15A-3AF9-4c92-B771-50CB78F5C751}" = "Acronis True Image Shell Context Menu Extension"
-> {HKLM...CLSID} = "Acronis True Image Shell Context Menu Extension"
\InProcServer32\(Default) = "C:\Program Files\Acronis\TrueImageHome\tishell.dll" ["Acronis"]
"{C539A15B-3AF9-4c92-B771-50CB78F5C751}" = "Acronis True Image Shell Extension"
-> {HKLM...CLSID} = "Acronis True Image Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Acronis\TrueImageHome\tishell.dll" ["Acronis"]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
<<!>> "Userinit" = "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe," [MS], [null data]

HKLM\System\CurrentControlSet\Control\SecurityProviders\
<<!>> ("zwebauth.dll" [MS]) "SecurityProviders" = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoViewOnDrive" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{Prevent access to registry editing tools}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Scheduled Tasks:
------------------------

"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDetect.exe" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{014DA6CE-189F-421A-88CD-07CFE51CFF10}\(Default) = "iMesh Bar Quick View"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_04"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Acronis Scheduler2 Service, AcrSch2Svc, ""C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe"" ["Acronis"]
Atheros Configuration Service, ACS, "C:\WINDOWS\system32\acs.exe" [null data]
avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" ["ALWIL Software"]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" ["ALWIL Software"]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\system32\HPZipm12.exe" ["HP"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
EPSON Stylus CX4600 Series 2KMonitor5A\Driver = "E_FLM9AA.DLL" ["SEIKO EPSON CORPORATION"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]
PCL Language Monitor\Driver = "hpz3l3xu.dll" ["Hewlett-Packard Company"]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 47 seconds, including 5 seconds for message boxes)

#2 SWI Support Robot

SWI Support Robot

    Helper robot

  • SWI Bot
  • PipPipPipPipPip
  • 23,520 posts

Posted 14 June 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 miekiemoes

miekiemoes

    Malware Expert

  • Global Moderator
  • PipPipPipPipPip
  • 20,026 posts

Posted 16 June 2007 - 01:14 AM

Hello,

* Download Combofix to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#4 rocketdude1234

rocketdude1234

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 20 June 2007 - 01:37 PM

ComboFix 07-06-18.2 - C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
"HP_Owner" - 2007-06-20 13:29:27 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\{32F76~1
C:\Program Files\Common Files\{72F76~2
C:\Program Files\Common Files\icroso~1.net
C:\Program Files\winupdate
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\boa.dat
C:\WINDOWS\system32\mcroso~1
C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\stem32~1
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2007-05-20 to 2007-06-20 )))))))))))))))))))))))))))))))


2007-06-20 13:28 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-13 12:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Acronis
2007-06-04 19:53 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-06-04 19:53 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-04 19:53 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-04 19:53 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-06-04 19:53 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-06-04 19:53 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-06-04 19:52 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-06-04 19:52 <DIR> d-------- C:\Program Files\Alwil Software
2007-06-03 19:49 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-06-03 18:31 12 --a------ C:\WINDOWS\system32\sl.bin
2007-06-03 18:30 12 --a------ C:\WINDOWS\system32\gtv_sd.bin
2007-06-02 09:13 <DIR> d-------- C:\spoolerlogs
2007-06-01 16:02 4,456,448 --a------ C:\DOCUME~1\HP_Owner\ntuser.dat
2007-05-28 18:02 1 --a------ C:\WINDOWS\system32\ps.dat


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-05 16:25:20 17,466 ----a-w C:\DOCUME~1\HP_Owner\APPLIC~1\wklnhst.dat
2005-04-24 10:17:15 56 --sh--r C:\WINDOWS\system32\027CE54B39.sys
2005-04-24 10:17:15 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 17:17]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Norton GoBack.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Norton GoBack.lnk
backup=C:\WINDOWS\pss\Norton GoBack.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^svchost.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
backup=C:\WINDOWS\pss\svchost.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^HP Organize.lnk]
path=C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup=C:\WINDOWS\pss\HP Organize.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^Think-Adz.lnk]
path=C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\Think-Adz.lnk
backup=C:\WINDOWS\pss\Think-Adz.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!ewido]
"C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1pop06apelt3]
C:\WINDOWS\octeltpop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\abvb97fa]
RUNDLL32.EXE w03aa2ec.dll,n 006b97f40000000203aa2ec

