MyTechSupport.ca :: Your Computer Technical Resource Headquarters! MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
HOME FORUMS RESOURCES & TOOLS ARTICLES ONLINE STORE ABOUT US
Computer Support Forums arrow Software Support arrow Operating Systems : Microsoft arrow Topic: New problem
April 26, 2019, 12:19:16 PM
 

Home Forum Rules Help Search Mobile Version Login Register

Welcome, Guest. Please login or register.
Did you miss your activation email?
April 26, 2019, 12:19:16 PM

Login with username, password and session length
 
News
12th Anniversary Celebrating 12 Years! (1997 - 2009) 12th Anniversary
Thanks to ALL that make this site what it is!
  0 Members and 1 Guest are viewing this topic.
Pages: [1] 2  All Go Down Print
Author Topic: New problem  (Read 4255 times)
toppro77
Sr. Member
****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 129


Bookmark and Share

View Profile
« on: April 05, 2008, 02:59:34 PM »

I don't even believe this! I let a friend do some browsing on my computer last night and everything was fine but this morning I decided to reboot because I was low on ram and when I restarted it took over 3 minutes to boot and my task bar was gone. If I minimize my browser it disappears completely even though it is still running. Here is a HJT log. I know I have a new virus somewhere.

Logfile of HijackThis v1.99.1
Scan saved at 10:57:18 AM, on 4/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Profiles\default\jv4xmghx.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Profiles\default\jv4xmghx.slt\prefs.js)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\HP_Owner\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v46/scrabblecubes/scrabblecubes.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {18C3FD15-74F6-4280-9C98-3590C966B7B8} (SkillGam Control) - http://www.worldwinner.com/games/v47/skillgam/skillgam.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinner.com/games/v47/shared/FunGamesLoader.cab
O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} (Brickout Control) - http://www.worldwinner.com/games/v48/brickout/brickout.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinner.com/games/v50/pool/pool.cab
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Jigsaw Genius Control) - http://www.worldwinner.com/games/v43/jigsaw/jigsaw.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://www.worldwinner.com/games/v63/bjattack/bja.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://www.worldwinner.com/games/v49/blockwerx/blockwerx.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://www.worldwinner.com/games/v41/freecell/freecell.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinner.com/games/v46/wordmojo/wordmojo.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://www.worldwinner.com/games/v57/cubis/cubis.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab
O16 - DPF: {A91FB93D-7561-4524-8484-5C27C8FA8D42} (WwLuxor Control) - http://www.worldwinner.com/games/v49/luxor/luxor.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinner.com/games/v67/swapit/swapit.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - http://www.worldwinner.com/games/v42/tilecity/tilecity.cab
O16 - DPF: {BB637307-92FA-47EC-B3F7-6969078673CC} (Royal Control) - http://www.worldwinner.com/games/v45/royal/royal.cab
O16 - DPF: {C5326A4D-E9AA-40AD-A09A-E74304D86B47} (DinerDash Control) - http://www.worldwinner.com/games/v50/dinerdash/dinerdash.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinner.com/games/v43/paint/paint.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} (GolfSol Control) - http://www.worldwinner.com/games/v44/golfsol/golfsol.cab
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} (WWSpades Control) - http://www.worldwinner.com/games/v47/wwspades/wwspades.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX
Logged

 
toppro77
Sr. Member
****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 129


Bookmark and Share

View Profile
« Reply #1 on: April 05, 2008, 03:11:06 PM »

Here is a combofix log.

ComboFix 07-08-17.2 - "HP_Owner" 2008-04-05 10:59:20.3 - NTFSx86


(((((((((((((((((((((((((   Files Created from 2008-03-05 to 2008-04-05  )))))))))))))))))))))))))))))))


