Topic: Bad Virus on Friends Computer
toppro77
« on: May 22, 2008, 02:16:34 PM »

I am trying to help a friend get a nasty virus off his computer. Here is the ComboFix log:

ComboFix 07-08-17.2 - "Harold Warren" 2008-05-21 10:46:36.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.358 [GMT -4:00]


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\HAROLD~1\Desktop.\Spyware&Malware Protection.url
C:\DOCUME~1\HAROLD~1\Desktop\Error Cleaner.url
C:\DOCUME~1\HAROLD~1\Desktop\Privacy Protector.url
C:\DOCUME~1\HAROLD~1\FAVORI~1.\Error Cleaner.url
C:\DOCUME~1\HAROLD~1\FAVORI~1.\Privacy Protector.url
C:\DOCUME~1\HAROLD~1\FAVORI~1.\Spyware&Malware Protection.url
C:\WINDOWS\NDNuninstall6_38.exe
C:\WINDOWS\NDNuninstall7_48.exe
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\index.htm
C:\WINDOWS\system32\drivers\sfsync02.sys


(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NWSAPAGENT
-------\LEGACY_SFSYNC02
-------\NwSapAgent
-------\sfsync02


(((((((((((((((((((((((((   Files Created from 2008-04-21 to 2008-05-21  )))))))))))))))))))))))))))))))


2008-05-21 10:45   51,200   --a------   C:\WINDOWS\nircmd.exe
2008-05-21 10:45   <DIR>   d--------   C:\Deckard
2008-05-21 10:37   <DIR>   d--------   C:\WINDOWS\pss
2008-05-21 01:31   <DIR>   d--------   C:\Program Files\XP Antivirus
2008-05-21 00:46   <DIR>   d--------   C:\Program Files\KvmSecure
2008-05-20 22:50   94,208   --a------   C:\WINDOWS\efvr.exe
2008-05-20 22:50   217,088   --a------   C:\WINDOWS\nldfmtapowe.dll
2008-05-19 23:29   <DIR>   d--------   C:\DOCUME~1\HAROLD~1\APPLIC~1\TmpRecentIcons
2008-05-19 23:15   <DIR>   d--------   C:\Program Files\AntiSpywareMaster
2008-05-19 22:24   91,264   --a------   C:\WINDOWS\system32\tfwwaxaf.dll
2008-05-19 22:21   787,992   --ahs----   C:\WINDOWS\system32\iSYHQXyb.ini2
2008-05-19 22:21   318,336   --a------   C:\WINDOWS\system32\byXQHYSi.dll
2008-05-19 21:41   21,588   --a------   C:\Program Files\antiviirus.exe
2008-05-19 21:41   16,464   -r-hs----   C:\Program Files\tmp3.exe
2008-05-19 21:41   16,464   -r-hs----   C:\Program Files\tmp2.exe
2008-05-19 21:41   16,464   -r-hs----   C:\Program Files\tmp1.exe
2008-05-19 21:41   16,464   -r-hs----   C:\Program Files\tmp0.exe
2008-05-19 21:41   <DIR>   d--------   C:\WINDOWS\system32\382077
2008-05-17 18:44   96,256   --a------   C:\WINDOWS\system32\ctfmona.exe
2008-05-17 18:44   29,824   --a------   C:\WINDOWS\system32\urqPfDTm.dll
2008-05-17 18:44   29,056      C:\WINDOWS\system32\drivers\hqX86.sys
2008-05-17 18:44   160,256   --a------   C:\WINDOWS\system32\blackster.scr
2008-05-17 18:44   14,336   --a------   C:\WINDOWS\system32\WinCtrl32.dll
2008-05-17 18:43   81,920   --a------   C:\WINDOWS\mdtgkswr.exe
2008-05-17 18:43   29,824   --a------   C:\WINDOWS\system32\qoMffDuS.dll
2008-05-17 18:43   212,992   --a------   C:\WINDOWS\pxgdslro.dll
2008-05-17 18:43   204,800   --a------   C:\WINDOWS\nldfmtappek.dll
2008-05-17 18:43   188,416   --a------   C:\WINDOWS\gktxaspm.dll
2008-05-17 18:43   176,128   --a------   C:\WINDOWS\gnowmebk.dll
2008-05-17 18:43   159,744   --a------   C:\WINDOWS\esta.exe
2008-05-17 18:43   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adsl Software Limited


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2008-05-20 21:55   ---------   d--------   C:\Program Files\Easy Internet signup
2008-05-17 18:05   ---------   d--------   C:\Program Files\Juno
2008-05-15 15:55   ---------   d--------   C:\Program Files\Pointsec
2008-04-11 10:34   ---------   d--------   C:\DOCUME~1\HAROLD~1\APPLIC~1\Intuit
2008-03-27 04:12   151583   --a------   C:\WINDOWS\system32\msjint40.dll
2008-03-27 04:12   151583   --a------   C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-25 00:50   838432   --a------   C:\WINDOWS\system32\mswdat10.dll
2008-03-25 00:50   838432   --a------   C:\WINDOWS\system32\dllcache\mswdat10.dll
2008-03-25 00:50   621344   --a------   C:\WINDOWS\system32\mswstr10.dll
2008-03-25 00:50   621344   --a------   C:\WINDOWS\system32\dllcache\mswstr10.dll
2008-03-25 00:50   60192   --a------   C:\WINDOWS\system32\msjter40.dll
2008-03-25 00:50   60192   --a------   C:\WINDOWS\system32\dllcache\msjter40.dll
2008-03-25 00:50   559904   --a------   C:\WINDOWS\system32\msrepl40.dll
2008-03-25 00:50   559904   --a------   C:\WINDOWS\system32\dllcache\msrepl40.dll
2008-03-25 00:50   554008   --a------   C:\WINDOWS\system32\dllcache\dao360.dll
2008-03-25 00:50   518944   --a------   C:\WINDOWS\system32\ms*xch40.dll
2008-03-25 00:50   518944   --a------   C:\WINDOWS\system32\dllcache\ms*xch40.dll
2008-03-25 00:50   432928   --a------   C:\WINDOWS\system32\msrd2x40.dll
2008-03-25 00:50   432928   --a------   C:\WINDOWS\system32\dllcache\msrd2x40.dll
2008-03-25 00:50   355112   --a------   C:\WINDOWS\system32\msjetoledb40.dll
2008-03-25 00:50   355112   --a------   C:\WINDOWS\system32\dllcache\msjetol1.dll
2008-03-25 00:50   355104   --a------   C:\WINDOWS\system32\msxbde40.dll
2008-03-25 00:50   355104   --a------   C:\WINDOWS\system32\mspbde40.dll
2008-03-25 00:50   355104   --a------   C:\WINDOWS\system32\dllcache\msxbde40.dll
2008-03-25 00:50   355104   --a------   C:\WINDOWS\system32\dllcache\mspbde40.dll
2008-03-25 00:50   326432   --a------   C:\WINDOWS\system32\ms*xcl40.dll
2008-03-25 00:50   326432   --a------   C:\WINDOWS\system32\dllcache\ms*xcl40.dll
2008-03-25 00:50   322336   --a------   C:\WINDOWS\system32\msrd3x40.dll
2008-03-25 00:50   322336   --a------   C:\WINDOWS\system32\dllcache\msrd3x40.dll
2008-03-25 00:50   264992   --a------   C:\WINDOWS\system32\mstext40.dll
2008-03-25 00:50   264992   --a------   C:\WINDOWS\system32\dllcache\mstext40.dll
2008-03-25 00:50   248608   --a------   C:\WINDOWS\system32\msjtes40.dll
2008-03-25 00:50   248608   --a------   C:\WINDOWS\system32\dllcache\msjtes40.dll
2008-03-25 00:50   219936   --a------   C:\WINDOWS\system32\msltus40.dll
2008-03-25 00:50   219936   --a------   C:\WINDOWS\system32\dllcache\msltus40.dll
2008-03-25 00:50   1516568   --a------   C:\WINDOWS\system32\msjet40.dll
2008-03-25 00:50   1516568   --a------   C:\WINDOWS\system32\dllcache\msjet40.dll
2008-03-19 05:47   1845248   --a------   C:\WINDOWS\system32\win32k.sys
2008-03-19 05:47   1845248   ---------   C:\WINDOWS\system32\dllcache\win32k.sys


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13B80BBC-97B5-4124-A5D8-72C3390A095D}]
2008-05-20 19:47   217088   --a------   C:\WINDOWS\nldfmtapowe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18F4FBD5-CDE8-492C-9365-1912378EECFE}]
2008-05-17 18:43   29824   --a------   C:\WINDOWS\system32\qoMffDuS.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5402577C-BAF3-4342-AB8C-42FBA512C6EF}]
2008-05-19 22:21   318336   --a------   C:\WINDOWS\system32\byXQHYSi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{831C798D-F9AD-4659-8625-63F2A439F439}]
2008-05-17 17:14   204800   --a------   C:\WINDOWS\nldfmtappek.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0A035EC-C865-4E47-BF73-B17741DD5232}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-07 23:40]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-04-07 15:22]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe" [2007-05-02 05:15]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 13:24]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 04:01]
"CamMonitor"="C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 03:23]
"Share-to-Web Namespace Daemon"="C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 13:42]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" []
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-22 22:55]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-11-10 03:30]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-02-17 14:01]
"Lexmark X83 Button Monitor"="C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe" [2001-10-18 10:25]
"Lexmark X83 Button Manager"="C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe" [2001-06-14 12:42]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2002-06-26 23:47]
"AGRSMMSG"="AGRSMMSG.exe" [2004-01-30 12:01 C:\WINDOWS\AGRSMMSG.exe]
"Protect Tray"="C:\Program Files\Pointsec\P95tray.exe" [2003-12-18 03:57]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 14:54]
"MaxtorCombo"="C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe" [2002-07-16 12:23]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 14:46]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 15:04]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 17:14]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 17:30]
"ctfmona"="C:\WINDOWS\system32\ctfmona.exe" [2008-05-17 18:44]
"AntiSpywareMaster"="C:\Program Files\AntiSpywareMaster\asm.exe" [2008-05-21 00:21]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 03:56]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecordNow!"="" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"WinSpywareProtect (ver. 5.1)"="C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\WinSpywareProtect.exe" [2008-05-17 18:44]
"KvmSecure.exe"="C:\Program Files\KvmSecure\KvmSecure.exe" [2008-05-21 00:46]

C:\Documents and Settings\Harold Warren\Start Menu\Programs\Startup\
DLHelperEXE.exe [2004-08-05 00:02:32]
PowerReg Scheduler.exe [2004-07-06 11:24:23]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 04:20:40]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-08-06]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{18F4FBD5-CDE8-492C-9365-1912378EECFE}"= C:\WINDOWS\system32\qoMffDuS.dll [2008-05-17 18:43 29824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"RamCheck"= {d3c46137-0c08-4eb9-90da-d9284615f2b3} - C:\WINDOWS\Resources\RamCheck.dll [2008-05-19 21:41 14886]
"gnowmebk"= {44D7A794-483B-4821-BA96-359272279846} - C:\WINDOWS\gnowmebk.dll [2008-05-20 19:46 176128]
"pxgdslro"= {AE57DFE7-69E4-49CD-871C-CF589A846D1B} - C:\WINDOWS\pxgdslro.dll [2008-05-20 19:46 212992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qoMffDuS]
qoMffDuS.dll 2008-05-17 18:43 29824 C:\WINDOWS\system32\qoMffDuS.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
WinCtrl32.dll 2008-05-21 11:01 14336 C:\WINDOWS\system32\WinCtrl32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\byXQHYSi

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hqX86.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\69c01f25]
rundll32.exe "C:\WINDOWS\system32\tfwwaxaf.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\antiviirus]
C:\Program Files\antiviirus.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
"C:\Program Files\TomTom HOME\TomTomHOME.exe" -s

R0 hqX86;hqX86;C:\WINDOWS\system32\Drivers\hqX86.sys
R0 prot_2k;prot_2k;C:\WINDOWS\system32\drivers\prot_2k.sys
R2 Pointsec;Pointsec;C:\WINDOWS\System32\PROT_SRV.EXE
R2 Pointsec_agent;Pointsec update agent;C:\WINDOWS\System32\pagents.exe
R2 Pointsec_start;Pointsec service start;C:\WINDOWS\System32\PSTARTSR.EXE
R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys
S3 CE3;Xircom Ethernet Adapter 10/100 Service;C:\WINDOWS\system32\DRIVERS\ce3n5.sys
S3 Novatel;Novatel Wireless EVDO Network Adapter;C:\WINDOWS\system32\DRIVERS\nw620.sys
S3 NWUSBModem;Novatel Wireless USB Modem Driver;C:\WINDOWS\system32\DRIVERS\nwusbmdm.sys
S3 NWUSBPort;Novatel Wireless USB Status Port Driver;C:\WINDOWS\system32\DRIVERS\nwusbser.sys


Contents of the 'Scheduled Tasks' folder
2008-03-15 00:00:17 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Harold Warren.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-21 11:03:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?Huh?Huh??4?7?9?7?Huh?Huh? ???B?Huh?Huh?Huh????hLC? Huh?Huh?
  AntiSpywareMaster = C:\Program Files\AntiSpywareMaster\asm.exe?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  KvmSecure.exe = C:\Program Files\KvmSecure\KvmSecure.exe?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh??e?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2008-05-21 11:12:32 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2008-05-21 11:12

   --- E O F ---

Thanks in advance
toppro77
« Reply #1 on: May 22, 2008, 07:07:15 PM »

OK, I ran a few more virus scans myself and am posting a new ComboFix log.

ComboFix 07-08-17.2 - "Harold Warren" 2008-05-22 14:42:17.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.214 [GMT -4:00]


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\HAROLD~1\Desktop.\Spyware&Malware Protection.url
C:\DOCUME~1\HAROLD~1\Desktop\Error Cleaner.url
C:\DOCUME~1\HAROLD~1\Desktop\Privacy Protector.url
C:\DOCUME~1\HAROLD~1\FAVORI~1.\Error Cleaner.url
C:\DOCUME~1\HAROLD~1\FAVORI~1.\Privacy Protector.url
C:\DOCUME~1\HAROLD~1\FAVORI~1.\Spyware&Malware Protection.url


(((((((((((((((((((((((((   Files Created from 2008-04-22 to 2008-05-22  )))))))))))))))))))))))))))))))


2008-05-22 13:44   <DIR>   d--------   C:\Program Files\Lavasoft
2008-05-22 13:44   <DIR>   d--------   C:\DOCUME~1\HAROLD~1\APPLIC~1\Lavasoft
2008-05-22 13:29   94,208   --a------   C:\WINDOWS\eavx.exe
2008-05-22 13:29   217,088   --a------   C:\WINDOWS\nldfmtapndk.dll
2008-05-22 13:08   <DIR>   d--------   C:\VundoFix Backups
2008-05-22 09:38   160,256   --a------   C:\WINDOWS\system32\blackster.scr
2008-05-22 09:37   27,008      C:\WINDOWS\system32\drivers\Tel07.sys
2008-05-22 09:37   12,288   --a------   C:\WINDOWS\system32\WLCtrl32.dll
2008-05-21 20:13   90,112   --a------   C:\WINDOWS\system32\avuynkua.dll
2008-05-21 10:45   51,200   --a------   C:\WINDOWS\nircmd.exe
2008-05-21 10:45   <DIR>   d--------   C:\Deckard
2008-05-21 10:37   <DIR>   d--------   C:\WINDOWS\pss
2008-05-21 01:31   <DIR>   d--------   C:\Program Files\XP Antivirus
2008-05-20 22:50   94,208   --a------   C:\WINDOWS\efvr.exe
2008-05-20 22:50   217,088   --a------   C:\WINDOWS\nldfmtapowe.dll
2008-05-19 23:29   <DIR>   d--------   C:\DOCUME~1\HAROLD~1\APPLIC~1\TmpRecentIcons
2008-05-19 22:24   91,264   --a------   C:\WINDOWS\system32\tfwwaxaf.dll
2008-05-19 22:21   803,974   --ahs----   C:\WINDOWS\system32\iSYHQXyb.ini2
2008-05-19 22:21   318,336   --a------   C:\WINDOWS\system32\byXQHYSi.dll
2008-05-19 21:41   16,464   -r-hs----   C:\Program Files\tmp3.exe
2008-05-19 21:41   16,464   -r-hs----   C:\Program Files\tmp2.exe
2008-05-19 21:41   16,464   -r-hs----   C:\Program Files\tmp1.exe
2008-05-19 21:41   16,464   -r-hs----   C:\Program Files\tmp0.exe
2008-05-19 21:41   <DIR>   d--------   C:\WINDOWS\system32\382077
2008-05-17 18:44   96,256   --a------   C:\WINDOWS\system32\ctfmona.exe
2008-05-17 18:44   29,824   --a------   C:\WINDOWS\system32\urqPfDTm.dll
2008-05-17 18:44   29,056      C:\WINDOWS\system32\drivers\hqX86.sys
2008-05-17 18:44   14,336   --a------   C:\WINDOWS\system32\WinCtrl32.dll
2008-05-17 18:43   81,920   --a------   C:\WINDOWS\mdtgkswr.exe
2008-05-17 18:43   29,824   --a------   C:\WINDOWS\system32\qoMffDuS.dll
2008-05-17 18:43   217,088   --a------   C:\WINDOWS\pxgdslro.dll
2008-05-17 18:43   204,800   --a------   C:\WINDOWS\nldfmtappek.dll
2008-05-17 18:43   188,416   --a------   C:\WINDOWS\gktxaspm.dll
2008-05-17 18:43   176,128   --a------   C:\WINDOWS\gnowmebk.dll
2008-05-17 18:43   159,744   --a------   C:\WINDOWS\esta.exe
2008-05-17 18:43   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adsl Software Limited


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2008-05-20 21:55   ---------   d--------   C:\Program Files\Easy Internet signup
2008-05-17 18:05   ---------   d--------   C:\Program Files\Juno
2008-05-15 15:55   ---------   d--------   C:\Program Files\Pointsec
2008-04-11 10:34   ---------   d--------   C:\DOCUME~1\HAROLD~1\APPLIC~1\Intuit
2008-03-27 04:12   151583   --a------   C:\WINDOWS\system32\msjint40.dll
2008-03-27 04:12   151583   --a------   C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-25 00:50   838432   --a------   C:\WINDOWS\system32\mswdat10.dll
2008-03-25 00:50   838432   --a------   C:\WINDOWS\system32\dllcache\mswdat10.dll
2008-03-25 00:50   621344   --a------   C:\WINDOWS\system32\mswstr10.dll
2008-03-25 00:50   621344   --a------   C:\WINDOWS\system32\dllcache\mswstr10.dll
2008-03-25 00:50   60192   --a------   C:\WINDOWS\system32\msjter40.dll
2008-03-25 00:50   60192   --a------   C:\WINDOWS\system32\dllcache\msjter40.dll
2008-03-25 00:50   559904   --a------   C:\WINDOWS\system32\msrepl40.dll
2008-03-25 00:50   559904   --a------   C:\WINDOWS\system32\dllcache\msrepl40.dll
2008-03-25 00:50   554008   --a------   C:\WINDOWS\system32\dllcache\dao360.dll
2008-03-25 00:50   518944   --a------   C:\WINDOWS\system32\ms*xch40.dll
2008-03-25 00:50   518944   --a------   C:\WINDOWS\system32\dllcache\ms*xch40.dll
2008-03-25 00:50   432928   --a------   C:\WINDOWS\system32\msrd2x40.dll
2008-03-25 00:50   432928   --a------   C:\WINDOWS\system32\dllcache\msrd2x40.dll
2008-03-25 00:50   355112   --a------   C:\WINDOWS\system32\msjetoledb40.dll
2008-03-25 00:50   355112   --a------   C:\WINDOWS\system32\dllcache\msjetol1.dll
2008-03-25 00:50   355104   --a------   C:\WINDOWS\system32\msxbde40.dll
2008-03-25 00:50   355104   --a------   C:\WINDOWS\system32\mspbde40.dll
2008-03-25 00:50   355104   --a------   C:\WINDOWS\system32\dllcache\msxbde40.dll
2008-03-25 00:50   355104   --a------   C:\WINDOWS\system32\dllcache\mspbde40.dll
2008-03-25 00:50   326432   --a------   C:\WINDOWS\system32\ms*xcl40.dll
2008-03-25 00:50   326432   --a------   C:\WINDOWS\system32\dllcache\ms*xcl40.dll
2008-03-25 00:50   322336   --a------   C:\WINDOWS\system32\msrd3x40.dll
2008-03-25 00:50   322336   --a------   C:\WINDOWS\system32\dllcache\msrd3x40.dll
2008-03-25 00:50   264992   --a------   C:\WINDOWS\system32\mstext40.dll
2008-03-25 00:50   264992   --a------   C:\WINDOWS\system32\dllcache\mstext40.dll
2008-03-25 00:50   248608   --a------   C:\WINDOWS\system32\msjtes40.dll
2008-03-25 00:50   248608   --a------   C:\WINDOWS\system32\dllcache\msjtes40.dll
2008-03-25 00:50   219936   --a------   C:\WINDOWS\system32\msltus40.dll
2008-03-25 00:50   219936   --a------   C:\WINDOWS\system32\dllcache\msltus40.dll
2008-03-25 00:50   1516568   --a------   C:\WINDOWS\system32\msjet40.dll
2008-03-25 00:50   1516568   --a------   C:\WINDOWS\system32\dllcache\msjet40.dll
2008-03-19 05:47   1845248   --a------   C:\WINDOWS\system32\win32k.sys
2008-03-19 05:47   1845248   ---------   C:\WINDOWS\system32\dllcache\win32k.sys


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0683B6A6-0FF9-4C6C-9240-B71CA010D48F}]
2008-05-22 12:45   217088   --a------   C:\WINDOWS\nldfmtapndk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13B80BBC-97B5-4124-A5D8-72C3390A095D}]
2008-05-20 19:47   217088   --a------   C:\WINDOWS\nldfmtapowe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18F4FBD5-CDE8-492C-9365-1912378EECFE}]
2008-05-17 18:43   29824   --a------   C:\WINDOWS\system32\qoMffDuS.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3713B4F6-8273-48E9-B7D1-2BE4980717A8}]
2008-05-19 22:21   318336   --a------   C:\WINDOWS\system32\byXQHYSi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{831C798D-F9AD-4659-8625-63F2A439F439}]
2008-05-17 17:14   204800   --a------   C:\WINDOWS\nldfmtappek.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0A035EC-C865-4E47-BF73-B17741DD5232}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-07 23:40]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-04-07 15:22]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 13:24]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 04:01]
"CamMonitor"="C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 03:23]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-11-10 03:30]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-02-17 14:01]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [2002-06-26 23:47]
"AGRSMMSG"="AGRSMMSG.exe" [2004-01-30 12:01 C:\WINDOWS\AGRSMMSG.exe]
"Protect Tray"="C:\Program Files\Pointsec\P95tray.exe" [2003-12-18 03:57]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]

C:\Documents and Settings\Harold Warren\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2004-07-06 11:24:23]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 04:20:40]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-08-06]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{18F4FBD5-CDE8-492C-9365-1912378EECFE}"= C:\WINDOWS\system32\qoMffDuS.dll [2008-05-17 18:43 29824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"RamCheck"= {d3c46137-0c08-4eb9-90da-d9284615f2b3} - C:\WINDOWS\Resources\RamCheck.dll [2008-05-19 21:41 14886]
"gnowmebk"= {1CF15163-2F0A-4CE9-8D1B-FE398A2CCB5B} - C:\WINDOWS\gnowmebk.dll [2008-05-22 12:45 176128]
"pxgdslro"= {8C7FCE0B-F859-44AC-9D43-CCEBB6989CAD} - C:\WINDOWS\pxgdslro.dll [2008-05-22 12:45 217088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qoMffDuS]
qoMffDuS.dll 2008-05-17 18:43 29824 C:\WINDOWS\system32\qoMffDuS.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
WinCtrl32.dll 2008-05-22 14:17 14336 C:\WINDOWS\system32\WinCtrl32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLCtrl32]
WLCtrl32.dll 2008-05-22 14:17 12288 C:\WINDOWS\system32\WLCtrl32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\byXQHYSi

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hqX86.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Tel07.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\69c01f25]
rundll32.exe "C:\WINDOWS\system32\avuynkua.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\antiviirus]
C:\Program Files\antiviirus.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmona]
C:\WINDOWS\system32\ctfmona.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
C:\WINDOWS\System32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X83 Button Manager]
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X83 Button Monitor]
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxtorCombo]
"C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecordNow!]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
"C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
"C:\Program Files\TomTom HOME\TomTomHOME.exe" -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSpywareProtect (ver. 5.1)]
"C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\WinSpywareProtect.exe" /autorun

R0 hqX86;hqX86;C:\WINDOWS\system32\Drivers\hqX86.sys
R0 prot_2k;prot_2k;C:\WINDOWS\system32\drivers\prot_2k.sys
R0 Tel07;Tel07;C:\WINDOWS\system32\Drivers\Tel07.sys
R2 Pointsec;Pointsec;C:\WINDOWS\System32\PROT_SRV.EXE
R2 Pointsec_agent;Pointsec update agent;C:\WINDOWS\System32\pagents.exe
R2 Pointsec_start;Pointsec service start;C:\WINDOWS\System32\PSTARTSR.EXE
R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys
S3 CE3;Xircom Ethernet Adapter 10/100 Service;C:\WINDOWS\system32\DRIVERS\ce3n5.sys
S3 Novatel;Novatel Wireless EVDO Network Adapter;C:\WINDOWS\system32\DRIVERS\nw620.sys
S3 NWUSBModem;Novatel Wireless USB Modem Driver;C:\WINDOWS\system32\DRIVERS\nwusbmdm.sys
S3 NWUSBPort;Novatel Wireless USB Status Port Driver;C:\WINDOWS\system32\DRIVERS\nwusbser.sys


Contents of the 'Scheduled Tasks' folder
2008-03-15 00:00:17 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Harold Warren.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-22 14:53:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?Huh?Huh??4?7?9?7?Huh?Huh? ???B?Huh?Huh?Huh????hLC? Huh?Huh?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2008-05-22 14:57:43
C:\ComboFix-quarantined-files.txt ... 2008-05-22 14:57

   --- E O F ---
toppro77
« Reply #2 on: May 22, 2008, 07:08:01 PM »

Here is a fresh HJT log

Logfile of HijackThis v1.99.1
Scan saved at 2:38:49 PM, on 5/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Pointsec\P95tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\WINDOWS\System32\PROT_SRV.EXE
C:\WINDOWS\System32\pagents.exe
C:\WINDOWS\System32\PSTARTSR.EXE
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Messenger\msmsgs.exe
E:\Virus\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: gktxaspm - {C9A66198-D585-4160-A963-A889176926B0} - C:\WINDOWS\gktxaspm.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Protect Tray] "C:\Program Files\Pointsec\P95tray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .TIF: C:\Program Files\Internet Explorer\plugins\Npdview.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - https://java.sun.com/update/1.5.0/jinstall-1_5-windows-i586.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O21 - SSODL: RamCheck - {d3c46137-0c08-4eb9-90da-d9284615f2b3} - C:\WINDOWS\Resources\RamCheck.dll
O21 - SSODL: gnowmebk - {1CF15163-2F0A-4CE9-8D1B-FE398A2CCB5B} - C:\WINDOWS\gnowmebk.dll
O21 - SSODL: pxgdslro - {8C7FCE0B-F859-44AC-9D43-CCEBB6989CAD} - C:\WINDOWS\pxgdslro.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
O23 - Service: Pointsec - Unknown owner - C:\WINDOWS\System32\PROT_SRV.EXE
O23 - Service: Pointsec update agent (Pointsec_agent) - Unknown owner - C:\WINDOWS\System32\pagents.exe
O23 - Service: Pointsec service start (Pointsec_start) - Unknown owner - C:\WINDOWS\System32\PSTARTSR.EXE
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Pancake
« Reply #3 on: May 22, 2008, 11:12:02 PM »

Please download SDFix from here and save it to your desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(the drive that contains the Windows directory, typically C:\SDFix).

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer.
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
Instead of Windows loading as normal, the Advanced Options Menu should appear.
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
Press any key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to the clipboard ready for posting back on the forum).
Please copy and paste that log in your next reply.


toppro77
« Reply #4 on: May 26, 2008, 04:05:13 PM »

Hi pancake old buddy,
After I had posted the logs from my friend's computer I had fooled around with it some more on my own and did a few more things, and I think I solved most of his problems. I was all set to use the info you posted, but when I went back to work the next day he had taken his computer home so I couldn't do any more to it. I guess he is satisfied with what I did. Thanks for your help on this. Sorry it took me a couple of days to respond, but it was the weekend. :)
Pancake
« Reply #5 on: May 26, 2008, 11:04:32 PM »

Ok. Let's see how he goes. He still has an infection in there so it's not fixed...
toppro77
« Reply #6 on: May 29, 2008, 03:44:51 PM »

Ok Pancake, here is the SDFix log, and it looks like it got it this time. Let me know what you think.


SDFix: Version 1.186
Run by Harold Warren on Thu 05/29/2008 at 11:16 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
HQX86
TEL07

Path :
System32\Drivers\hqX86.sys
System32\Drivers\Tel07.sys

HQX86 - Deleted
TEL07 - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value
Restoring Default Desktop Wallpaper 

Rebooting

Service HQX86 - Deleted
Service TEL07 - Deleted

Checking Files :

Trojan Files Found:

C:\WINDOWS\Resources\RamCheck.dll - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\AntiMalwareGuard\AntiMalwareGuard.lnk - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\AntiMalwareGuard\Uninstall AntiMalwareGuard.lnk - Deleted
C:\Documents and Settings\Harold Warren\Desktop\Error Cleaner.url - Deleted
C:\Documents and Settings\Harold Warren\Favorites\Error Cleaner.url - Deleted
C:\Documents and Settings\Harold Warren\Desktop\Privacy Protector.url - Deleted
C:\Documents and Settings\Harold Warren\Favorites\Privacy Protector.url - Deleted
C:\Documents and Settings\Harold Warren\Desktop\Spyware&Malware Protection.url - Deleted
C:\Documents and Settings\Harold Warren\Favorites\Spyware&Malware Protection.url - Deleted
C:\Program Files\AntiMalwareGuard\amg.exe - Deleted
C:\Program Files\XP Antivirus\xpa.exe.tmp - Deleted
C:\WINDOWS\nldfmtapndk.dll - Deleted
C:\WINDOWS\nldfmtappdm.dll - Deleted
C:\Documents and Settings\Harold Warren\Desktop\AntiMalwareGuard.lnk  - Deleted
C:\WINDOWS\gktxaspm.dll  - Deleted
C:\WINDOWS\gnowmebk.dll  - Deleted
C:\WINDOWS\mdtgkswr.exe  - Deleted
C:\WINDOWS\pxgdslro.dll  - Deleted
C:\WINDOWS\system32\382077\382077.dll  - Deleted
C:\WINDOWS\system32\ctfmona.exe  - Deleted
C:\WINDOWS\system32\WinCtrl32.dll  - Deleted
C:\WINDOWS\system32\WLCtrl32.dll  - Deleted
C:\WINDOWS\system32\drivers\HQX86.sys - Deleted
C:\WINDOWS\system32\drivers\TEL07.sys - Deleted



Folder C:\Documents and Settings\All Users\Start Menu\Programs\AntiMalwareGuard - Removed
Folder C:\Program Files\AntiMalwareGuard - Removed
Folder C:\Program Files\XP Antivirus - Removed
Folder C:\WINDOWS\system32\382077 - Removed


Removing Temp Files

ADS Check :
 


                                 Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-29 11:31:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000121
"TracesSuccessful"=dword:00000005

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :

HQX86
TEL07



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 21 Feb 2005     1,715,200 A.SHR --- "C:\PROT_INS.SYS"
Thu 15 May 2003        43,008 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Mon  8 Oct 2007     8,348,280 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0d73c5f11656cfb2872f8f4bb0b3a716\BIT16.tmp"
Thu  8 May 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BITA.tmp"
Sat  8 Sep 2007       957,912 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\75e82597e92e4de4b8cbe6684b50f53e\BIT13.tmp"
Fri 12 Oct 2007       120,332 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\866dfbcabf59f6e422168c9ec5d1af75\BIT11.tmp"

Finished!

Pancake
« Reply #7 on: May 29, 2008, 11:03:19 PM »

That's taken out a bit more, so can you run that ComboFix again, as I need to check on hidden files.
toppro77
« Reply #8 on: June 01, 2008, 07:47:49 PM »

Hi Pancake,
After that fix I let the computer run for a good hour and no popups came back and nothing else was happening. I rebooted and let it sit another couple of hours and still no sign of any virus activity. The guy took his computer back home again, so I will see if he wants me to do another ComboFix scan or if he is satisfied with it the way it is.

Thanks for all your help, and I will post back if he wants me to do another scan, or else this can be closed if he doesn't.

Pancake
« Reply #9 on: June 01, 2008, 10:26:26 PM »

Ok. No problem.
toppro77
« Reply #10 on: June 03, 2008, 04:16:00 AM »

Hi Pancake,
The guy is bringing his computer back in tomorrow, so I should be able to do a new ComboFix scan. He says he is still getting pop-ups when he uses the internet now. It wasn't doing this before; it was just giving him pop-ups to buy a virus program, and now he says he's getting p*rn pop-ups. I guess we will see tomorrow just what's going on.
Pancake
« Reply #11 on: June 04, 2008, 12:34:04 AM »

Ok. No problem.
toppro77
« Reply #12 on: June 04, 2008, 04:19:36 PM »

Ok Pancake, here is a new ComboFix log and an HJT log.

ComboFix 07-08-17.2 - "Harold Warren" 2008-06-04 11:18:18.4 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.244 [GMT -4:00]


(((((((((((((((((((((((((   Files Created from 2008-05-04 to 2008-06-04  )))))))))))))))))))))))))))))))


2008-06-04 11:17   95,232   --a------   C:\WINDOWS\system32\wogtonrn.dll
2008-06-02 14:51   95,232   ---------   C:\WINDOWS\system32\eksxumrf.dll
2008-05-29 11:06   <DIR>   d--------   C:\WINDOWS\ERUNT
2008-05-23 22:29   15,104   --a------   C:\WINDOWS\system32\drivers\usbscan.sys
2008-05-23 19:18   94,208   --a------   C:\WINDOWS\epse.exe
2008-05-23 19:05   <DIR>   d--------   C:\Program Files\MyRegistryCleaner
2008-05-22 15:35   2,462   --a------   C:\WINDOWS\system32\tmp.reg
2008-05-22 13:44   <DIR>   d--------   C:\DOCUME~1\HAROLD~1\APPLIC~1\Lavasoft
2008-05-22 13:29   94,208   --a------   C:\WINDOWS\eavx.exe
2008-05-22 13:08   <DIR>   d--------   C:\VundoFix Backups
2008-05-22 09:38   160,256   --a------   C:\WINDOWS\system32\blackster.scr
2008-05-21 20:13   90,112   --a------   C:\WINDOWS\system32\avuynkua.dll
2008-05-21 10:45   51,200   --a------   C:\WINDOWS\nircmd.exe
2008-05-21 10:37   <DIR>   d--------   C:\WINDOWS\pss
2008-05-20 22:50   94,208   --a------   C:\WINDOWS\efvr.exe
2008-05-19 23:29   <DIR>   d--------   C:\DOCUME~1\HAROLD~1\APPLIC~1\TmpRecentIcons
2008-05-19 22:24   91,264   --a------   C:\WINDOWS\system32\tfwwaxaf.dll
2008-05-19 22:21   388,516   --ahs----   C:\WINDOWS\system32\iSYHQXyb.ini2
2008-05-19 22:21   318,336   --a------   C:\WINDOWS\system32\byXQHYSi.dll
2008-05-17 18:44   29,824   --a------   C:\WINDOWS\system32\urqPfDTm.dll
2008-05-17 18:43   29,824   --a------   C:\WINDOWS\system32\qoMffDuS.dll
2008-05-17 18:43   159,744   --a------   C:\WINDOWS\esta.exe
2008-05-17 18:43   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adsl Software Limited


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2008-06-03 16:03   ---------   d--------   C:\Program Files\Juno
2008-05-23 22:51   ---------   d--------   C:\Program Files\Call of Duty Game of the Year Edition
2008-05-23 22:13   ---------   d--------   C:\Program Files\TomTom HOME
2008-05-20 21:55   ---------   d--------   C:\Program Files\Easy Internet signup
2008-05-15 15:55   ---------   d--------   C:\Program Files\Pointsec
2008-04-11 10:34   ---------   d--------   C:\DOCUME~1\HAROLD~1\APPLIC~1\Intuit
2008-03-27 04:12   151583   --a------   C:\WINDOWS\system32\msjint40.dll
2008-03-27 04:12   151583   --a------   C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-25 00:50   838432   --a------   C:\WINDOWS\system32\mswdat10.dll
2008-03-25 00:50   838432   --a------   C:\WINDOWS\system32\dllcache\mswdat10.dll
2008-03-25 00:50   621344   --a------   C:\WINDOWS\system32\mswstr10.dll
2008-03-25 00:50   621344   --a------   C:\WINDOWS\system32\dllcache\mswstr10.dll
2008-03-25 00:50   60192   --a------   C:\WINDOWS\system32\msjter40.dll
2008-03-25 00:50   60192   --a------   C:\WINDOWS\system32\dllcache\msjter40.dll
2008-03-25 00:50   559904   --a------   C:\WINDOWS\system32\msrepl40.dll
2008-03-25 00:50   559904   --a------   C:\WINDOWS\system32\dllcache\msrepl40.dll
2008-03-25 00:50   554008   --a------   C:\WINDOWS\system32\dllcache\dao360.dll
2008-03-25 00:50   518944   --a------   C:\WINDOWS\system32\msexch40.dll
2008-03-25 00:50   518944   --a------   C:\WINDOWS\system32\dllcache\msexch40.dll
2008-03-25 00:50   432928   --a------   C:\WINDOWS\system32\msrd2x40.dll
2008-03-25 00:50   432928   --a------   C:\WINDOWS\system32\dllcache\msrd2x40.dll
2008-03-25 00:50   355112   --a------   C:\WINDOWS\system32\msjetoledb40.dll
2008-03-25 00:50   355112   --a------   C:\WINDOWS\system32\dllcache\msjetol1.dll
2008-03-25 00:50   355104   --a------   C:\WINDOWS\system32\msxbde40.dll
2008-03-25 00:50   355104   --a------   C:\WINDOWS\system32\mspbde40.dll
2008-03-25 00:50   355104   --a------   C:\WINDOWS\system32\dllcache\msxbde40.dll
2008-03-25 00:50   355104   --a------   C:\WINDOWS\system32\dllcache\mspbde40.dll
2008-03-25 00:50   326432   --a------   C:\WINDOWS\system32\msexcl40.dll
2008-03-25 00:50   326432   --a------   C:\WINDOWS\system32\dllcache\msexcl40.dll
2008-03-25 00:50   322336   --a------   C:\WINDOWS\system32\msrd3x40.dll
2008-03-25 00:50   322336   --a------   C:\WINDOWS\system32\dllcache\msrd3x40.dll
2008-03-25 00:50   264992   --a------   C:\WINDOWS\system32\mstext40.dll
2008-03-25 00:50   264992   --a------   C:\WINDOWS\system32\dllcache\mstext40.dll
2008-03-25 00:50   248608   --a------   C:\WINDOWS\system32\msjtes40.dll
2008-03-25 00:50   248608   --a------   C:\WINDOWS\system32\dllcache\msjtes40.dll
2008-03-25 00:50   219936   --a------   C:\WINDOWS\system32\msltus40.dll
2008-03-25 00:50   219936   --a------   C:\WINDOWS\system32\dllcache\msltus40.dll
2008-03-25 00:50   1516568   --a------   C:\WINDOWS\system32\msjet40.dll
2008-03-25 00:50   1516568   --a------   C:\WINDOWS\system32\dllcache\msjet40.dll
2008-03-19 05:47   1845248   --a------   C:\WINDOWS\system32\win32k.sys
2008-03-19 05:47   1845248   ---------   C:\WINDOWS\system32\dllcache\win32k.sys


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18F4FBD5-CDE8-492C-9365-1912378EECFE}]
2008-05-17 18:43   29824   --a------   C:\WINDOWS\system32\qoMffDuS.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3D1D6A2C-E648-4026-B788-D5218A4D7E4D}]
2008-05-19 22:21   318336   --a------   C:\WINDOWS\system32\byXQHYSi.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-07 23:40]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-04-07 15:22]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 13:24]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 04:01]
"CamMonitor"="C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 03:23]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-11-10 03:30]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-02-17 14:01]
"AGRSMMSG"="AGRSMMSG.exe" [2004-01-30 12:01 C:\WINDOWS\AGRSMMSG.exe]
"Protect Tray"="C:\Program Files\Pointsec\P95tray.exe" [2003-12-18 03:57]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-05-16 14:37]
"69c01f25"="C:\WINDOWS\system32\wogtonrn.dll" [2008-06-04 11:17]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]

C:\Documents and Settings\Harold Warren\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2004-07-06 11:24:23]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 04:20:40]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-08-06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{18F4FBD5-CDE8-492C-9365-1912378EECFE}"= C:\WINDOWS\system32\qoMffDuS.dll [2008-05-17 18:43 29824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qoMffDuS]
qoMffDuS.dll 2008-05-17 18:43 29824 C:\WINDOWS\system32\qoMffDuS.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\byXQHYSi

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hqX86.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Tel07.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\69c01f25]
rundll32.exe "C:\WINDOWS\system32\avuynkua.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\antiviirus]
C:\Program Files\antiviirus.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmona]
C:\WINDOWS\system32\ctfmona.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
C:\WINDOWS\System32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X83 Button Manager]
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X83 Button Monitor]
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxtorCombo]
"C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecordNow!]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
"C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
"C:\Program Files\TomTom HOME\TomTomHOME.exe" -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSpywareProtect (ver. 5.1)]
"C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\WinSpywareProtect.exe" /autorun

R0 prot_2k;prot_2k;C:\WINDOWS\system32\drivers\prot_2k.sys
R2 Pointsec;Pointsec;C:\WINDOWS\System32\PROT_SRV.EXE
R2 Pointsec_agent;Pointsec update agent;C:\WINDOWS\System32\pagents.exe
R2 Pointsec_start;Pointsec service start;C:\WINDOWS\System32\PSTARTSR.EXE
R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys
S3 CE3;Xircom Ethernet Adapter 10/100 Service;C:\WINDOWS\system32\DRIVERS\ce3n5.sys
S3 Novatel;Novatel Wireless EVDO Network Adapter;C:\WINDOWS\system32\DRIVERS\nw620.sys
S3 NWUSBModem;Novatel Wireless USB Modem Driver;C:\WINDOWS\system32\DRIVERS\nwusbmdm.sys
S3 NWUSBPort;Novatel Wireless USB Status Port Driver;C:\WINDOWS\system32\DRIVERS\nwusbser.sys


Contents of the 'Scheduled Tasks' folder
2008-05-24 01:28:23 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Harold Warren.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-04 11:24:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe [trailing unprintable data, garbled in the forum rendering]

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2008-06-04 11:27:33
C:\ComboFix-quarantined-files.txt ... 2008-06-04 11:27
C:\ComboFix2.txt ... 2008-05-23 21:58
C:\ComboFix3.txt ... 2008-05-22 14:57

   --- E O F ---


toppro77
« Reply #13 on: June 04, 2008, 04:20:19 PM »

The reason I'm posting a HJT log is that he was getting redirects and I wanted to find what was causing that. I already had HJT fix O14. It seems to have cleared up this problem. Let me know if anything else needs to be done.

Thanks


Logfile of HijackThis v1.99.1
Scan saved at 11:55:55 AM, on 6/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Pointsec\P95tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\WINDOWS\System32\PROT_SRV.EXE
C:\WINDOWS\System32\pagents.exe
C:\WINDOWS\System32\PSTARTSR.EXE
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Messenger\msmsgs.exe
E:\Virus\HiJack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Protect Tray] "C:\Program Files\Pointsec\P95tray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [69c01f25] rundll32.exe "C:\WINDOWS\system32\wogtonrn.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .TIF: C:\Program Files\Internet Explorer\plugins\Npdview.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - https://java.sun.com/update/1.5.0/jinstall-1_5-windows-i586.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OSCM Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
O23 - Service: Pointsec - Unknown owner - C:\WINDOWS\System32\PROT_SRV.EXE
O23 - Service: Pointsec update agent (Pointsec_agent) - Unknown owner - C:\WINDOWS\System32\pagents.exe
O23 - Service: Pointsec service start (Pointsec_start) - Unknown owner - C:\WINDOWS\System32\PSTARTSR.EXE
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Pancake
Global Moderator
« Reply #14 on: June 04, 2008, 10:45:26 PM »

Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes. Confirm that you have only the listed ones checked, then press <Fix checked> and close HJT.


O4 - HKLM\..\Run: [69c01f25] rundll32.exe "C:\WINDOWS\system32\wogtonrn.dll",b
O4 - Startup: PowerReg Scheduler.exe


Reboot.

==============================

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

Quote

Killall::

File::
C:\WINDOWS\system32\wogtonrn.dll
C:\WINDOWS\system32\eksxumrf.dll
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\blackster.scr
C:\WINDOWS\system32\avuynkua.dll
C:\WINDOWS\system32\iSYHQXyb.ini2
C:\WINDOWS\system32\byXQHYSi.dll
C:\WINDOWS\system32\urqPfDTm.dll
C:\WINDOWS\system32\qoMffDuS.dll
C:\WINDOWS\eavx.exe
C:\WINDOWS\efvr.exe
C:\WINDOWS\esta.exe
C:\WINDOWS\system32\wogtonrn.dll
C:\Program Files\antiviirus.exe
C:\WINDOWS\system32\ctfmona.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18F4FBD5-CDE8-492C-9365-1912378EECFE}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3D1D6A2C-E648-4026-B788-D5218A4D7E4D}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"69c01f25"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qoMffDuS]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00 
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\69c01f25]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\antiviirus]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmona]

 

Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.




Referring to the picture above, drag CFScript.txt onto ComboFix.exe.


When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply.


*Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer.*
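As an added detection example, not code from this thread or from the HijackThis or ComboFix projects: a small Python parser for the O4 (autostart) lines of the HijackThis log posted above. It flags the two entries Pancake asked to have fixed using three heuristics of my own (a random-looking 8-digit hex value name, rundll32 loading a system32 DLL through a one-letter export, and a raw .exe sitting in a Startup folder instead of a .lnk shortcut). The sample lines are copied from the log; the function names and heuristics are assumptions, not HijackThis rules.

```python
import re

# Constructed sample: the O4 (autostart) lines copied from the HijackThis log posted above.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [69c01f25] rundll32.exe "C:\WINDOWS\system32\wogtonrn.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
"""
# HJT O4 layout: "O4 - <location>: [<value name>] <command>"; Startup-folder entries have no [name].
O4_RE = re.compile(r'^O4 - (?P<loc>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$')
HEX_NAME = re.compile(r'^[0-9a-f]{8}$', re.I)
RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S*)', re.I)

def parse_o4(line):
    """Return (location, value name or None, command) for an O4 line, else None."""
    m = O4_RE.match(line.strip())
    return (m.group('loc'), m.group('name'), m.group('cmd')) if m else None

def reasons_for(loc, name, cmd):
    """Heuristics (my own, not HijackThis rules) that mark an autostart entry for review."""
    reasons = []
    if name and HEX_NAME.match(name):
        reasons.append('value name is a random-looking 8-digit hex string')
    m = RUNDLL.match(cmd)
    if m and 'system32' in m.group('dll').lower() and len(m.group('export')) <= 1:
        reasons.append('rundll32 loads a system32 DLL through a one-letter export')
    filename = cmd.split(' = ')[0]          # "<file>.lnk = <target>" for shortcut entries
    if loc.lower().endswith('startup') and filename.lower().endswith('.exe'):
        reasons.append('raw .exe in a Startup folder instead of a .lnk shortcut')
    return reasons

def suspicious_o4(log_text):
    """Return [(line, reasons)] for every O4 entry that trips at least one heuristic."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_o4(line)
        if parsed:
            reasons = reasons_for(*parsed)
            if reasons:
                hits.append((line.strip(), reasons))
    return hits

if __name__ == '__main__':
    for line, why in suspicious_o4(SAMPLE_HJT):
        print(line, '->', '; '.join(why))
```

Run against the sample it reports exactly the [69c01f25] rundll32 entry and the PowerReg Scheduler.exe Startup entry, the same two lines the moderator listed for fixing.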