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
"C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTBar]
c:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
C:\Program Files\Toshiba\MediaSource\Detector\CTDetect.exe /R

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
C:\Program Files\Toshiba\TOSHIBA Multimedia Center\Surround Mixer\CTSysVol.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
C:\Program Files\dvd43\dvd43_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ejuz]
C:\Program Files\Common Files\?icrosoft.NET\services.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX4600 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB001" /M "Stylus CX4600"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
C:\WINDOWS\system32\rwinroem.exe ELT001

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
"C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
HDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Install.exe]
C:\WINDOWS\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
"C:\Program Files\Microsoft IntelliPoint\point32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IpWins]
C:\Program Files\ipwins\ipwins.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton SystemWorks]
"C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\p2pnetworking]
p2pnetworking.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\regcmdcons]
c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
"C:\Windows\Creator\Remind_XP.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteCenter]
C:\Program Files\Toshiba\MediaSource\RemoteControl\RcMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SbUsb AudCtrl]
RunDll32 sbusbdll.dll,RCMonitor

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI]
MIDIDef.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Srro]
"C:\DOCUME~1\HP_Owner\APPLIC~1\DOBE~1\tracert.exe" -vt yazb

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sys022881659019]
C:\WINDOWS\sys022881659019.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TheMonitor]
C:\WINDOWS\Duce6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ToolbarInstall]
C:\WINDOWS\MirarSetup_876057.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ukif]
C:\PROGRA~1\COMMON~1\ukif\ukifm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
C:\Program Files\webHancer\Programs\whagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\win32089019288165]
C:\WINDOWS\win32089019288165.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winupdate]
C:\Program Files\winupdate\winupdate.exe /auto

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{76-67-7C-CE-ZN}]
c:\windows\system32\dwdsregt.exe ELT001

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SymWSC"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SBService"=2 (0x2)
"SAVScan"=3 (0x3)
"ose"=3 (0x3)
"NPFMntor"=2 (0x2)
"MDM"=2 (0x2)
"LiveUpdate"=3 (0x3)
"GBPoll"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"navapsvc"=2 (0x2)
"LightScribeService"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"ewido anti-spyware 4.0 guard"=2 (0x2)
"Symantec Core LC"=2 (0x2)
"Speed Disk service"=2 (0x2)
"SNDSrvc"=3 (0x3)
"NVSvc"=2 (0x2)
"NProtectService"=2 (0x2)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"AVG Anti-Spyware Guard"=2 (0x2)
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
AutoRun\command- D:\setup.exe


Contents of the 'Scheduled Tasks' folder
2007-06-20 18:29:00 C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-20 13:34:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-20 13:34:54 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-20 13:34

--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 1:37:00 PM, on 6/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\Rar$EX00.563\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/z...s/heartbeat.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

#5 miekiemoes

miekiemoes

    Malware Expert

  • Global Moderator
  • PipPipPipPipPip
  • 20,026 posts

Posted 20 June 2007 - 01:53 PM

Hi,

Ehm, is there any reason why you disabled your Avast via msconfig? How are you supposed to protect your system from malware if you disable your Antivirus protection? If it was enabled, then you wouldn't get infected in the first place...
I also see you have Norton/Symantec disabled. So this means that you have 2 Antivirus installed.
Never install more than one Antivirus
More than one Antivirus installed are not compatible with eachother, it can cause system performance problems and a serious system slowdown. Even though you have disabled them, you just cannot have two Antivirus.

So you have to make a decision here and keep the Antivirus you prefer and uninstall the other one.
Enable the Antivirus from msconfig you want to keep.

I also see you disabled a lot of malware related entries via msconfig as well. Malware related entries should get deleted, not disabled. Because you disabled them, they wouldn't show in HIjackThis, so for me it difficult to see what was disabled/present. Anyway, I can see it via your combofix log now and we'll delete the malware related entries as well afterwards..

Also, I see references to some outdated programs as well, so in this case, uninstall Ewido and uninstall Microsoft Antispyware. We'll remove the references to them via a regfix too, because uninstalling a program won't delete the registry keys under msconfig.