2008-04-05 10:13   102,664   --a------   C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-01 16:51   <DIR>   d--------   C:\WINDOWS\system32\Kaspersky Lab
2008-04-01 16:51   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2008-03-31 21:24   <DIR>   d--------   C:\WINDOWS\ERUNT
2008-03-31 00:05   <DIR>   d--------   C:\Deckard
2008-03-30 00:23   <DIR>   d--------   C:\Program Files\XoftSpySE
2008-03-29 19:51   <DIR>   d--------   C:\VundoFix Backups
2008-03-29 19:50   <DIR>   d--------   C:\vundo
2008-03-29 19:09   51,200   --a------   C:\WINDOWS\nircmd.exe
2008-03-29 13:27   <DIR>   d--------   C:\HJT
2008-03-25 20:08   <DIR>   d--------   C:\DOCUME~1\ADMINI~1.DIA\APPLIC~1\Netscape
2008-03-25 18:29   19,308,544   --a------   C:\DOCUME~1\HP_Owner\ntuser.dat
2008-03-25 01:14   <DIR>   d--------   C:\DOCUME~1\HP_Owner\APPLIC~1\Microsoft Web Folders
2008-03-21 22:29   546,816   --a------   C:\WINDOWS\system32\SS32D25.DLL
2008-03-21 22:29   3,360   --a------   C:\WINDOWS\system32\MSWTHK16.DLL
2008-03-21 22:29   203,776   --a------   C:\WINDOWS\system32\RODAP32.DLL
2008-03-21 22:29   17,920   --a------   C:\WINDOWS\system32\MSWTHK32.DLL
2008-03-21 22:29   <DIR>   d--------   C:\EQUIS
2008-03-17 01:24   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\InstallShield
2008-03-17 01:23   <DIR>   d--h-----   C:\Program Files\Zero G Registry
2008-03-17 01:23   <DIR>   d--------   C:\Program Files\FAST Trading Platform
2008-03-17 01:22   <DIR>   d--h-----   C:\DOCUME~1\HP_Owner\InstallAnywhere


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2050-03-22 00:46   ---------   d--------   C:\Program Files\Gecko Software
2008-03-29 20:58   4224   --a------   C:\WINDOWS\system32\drivers\beep.sys
2008-03-27 21:22   ---------   d--------   C:\Program Files\Microsoft ActiveSync
2008-03-25 01:14   ---------   d--------   C:\Program Files\microsoft frontpage
2008-02-28 18:33   ---------   d--------   C:\Program Files\Blender Foundation
2008-02-17 15:00   ---------   d--------   C:\Program Files\Finding Notes Easy
2008-02-17 15:00   ---------   d--------   C:\Program Files\Citrix
2008-02-09 11:41   ---------   d--------   C:\Program Files\GameSpy Arcade
2008-02-09 11:40   ---------   d--h-----   C:\Program Files\InstallShield Installation Information
2008-02-06 19:49   ---------   d--------   C:\DOCUME~1\HP_Owner\APPLIC~1\Canon
2005-06-26 22:32:28   616,448   --sha-r   C:\WINDOWS\system32\cygwin1.dll
2005-06-22 05:37:42   45,568   --sha-r   C:\WINDOWS\system32\cygz.dll
2006-05-03 09:06:54   163,328   --sh--r   C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47:16   31,232   --sh--r   C:\WINDOWS\system32\msfDX.dll


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-04-13 15:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^HP Organize.lnk]
path=C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup=C:\WINDOWS\pss\HP Organize.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^HyperChannel.lnk]
path=C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\HyperChannel.lnk
backup=C:\WINDOWS\pss\HyperChannel.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative WebCam Tray]
"C:\Program Files\Creative\Shared Files\CamTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
C:\WINDOWS\system32\hphmon06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxtorOneTouch]
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
"C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MP10_EnsureFileVer]
C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MXO Auto Loader]
C:\WINDOWS\MXOALDR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvPvrNetMon]
"C:\Program Files\NVIDIA Corporation\ForceWare\Multimedia\NVPVR\NvPvrNetMon.exe" start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvRemoteManager]
C:\Program Files\NVIDIA Corporation\ForceWare\NVRemote\NvRemote.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
"C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PD0630 STISvc]
RunDLL32.exe P0630Pin.dll,RunDLL32EP 513

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
"C:\Windows\Creator\Remind_XP.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SemanticInsight]
C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead Quick-Drop]
"C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator TBYB\Ulead Quick-Drop 1.0\Quick-Drop.exe" WINDOWCALL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=3 (0x3)
"Schedule"=2 (0x2)
"SamSs"=2 (0x2)
"nvpvrmon"=2 (0x2)
"Apple Mobile Device"=2 (0x2)


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msnetmtg.inf,NetMtg.Remove.PerUser.NT

Contents of the 'Scheduled Tasks' folder
2008-03-19 02:01:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2008-03-30 04:23:07 C:\WINDOWS\Tasks\XoftSpySE 2.job - C:\Program Files\XoftSpySE\XoftSpy.exe
2008-03-30 04:23:07 C:\WINDOWS\Tasks\XoftSpySE.job - C:\Program Files\XoftSpySE\XoftSpy.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-05 11:05:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2008-04-05 11:05:40
C:\ComboFix-quarantined-files.txt ... 2008-04-05 11:05
C:\ComboFix2.txt ... 2008-04-01 16:46
C:\ComboFix3.txt ... 2008-03-31 23:57

   --- E O F ---
« Last Edit: April 05, 2008, 03:20:55 PM by toppro77 » Logged

 
Pancake
Global Moderator
Hero Member
*****

Karma: +78/-0
Offline Offline

Gender: Male
Posts: 3915


Bookmark and Share

View Profile
« Reply #2 on: April 06, 2008, 01:59:23 AM »

Remove the Combofix you now have and then download and run latest version..


http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Logged

An Australian Member of

EDDY
toppro77
Sr. Member
****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 129


Bookmark and Share

View Profile
« Reply #3 on: April 06, 2008, 02:46:50 AM »

Ok Pancake old pal. Thanks for coming to my rescue again. Your the best!
Logged

 
toppro77
Sr. Member
****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 129


Bookmark and Share

View Profile
« Reply #4 on: April 06, 2008, 03:02:17 AM »

Here is the new combofix log

ComboFix 08-04-04.1 - HP_Owner 2008-04-05 22:50:35.4 - NTFSx86
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
.
TimedOut: progfile.dat

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\HP_Owner\g2mdlhlpx.exe
C:\Program Files\Internet Explorer\setupapi.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\klnmp.ini

.
(((((((((((((((((((((((((   Files Created from 2008-03-06 to 2008-04-06  )))))))))))))))))))))))))))))))
.

2008-04-01 16:51 . 2008-04-01 16:51   <DIR>   d--------   C:\WINDOWS\system32\Kaspersky Lab
2008-04-01 16:51 . 2008-04-01 16:51   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-31 23:20 . 2008-03-28 00:32   281   --ahs----   C:\boot.ini.cf
2008-03-31 21:24 . 2008-03-31 21:24   <DIR>   d--------   C:\WINDOWS\ERUNT
2008-03-31 21:19 . 2008-04-05 12:09   <DIR>   d--------   C:\SDFix
2008-03-31 00:05 . 2008-03-31 00:05   <DIR>   d--------   C:\Deckard
2008-03-30 00:23 . 2008-04-05 14:36   <DIR>   d--------   C:\Program Files\XoftSpySE
2008-03-29 19:51 . 2008-03-29 19:51   <DIR>   d--------   C:\VundoFix Backups
2008-03-29 19:50 . 2008-03-29 19:50   <DIR>   d--------   C:\vundo
2008-03-29 13:27 . 2008-04-05 14:33   <DIR>   d--------   C:\HJT
2008-03-29 08:35 . 2008-03-29 19:19   1,583,877   ---hs----   C:\WINDOWS\system32\riqjagqb.ini
2008-03-28 08:32 . 2008-03-29 08:32   1,583,637   ---hs----   C:\WINDOWS\system32\mnpeugjk.ini
2008-03-27 08:33 . 2008-03-27 22:13   1,583,695   ---hs----   C:\WINDOWS\system32\poemrywc.ini
2008-03-26 08:36 . 2008-03-26 17:15   1,585,588   ---hs----   C:\WINDOWS\system32\ftlmejth.ini
2008-03-25 20:08 . 2008-03-25 20:08   <DIR>   d--------   C:\Documents and Settings\Administrator.DIAMONDMINE\Application Data\Netscape
2008-03-25 01:14 . 2008-03-25 01:14   <DIR>   d--------   C:\Documents and Settings\HP_Owner\Application Data\Microsoft Web Folders
2008-03-21 22:29 . 2008-03-21 22:48   <DIR>   d--------   C:\EQUIS
2008-03-21 22:29 . 1997-01-10 06:00   546,816   --a------   C:\WINDOWS\system32\SS32D25.DLL
2008-03-21 22:29 . 1997-01-10 06:00   203,776   --a------   C:\WINDOWS\system32\RODAP32.DLL
2008-03-21 22:29 . 1997-01-10 06:00   17,920   --a------   C:\WINDOWS\system32\MSWTHK32.DLL
2008-03-21 22:29 . 1997-01-10 06:00   3,360   --a------   C:\WINDOWS\system32\MSWTHK16.DLL
2008-03-17 01:24 . 2008-03-17 01:24   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\InstallShield
2008-03-17 01:23 . 2008-03-17 01:23   <DIR>   d--h-----   C:\Program Files\Zero G Registry
2008-03-17 01:23 . 2008-03-17 01:23   <DIR>   d--------   C:\Program Files\FAST Trading Platform
2008-03-17 01:22 . 2008-03-17 01:22   <DIR>   d--h-----   C:\Documents and Settings\HP_Owner\InstallAnywhere