Then reboot after uninstalling and enabling your Antivirus through msconfig

After reboot,

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\sl.bin
C:\WINDOWS\system32\gtv_sd.bin

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^svchost.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^TA_Start.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^Think-Adz.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!ewido]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1pop06apelt3]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\abvb97fa]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ejuz]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Install.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IpWins]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\p2pnetworking]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Srro]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sys022881659019]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TheMonitor]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ToolbarInstall]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ukif]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\win32089019288165]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winupdate]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{76-67-7C-CE-ZN}]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ewido anti-spyware 4.0 guard"=-


Save this as ComboFix-Do.txt

Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#6 rocketdude1234

rocketdude1234

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 22 June 2007 - 03:07 PM

ComboFix 07-06-18.2 - C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
"HP_Owner" - 2007-06-22 15:03:25 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\HP_Owner\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\sl.bin
C:\WINDOWS\system32\stfv.bin


((((((((((((((((((((((((( Files Created from 2007-05-22 to 2007-06-22 )))))))))))))))))))))))))))))))


2007-06-20 13:28 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-13 12:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Acronis
2007-06-04 19:53 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-06-04 19:53 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-04 19:53 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-04 19:53 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-06-04 19:53 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-06-04 19:53 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-06-04 19:52 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-06-04 19:52 <DIR> d-------- C:\Program Files\Alwil Software
2007-06-02 09:13 <DIR> d-------- C:\spoolerlogs
2007-06-01 16:02 4,456,448 --a------ C:\DOCUME~1\HP_Owner\ntuser.dat
2007-05-28 18:02 1 --a------ C:\WINDOWS\system32\ps.dat


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-05 16:25:20 17,466 ----a-w C:\DOCUME~1\HP_Owner\APPLIC~1\wklnhst.dat
2005-04-24 10:17:15 56 --sh--r C:\WINDOWS\system32\027CE54B39.sys
2005-04-24 10:17:15 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 17:17]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:00]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Norton GoBack.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Norton GoBack.lnk
backup=C:\WINDOWS\pss\Norton GoBack.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^HP Organize.lnk]
path=C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup=C:\WINDOWS\pss\HP Organize.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
"C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTBar]
c:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
C:\Program Files\Toshiba\MediaSource\Detector\CTDetect.exe /R

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
C:\Program Files\Toshiba\TOSHIBA Multimedia Center\Surround Mixer\CTSysVol.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
C:\Program Files\dvd43\dvd43_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX4600 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB001" /M "Stylus CX4600"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
HDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
"C:\Program Files\Microsoft IntelliPoint\point32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton SystemWorks]
"C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\regcmdcons]
c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
"C:\Windows\Creator\Remind_XP.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteCenter]
C:\Program Files\Toshiba\MediaSource\RemoteControl\RcMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SbUsb AudCtrl]
RunDll32 sbusbdll.dll,RCMonitor

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI]
MIDIDef.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SymWSC"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SBService"=2 (0x2)
"SAVScan"=3 (0x3)
"ose"=3 (0x3)
"NPFMntor"=2 (0x2)
"MDM"=2 (0x2)
"LiveUpdate"=3 (0x3)
"GBPoll"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"navapsvc"=2 (0x2)
"LightScribeService"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"Symantec Core LC"=2 (0x2)
"Speed Disk service"=2 (0x2)
"SNDSrvc"=3 (0x3)
"NVSvc"=2 (0x2)
"NProtectService"=2 (0x2)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"AVG Anti-Spyware Guard"=2 (0x2)
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
AutoRun\command- D:\setup.exe


Contents of the 'Scheduled Tasks' folder
2007-06-22 20:04:00 C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-22 15:05:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-22 15:05:56
C:\ComboFix-quarantined-files.txt ... 2007-06-22 15:05
C:\ComboFix2.txt ... 2007-06-20 13:34

--- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 3:07:22 PM, on 6/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\Rar$EX00.797\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/z...s/heartbeat.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

#7 miekiemoes

miekiemoes

    Malware Expert

  • Global Moderator
  • PipPipPipPipPip
  • 20,026 posts

Posted 22 June 2007 - 03:16 PM

Why are you disabling your Antivirus?
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#8 rocketdude1234

rocketdude1234

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 22 June 2007 - 06:29 PM

i will fix it after i need to get rid of the stuff.