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2050-03-22 04:46   ---------   d-----w   C:\Program Files\Gecko Software
2050-03-22 04:46   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Gecko Software
2008-04-03 04:26   ---------   d---a-w   C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-30 00:58   4,224   ----a-w   C:\WINDOWS\system32\drivers\beep.sys
2008-03-28 01:22   ---------   d-----w   C:\Program Files\Microsoft ActiveSync
2008-03-25 05:14   ---------   d-----w   C:\Program Files\microsoft frontpage
2008-02-28 22:33   ---------   d-----w   C:\Program Files\Blender Foundation
2008-02-17 19:00   ---------   d-----w   C:\Program Files\Finding Notes Easy
2008-02-17 19:00   ---------   d-----w   C:\Program Files\Citrix
2008-02-09 15:41   ---------   d-----w   C:\Program Files\GameSpy Arcade
2008-02-09 15:40   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-02-06 23:49   ---------   d-----w   C:\Documents and Settings\HP_Owner\Application Data\Canon
2005-06-26 22:32   616,448   --sha-r   C:\WINDOWS\system32\cygwin1.dll
2005-06-22 05:37   45,568   --sha-r   C:\WINDOWS\system32\cygz.dll
2006-05-03 09:06   163,328   --sh--r   C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47   31,232   --sh--r   C:\WINDOWS\system32\msfDX.dll
.

------- Sigcheck -------

Cryptography Services Error !!
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-04-13 15:25 3309568]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-08-07 17:03 180269]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"vidc.LEAD"= LCODCCMP.DLL
"MSVideo8"= VfWWDM32.dll
"VIDC.FPS1"= frapsvid.dll
"VIDC.YV12"= yv12vfw.dll
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= mpegacm.acm
"msacm.ulmp3acm"= ulmp3acm.acm
"vidc.tscc"= tsccvid.dll
"VIDC.JPEG"= jpegCode.dll
"VIDC.MJPG"= jpegCode.dll
"msacm.lhacm"= lhacm.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages   REG_SZ            

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^HP Organize.lnk]
path=C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup=C:\WINDOWS\pss\HP Organize.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^HyperChannel.lnk]
path=C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\HyperChannel.lnk
backup=C:\WINDOWS\pss\HyperChannel.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2005-03-04 12:01 88209 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative WebCam Tray]
--------- 2005-03-29 02:13 258048 C:\Program Files\Creative\Shared Files\CamTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 15:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-12-22 09:38 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2004-03-04 11:46 172032 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
--a------ 2004-06-07 21:42 659456 C:\WINDOWS\system32\hphmon06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
--a------ 2004-06-07 21:53 49152 c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 19:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2003-02-11 23:02 61440 C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxtorOneTouch]
--a------ 2003-05-21 16:30 45056 C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MP10_EnsureFileVer]
--a------ 2004-08-04 15:00 208896 C:\WINDOWS\inf\unregmp2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MXO Auto Loader]
--a------ 2003-04-07 19:09 118784 C:\WINDOWS\MXOALDR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--------- 2001-07-09 04:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
-ra------ 2004-04-13 15:25 3309568 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
-ra------ 2004-04-13 15:25 46080 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvPvrNetMon]
--a------ 2004-04-26 14:23 229376 C:\Program Files\NVIDIA Corporation\ForceWare\Multimedia\NVPVR\NvPvrNetMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvRemoteManager]
--a------ 2004-03-01 19:13 139264 C:\Program Files\NVIDIA Corporation\ForceWare\NVRemote\NvRemote.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
-ra------ 2004-04-13 15:25 782336 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
--a------ 2003-05-08 13:00 49152 C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PD0630 STISvc]
-ra------ 2005-06-05 13:01 36864 C:\WINDOWS\system32\P0630Pin.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2002-10-16 19:57 81920 C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 11:56 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2004-04-14 23:43 233472 C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a------ 2003-12-18 02:31 118784 C:\Windows\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SemanticInsight]
C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 03:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2004-08-07 17:03 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead Quick-Drop]
C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator TBYB\Ulead Quick-Drop 1.0\Quick-Drop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2004-03-27 00:07 49152 C:\WINDOWS\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
--a------ 2005-09-02 16:50 302528 C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-07-31 15:54 4617720 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=3 (0x3)
"Schedule"=2 (0x2)
"SamSs"=2 (0x2)
"nvpvrmon"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msnetmtg.inf,NetMtg.Remove.PerUser.NT
.
Contents of the 'Scheduled Tasks' folder
"2008-03-19 02:01:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-30 04:23:07 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-03-30 04:23:07 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-05 22:54:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-05 22:57:07
ComboFix-quarantined-files.txt  2008-04-06 02:57:06
ComboFix2.txt  2008-04-05 15:05:40
Pre-Run: 34,441,388,032 bytes free
Post-Run: 34,429,698,048 bytes free
.
2008-03-29 14:20:11   --- E O F --- 