#9 miekiemoes

miekiemoes

    Malware Expert

  • Global Moderator
  • PipPipPipPipPip
  • 20,026 posts

Posted 23 June 2007 - 12:34 AM

But you can get reinfected again. If infected and people disable their antivirus, nothing will prevent the malware still present for downloading new malware... so we are just running around in circles.

You may want to read this:
Top Ten excuses why people don't want to secure their computer and why they are wrong

Delete the C:\Qoobox folder.

Then, Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u1.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u1".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
Post a new HijackThislog in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#10 miekiemoes

miekiemoes

    Malware Expert

  • Global Moderator
  • PipPipPipPipPip
  • 20,026 posts

Posted 02 July 2007 - 05:57 PM

Due to the lack of feedback, this Topic is closed.
[Reopened]

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#11 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 23 July 2007 - 06:53 PM

Reopened at request of topic owner.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#12 miekiemoes

miekiemoes

    Malware Expert

  • Global Moderator
  • PipPipPipPipPip
  • 20,026 posts

Posted 24 July 2007 - 12:45 AM

Hi,

We are one month later and you asked to reopen your thread. Normally, when you get reinfected after a certain period of time, we request to start a new thread, not reopening an existing thread, because that wouldn't be fair towards others.
So, since you asked to reopen this thread again, I assume it's not because you got reinfected.

Please let me know in your next reply what problems are still present since 1 month ago.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#13 rocketdude1234

rocketdude1234

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 24 July 2007 - 11:47 AM

I didnt fully fix the problem, i haven't been on my desktop in a month and im just getting it back up. Sorry that i did that i was busy.

Here is the HJT logfile you asked for.
Logfile of HijackThis v1.99.1
Scan saved at 11:47:14 AM, on 7/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\Rar$EX00.782\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/z...s/heartbeat.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

#14 miekiemoes

miekiemoes

    Malware Expert

  • Global Moderator
  • PipPipPipPipPip
  • 20,026 posts

Posted 24 July 2007 - 11:56 AM

What problems are you still having? Because I can't see anything suspicious in your log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#15 rocketdude1234

rocketdude1234

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 24 July 2007 - 12:05 PM

Im getting really terrible lag, in just about anything i do.......The folder "Qoobox" re-appeared this morning when i started my computer also.

Its the lag thats worrying me, It lags really bad. I cant seem to have more than one prog running now because of the lag it will cause any other progs to slow down to basically a stand still.

I have pc doctor and it doesnt tell me anything wrong hardware wise so i dont know what else it could be.

I really appreciate your help with this.

#16 miekiemoes

miekiemoes

    Malware Expert

  • Global Moderator
  • PipPipPipPipPip
  • 20,026 posts

Posted 24 July 2007 - 12:19 PM

The folder Qoobox was a part of Combofix, so I assume you have been running Combofix again.

Take a look here about slow computers:
Help! My computer is slow!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#17 rocketdude1234

rocketdude1234

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 24 July 2007 - 12:36 PM

Yes i did run it again. I looked over the link and couldnt see anything that applies. I try to keep my computer clean and free from clutter. There are a few programs that i dont use anymore that can be deleted but none of them are new.

The programs that exist on my computer have been here for awhile. Thats what makes me think its a virus or malware.

I will remove the progs i dont need. But i am almost 100% sure that it wont stop it from doing what it's been doing.

I've got 250 GB on my C drive and 70GB on my backup drive. On the main hd i have 171GB free. I have 1.0GB SDRAM and a 3.2GHZ P4.

Any other suggestions?

#18 miekiemoes

miekiemoes

    Malware Expert

  • Global Moderator
  • PipPipPipPipPip
  • 20,026 posts

Posted 24 July 2007 - 12:42 PM

What exactly is hogging all the CPU?

Anyway, delete the version of Combofix you were having and download this version:
http://download.blee...ta/ComboFix.exe
This should show what has been modified/added/changed recently so maybe we can find the culprit what is causing this. Keep in mind, it's not always malware causing this. :)

Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt.
Post the contents of this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#19 rocketdude1234

rocketdude1234

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 24 July 2007 - 12:54 PM

"HP_Owner" - 2007-07-24 12:46:12 [GMT -5:00] - ComboFix 07-07-24.5 - Service Pack 2 NTFS
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\IA
C:\WINDOWS\system32\zxdnt3d.cfg


((((((((((((((((((((((((( Files Created from 2007-06-24 to 2007-07-24 )))))))))))))))))))))))))))))))


2007-07-23 12:58 82,258 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-07-23 12:58 82,258 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-07-23 12:58 7,200 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-07-23 12:58 2,831,392 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-24 00:07:03 39,680 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-07-24 00:07:03 1,508 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-06-17 05:11:58 51,200 ----a-w C:\WINDOWS\nircmd.exe
2007-06-05 16:25:20 17,466 ----a-w C:\DOCUME~1\HP_Owner\APPLIC~1\wklnhst.dat
2007-06-04 01:18:02 6,144 -csha-w C:\WINDOWS\system32\drivers\Thumbs.db
2007-06-03 23:30:54 801 -c--a-w C:\WINDOWS\system32\drivers\system_stable_header_small.gif
2007-06-03 23:30:54 567 -c--a-w C:\WINDOWS\system32\drivers\users_rating.gif
2007-06-03 23:30:54 291 -c--a-w C:\WINDOWS\system32\drivers\v.gif
2007-06-03 23:30:54 283 -c--a-w C:\WINDOWS\system32\drivers\x.gif
2007-06-03 23:30:54 1,636 -c--a-w C:\WINDOWS\system32\drivers\system_stable_header.gif
2007-06-03 23:30:53 6,533 -c--a-w C:\WINDOWS\system32\drivers\system_stable_box_small.jpg
2007-06-03 23:30:53 579 -c--a-w C:\WINDOWS\system32\drivers\spy_away_header_small.gif
2007-06-03 23:30:53 5,097 -c--a-w C:\WINDOWS\system32\drivers\spy_away_box_small.jpg
2007-06-03 23:30:53 15,075 -c--a-w C:\WINDOWS\system32\drivers\system_stable_box.jpg
2007-06-03 23:30:53 1,139 -c--a-w C:\WINDOWS\system32\drivers\spy_away_header.gif
2007-06-03 23:30:52 841 -c--a-w C:\WINDOWS\system32\drivers\perfect_cleaner_header_small.gif
2007-06-03 23:30:52 14,484 -c--a-w C:\WINDOWS\system32\drivers\protect.gif
2007-06-03 23:30:52 13,618 -c--a-w C:\WINDOWS\system32\drivers\spy_away_box.jpg
2007-06-03 23:30:52 1,804 -c--a-w C:\WINDOWS\system32\drivers\perfect_cleaner_header.gif
2007-06-03 23:30:51 737 -c--a-w C:\WINDOWS\system32\drivers\logo_bg.gif
2007-06-03 23:30:51 580 -c--a-w C:\WINDOWS\system32\drivers\features.gif
2007-06-03 23:30:51 4,557 -c--a-w C:\WINDOWS\system32\drivers\perfect_cleaner_box_small.jpg
2007-06-03 23:30:51 3,099 -c--a-w C:\WINDOWS\system32\drivers\logo.gif
2007-06-03 23:30:51 10,260 -c--a-w C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
2007-06-03 23:30:50 811 -c--a-w C:\WINDOWS\system32\drivers\download_btn.gif
2007-06-03 23:30:50 746 -c--a-w C:\WINDOWS\system32\drivers\buy_btn.gif
2007-06-03 23:30:50 50,250 -c--a-w C:\WINDOWS\system32\drivers\pt.htm
2007-06-03 23:30:50 427 -c--a-w C:\WINDOWS\system32\drivers\4_stars.gif
2007-06-03 23:30:50 365 -c--a-w C:\WINDOWS\system32\drivers\5_stars.gif
2007-06-03 23:30:49 945 ----a-w C:\WINDOWS\system32\drivers\s_detect.htm
2007-06-03 23:30:49 6,575 ----a-w C:\WINDOWS\system32\drivers\remove_spyware_button.gif
2007-06-03 23:30:49 6,373 ----a-w C:\WINDOWS\system32\drivers\secuity_center_logo.gif
2007-06-03 23:30:48 64 ----a-w C:\WINDOWS\system32\drivers\close_icon.gif
2007-06-03 23:30:48 4,825 ----a-w C:\WINDOWS\system32\drivers\detect.htm
2007-06-03 23:30:48 360 ----a-w C:\WINDOWS\system32\drivers\header_bg.gif
2007-06-03 23:30:48 2,186 ----a-w C:\WINDOWS\system32\drivers\alert_icon.gif
2007-06-03 23:30:48 1,014 ----a-w C:\WINDOWS\system32\drivers\icon_warning.gif
2007-05-28 23:02:20 1 ----a-w C:\WINDOWS\system32\ps.dat
2005-04-24 10:17:15 56 --sh--r C:\WINDOWS\system3227CE54B39.sys
2005-04-24 10:17:15 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"AVP"="C:\Program Files\AOL\Active Virus Shield\avp.exe" [2007-04-03 11:37]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:00]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Norton GoBack.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Norton GoBack.lnk
backup=C:\WINDOWS\pss\Norton GoBack.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^HP Organize.lnk]
path=C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup=C:\WINDOWS\pss\HP Organize.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
"C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTBar]
c:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
C:\Program Files\Toshiba\MediaSource\Detector\CTDetect.exe /R