When this was done I lost my task bar again. I figured out a way to get it back for most of the day but I couldn't minimize any window because it would disappear. Now after running combofix the task bar is gone again.
Logged

 
toppro77
Sr. Member
****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 129


Bookmark and Share

View Profile
« Reply #5 on: April 06, 2008, 03:14:38 AM »

I just noticed another interesting thing. I cannot play world winner games on yahoo now because when I click the button to log in nothing happens. I also cannot delete junk from my email or read my email because when I click on a link in IE nothing happens. I will have to resort to firefox I guess.
Logged

 
Pancake
Global Moderator
Hero Member
*****

Karma: +78/-0
Offline Offline

Gender: Male
Posts: 3915


Bookmark and Share

View Profile
« Reply #6 on: April 06, 2008, 07:31:16 AM »

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

Quote

Killall::

File::
C:\WINDOWS\system32\riqjagqb.ini
C:\WINDOWS\system32\mnpeugjk.ini
C:\WINDOWS\system32\poemrywc.ini
C:\WINDOWS\system32\ftlmejth.ini

 

Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.




Refering to the picture above, drag CFScript.txt into ComboFix.exe


When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply  please.


*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.Altering this script in any way could damage your compter*

Logged

An Australian Member of

EDDY
toppro77
Sr. Member
****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 129


Bookmark and Share

View Profile
« Reply #7 on: April 06, 2008, 07:27:06 PM »

Hi Pancake,
I made the text like you asked but I cannot drag or drop anything on my desktop or in any of my folders. This this is worse than the last virus. I did do a trend micro online scan yesterday and found winreanimator back on my hard drive which it was able to delete. I just wonder if this is a left over virus from what we did before that is just now showing up. I'm going to try to go into safe mode and do what you ask but I dont know if it will work.
Logged

 
toppro77
Sr. Member
****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 129


Bookmark and Share

View Profile
« Reply #8 on: April 06, 2008, 07:46:21 PM »

I went into safe mode and it still wouldn't drag and drop so I manually deleted those files into recycle bin. I have not deleted them from there yet. I will wait to see what you tell me to do next.
Logged

 
Pancake
Global Moderator
Hero Member
*****

Karma: +78/-0
Offline Offline

Gender: Male
Posts: 3915


Bookmark and Share

View Profile
« Reply #9 on: April 06, 2008, 10:36:08 PM »

Yes you can delete those files now...


Go to http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
        • Scan Mail Bases[/color][/b]
    • Click OK & have it scan My Computer
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.





  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan


Logged

An Australian Member of

EDDY
toppro77
Sr. Member
****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 129


Bookmark and Share

View Profile
« Reply #10 on: April 07, 2008, 01:36:24 AM »

Man this is getting rediculous. I went to kaspersky.com and it won't run that scan. I clicked on accept and it does nothing.  PC Smash
Logged

 
Pancake
Global Moderator
Hero Member
*****

Karma: +78/-0
Offline Offline

Gender: Male
Posts: 3915


Bookmark and Share

View Profile
« Reply #11 on: April 07, 2008, 01:48:59 AM »

Ummmmm......

Try this.



  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.

Code:

Files to delete:
C:\WINDOWS\system32\riqjagqb.ini
C:\WINDOWS\system32\mnpeugjk.ini
C:\WINDOWS\system32\poemrywc.ini
C:\WINDOWS\system32\ftlmejth.ini



  • In the avenger window, click the Paste Script from Clipboard, button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log, along with a new HijackThis log in your next reply.
Logged

An Australian Member of

EDDY
toppro77
Sr. Member
****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 129


Bookmark and Share

View Profile
« Reply #12 on: April 07, 2008, 01:58:54 AM »

Avenger Log

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error:  file "C:\WINDOWS\system32\riqjagqb.ini" not found!
Deletion of file "C:\WINDOWS\system32\riqjagqb.ini" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\mnpeugjk.ini" not found!
Deletion of file "C:\WINDOWS\system32\mnpeugjk.ini" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\poemrywc.ini" not found!
Deletion of file "C:\WINDOWS\system32\poemrywc.ini" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\ftlmejth.ini" not found!
Deletion of file "C:\WINDOWS\system32\ftlmejth.ini" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Completed script processing.

*******************

Finished!  Terminate.


HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 9:58:53 PM, on 4/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Profiles\default\jv4xmghx.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Profiles\default\jv4xmghx.slt\prefs.js)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\HP_Owner\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v46/scrabblecubes/scrabblecubes.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {18C3FD15-74F6-4280-9C98-3590C966B7B8} (SkillGam Control) - http://www.worldwinner.com/games/v47/skillgam/skillgam.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinner.com/games/v47/shared/FunGamesLoader.cab
O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} (Brickout Control) - http://www.worldwinner.com/games/v48/brickout/brickout.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinner.com/games/v50/pool/pool.cab
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Jigsaw Genius Control) - http://www.worldwinner.com/games/v43/jigsaw/jigsaw.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://www.worldwinner.com/games/v63/bjattack/bja.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://www.worldwinner.com/games/v49/blockwerx/blockwerx.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://www.worldwinner.com/games/v41/freecell/freecell.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinner.com/games/v46/wordmojo/wordmojo.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://www.worldwinner.com/games/v57/cubis/cubis.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab
O16 - DPF: {A91FB93D-7561-4524-8484-5C27C8FA8D42} (WwLuxor Control) - http://www.worldwinner.com/games/v49/luxor/luxor.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinner.com/games/v67/swapit/swapit.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - http://www.worldwinner.com/games/v42/tilecity/tilecity.cab
O16 - DPF: {BB637307-92FA-47EC-B3F7-6969078673CC} (Royal Control) - http://www.worldwinner.com/games/v45/royal/royal.cab
O16 - DPF: {C5326A4D-E9AA-40AD-A09A-E74304D86B47} (DinerDash Control) - http://www.worldwinner.com/games/v50/dinerdash/dinerdash.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinner.com/games/v43/paint/paint.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} (GolfSol Control) - http://www.worldwinner.com/games/v44/golfsol/golfsol.cab
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} (WWSpades Control) - http://www.worldwinner.com/games/v47/wwspades/wwspades.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX
Logged

 
Pancake
Global Moderator
Hero Member
*****

Karma: +78/-0
Offline Offline

Gender: Male
Posts: 3915


Bookmark and Share

View Profile
« Reply #13 on: April 07, 2008, 02:16:54 AM »

Thats fine.Nothing found and your HJT log looks fine now so it looks as if your problem lies elsewhere.
« Last Edit: April 07, 2008, 02:18:26 AM by Pancake » Logged

An Australian Member of

EDDY
toppro77
Sr. Member
****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 129


Bookmark and Share

View Profile
« Reply #14 on: April 07, 2008, 02:19:32 AM »

It still takes over 3 minutes to load from restart, I cant copy and paste in any word processor, I cant minimize any windows or they dissapear, My task bar is not right, I cant drag and drop anything. Ya it lies somewhere and I have no idea where. I cant' run system restore or windows media player and I have no sound. Angry
« Last Edit: April 07, 2008, 02:22:10 AM by toppro77 » Logged

 
Pages: [1] 2  All Go Up Print 
 
Jump to:  

Powered by MySQL Powered by PHP

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines

Valid XHTML 1.0! Valid CSS!

Disclaimer
This site is NOT responsible for any damage that the information on this site may cause to your system. Everything you try, whether inspired by the response given from this site or not, is entirely at your own risk. All product names and company names used herein are for identification purpose only and may be trademarks or registered trademarks of their respective owners. We are in no way affiliated or representing any of the companies on this site unless specified.
Back to Top
Stop Spam Harvesters, Join Project Honey Pot Fight Back Against Spammers! Get Firefox! Get Thunderbird! View Sylvain Amyots profile on LinkedIn
Back to Top
Google visited last this page January 30, 2019, 01:36:54 PM