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
C:\Program Files\Toshiba\TOSHIBA Multimedia Center\Surround Mixer\CTSysVol.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
C:\Program Files\dvd43\dvd43_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX4600 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB001" /M "Stylus CX4600"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
HDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
"C:\Program Files\Microsoft IntelliPoint\point32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton SystemWorks]
"C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\regcmdcons]
c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
"C:\Windows\Creator\Remind_XP.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteCenter]
C:\Program Files\Toshiba\MediaSource\RemoteControl\RcMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SbUsb AudCtrl]
RunDll32 sbusbdll.dll,RCMonitor

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI]
MIDIDef.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SymWSC"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SBService"=2 (0x2)
"SAVScan"=3 (0x3)
"ose"=3 (0x3)
"NPFMntor"=2 (0x2)
"MDM"=2 (0x2)
"LiveUpdate"=3 (0x3)
"GBPoll"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"navapsvc"=2 (0x2)
"LightScribeService"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"Symantec Core LC"=2 (0x2)
"Speed Disk service"=2 (0x2)
"SNDSrvc"=3 (0x3)
"NVSvc"=2 (0x2)
"NProtectService"=2 (0x2)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"AVG Anti-Spyware Guard"=2 (0x2)
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)

R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\system32\DRIVERS\snapman.sys
R0 timounter;Acronis True Image Backup Archive Explorer;C:\WINDOWS\system32\DRIVERS\timntr.sys
R2 BCMNTIO;BCMNTIO;\??\C:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys
R2 MAPMEM;MAPMEM;\??\C:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys
R2 tifsfilter;Acronis True Image FS Filter;C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
R3 HidUsb;Microsoft HID Class Driver;C:\WINDOWS\system32\DRIVERS\hidusb.sys
R3 Iviaspi;IVI ASPI Shell;C:\WINDOWS\system32\drivers\iviaspi.sys
R3 Point32;Microsoft IntelliPoint Filter Driver;C:\WINDOWS\system32\DRIVERS\point32.sys
R3 Ps2;PS2;C:\WINDOWS\system32\DRIVERS\PS2.sys
R3 sbusb;TOSHIBA Multimedia Center Driver(Powered by Creative);C:\WINDOWS\system32\DRIVERS\sbusb.sys
R3 usbccgp;Microsoft USB Generic Parent Driver;C:\WINDOWS\system32\DRIVERS\usbccgp.sys
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbehci.sys
R3 usbhub;Microsoft USB Standard Hub Driver;C:\WINDOWS\system32\DRIVERS\usbhub.sys
R3 USBSTOR;USB Mass Storage Driver;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbuhci.sys
S3 ADM851X;ADM851X USB To Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\ADM851X.SYS
S3 Fax;Fax;C:\WINDOWS\system32\fxssvc.exe
S3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;C:\WINDOWS\system32\drivers\HdAudio.sys
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12;C:\WINDOWS\system32\DRIVERS\HPZius12.sys
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1);C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
S3 usbaudio;USB Audio Driver (WDM);C:\WINDOWS\system32\drivers\usbaudio.sys
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
S3 usbscan;USB Scanner Driver;C:\WINDOWS\system32\DRIVERS\usbscan.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
AutoRun\command- D:\setup.exe


Contents of the 'Scheduled Tasks' folder
2007-07-24 17:49:00 C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-24 12:49:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-24 12:51:25
C:\ComboFix-quarantined-files.txt ... 2007-07-24 12:50
C:\ComboFix2.txt ... 2007-07-23 19:02
C:\ComboFix3.txt ... 2007-06-22 15:05

--- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 12:53:50 PM, on 7/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\Rar$EX00.531\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/z...s/heartbeat.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

#20 miekiemoes

miekiemoes

    Malware Expert

  • Global Moderator
  • PipPipPipPipPip
  • 20,026 posts

Posted 24 July 2007 - 01:07 PM

Hi,

Do next:

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\drivers\system_stable_header_small.gif
C:\WINDOWS\system32\drivers\users_rating.gif
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\drivers\system_stable_header.gif
C:\WINDOWS\system32\drivers\system_stable_box_small.jpg
C:\WINDOWS\system32\drivers\spy_away_header_small.gif
C:\WINDOWS\system32\drivers\spy_away_box_small.jpg
C:\WINDOWS\system32\drivers\system_stable_box.jpg
C:\WINDOWS\system32\drivers\spy_away_header.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_header_small.gif
C:\WINDOWS\system32\drivers\protect.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\perfect_cleaner_header.gif
C:\WINDOWS\system32\drivers\logo_bg.gif
C:\WINDOWS\system32\drivers\features.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box_small.jpg
C:\WINDOWS\system32\drivers\logo.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\download_btn.gif
C:\WINDOWS\system32\drivers\buy_btn.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\4_stars.gif
C:\WINDOWS\system32\drivers\5_stars.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\remove_spyware_button.gif
C:\WINDOWS\system32\drivers\secuity_center_logo.gif
C:\WINDOWS\system32\drivers\close_icon.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\header_bg.gif
C:\WINDOWS\system32\drivers\alert_icon.gif
C:\WINDOWS\system32\drivers\icon_warning.gif


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again and remove above files.
This won't change anything in system behavior since these files won't affect it in any way. It's just because Combofix has been updated and displays them now.

The only thing I can expect to be the cause of your slow system is this:

((((((((((((((((((((((((( Files Created from 2007-06-24 to 2007-07-24 )))))))))))))))))))))))))))))))


2007-07-23 12:58 82,258 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-07-23 12:58 82,258 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-07-23 12:58 7,200 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-07-23 12:58 2,831,392 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat


This since they are created recently. They are related with your Active Virus Shield (AVP)
So it could be possible that somewhere it had a bad update or whatever and causing these problems. So what I suggest here is, uninstall Active Virus Shield (AVP) and let me know if that made a difference. If so, then I'll give you another free alternative instead. :)
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#21 rocketdude1234

rocketdude1234

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 24 July 2007 - 01:30 PM

I did the first combo fix. I had avg anti virus, but i went and got AVP and it seems to work alright.

I just noticed that my connectivity on my lan is 4x less on my desktop than my laptop. The distance has never changed (although i had digital phone installed)

Nothing seems to be showing, the allusive slow computer problem. Damn you HP

#22 miekiemoes

miekiemoes

    Malware Expert

  • Global Moderator
  • PipPipPipPipPip
  • 20,026 posts

Posted 24 July 2007 - 01:41 PM

Well, not sure since when exactly you are having this slow down issue though..
You got installed AVP since yesterday (as I see from the logs) and then you said everything was working OK?
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#23 rocketdude1234

rocketdude1234

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 24 July 2007 - 01:43 PM

No, the problem of lag has been the issue since we began the thread. I installed a different anti-virus to see if it would pull up anything different than other a-v. The problem of lag still persists, but i just noticed how much my internet has slowed down on this computer, and not the other one, for no apparent reason. (i usually get 54mbps, but its only getting 11mb on my desktop and 54 on my laptop)

#24 miekiemoes

miekiemoes

    Malware Expert

  • Global Moderator
  • PipPipPipPipPip
  • 20,026 posts

Posted 24 July 2007 - 02:00 PM

I am pretty sure that all scans come up clean and this is no malware issue.

It's hard to figure out what is causing this since I am not in front of your pc. However, you may not compare computers between eachother. On my laptop, the internet connection etc is better than on my workstation as well.

Anyway, run these ONLINE tests: PC Pitstop Full Tests
This will give a detailed report and the solutions.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#25 rocketdude1234

rocketdude1234

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 24 July 2007 - 02:03 PM

thanks a lot. Im trying to update windows right now to see if that does anything. As i had windows updates disabled. only bad thing is that my connectivity sucks and its gonna take 30 mins to download them.... Thank you for all of your help.

#26 miekiemoes

miekiemoes

    Malware Expert

  • Global Moderator
  • PipPipPipPipPip
  • 20,026 posts

Posted 24 July 2007 - 02:35 PM

I guess you better contact your ISP as well...
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#27 rocketdude1234

rocketdude1234

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 24 July 2007 - 02:55 PM

I really think there is some sort of malware on my computer. The packets being sent are double the packets being received. Updating windows just made my ie gay. haha My isp seems fine because of the other computer on the lan with no problems. It seems as though its with this computer only. I will do those diagnostics in a bit as im trying to finish updating windows.

#28 rocketdude1234

rocketdude1234

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 24 July 2007 - 03:06 PM

i just got an error during the tests on that website. it said

"16 bit MS-DOS Subsystem
C:\WINDOWS\system32\pcpbios.exe
C:\PROGRA~1\Symantec\S32EVNT1.DLL. An instable Virtual Device Driver failed DLL initialization. Chose Close to terminate the application. "

#29 miekiemoes

miekiemoes

    Malware Expert

  • Global Moderator
  • PipPipPipPipPip
  • 20,026 posts

Posted 24 July 2007 - 04:29 PM

The packets being sent are double the packets being received

That's not uncommon.


"16 bit MS-DOS Subsystem
C:\WINDOWS\system32\pcpbios.exe
C:\PROGRA~1\Symantec\S32EVNT1.DLL. An instable Virtual Device Driver failed DLL initialization. Chose Close to terminate the application. "

This is because you had Symantec/Norton installed previously and some components and registry keys/values were not properly removed. Not sure if you still have Symantec installed, since I see you had it previously disabled, as well as Avast Antivirus.
Keep in mind, NEVER install more than one Antivirus, even though you disabled them, because they may cause a huge system slowdown and incompatibility issues. So make sure you uninstall them.

Please make a backup of the following registry key, here is how it is done:

Go to Start -> run -> type the following:

regedit /e C:\backup.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers"

This should create a backup of the key you are going to modify on your C:\ with the name backup.reg

Next, open up your Registry Editor: Go to Start -> run -> type "regedit" (without the quotes).

When the registry editor dialog box opens, navigate to the following key:

HKEY_LOCAL_MACHINE -> SYSTEM -> CurrentControlSet -> Control -> VirtualDeviceDrivers

In the right pane of the "registry editor" for this key, their should be a value called VDD

Right click on this "VDD" value and choose Modify

Edit out the following data from this "VDD" value, if it exists: C:\Program Files\Symantec\S32EVNT1.DLL

(Note: Make sure that you delete only "C:\Program Files\Symantec\S32EVNT1.DLL", leave any other data in the "VDD" value alone.

Here's a screenshot of where exactly you modify it in the registry. It's in dutch in this case and and my case that window is empty:
VDD.gif
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#30 rocketdude1234

rocketdude1234

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 25 July 2007 - 02:35 PM

Alright i did that. Everytime i try to run the tests on the website it locks up and i dont know why. No error no nothing, just says (not responding).

My computer is really slowing down today. I dont know what is going on.

#31 miekiemoes

miekiemoes

    Malware Expert

  • Global Moderator
  • PipPipPipPipPip
  • 20,026 posts

Posted 25 July 2007 - 03:24 PM

Then I guess you are having a hardware issue if it locks up during the tests.

Unfortunately I don't have much knowledge about hardware in general... so my help on that is useless.

That's why, it is better that I redirect you to The PC Guide forums ( http://www.pcguide.com/vb/ ) which is an excellent forum specialized in hardware related issues.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button