hjean_0619

Hillarie's own topic here


Welcome to the Lavasoft Support Forums kelshorn :)

 

Please download the HijackThis Installer from here, then run a scan and save the log. Close that log; we won't be needing it.

 

Next, download Deckard's System Scanner (dss.exe) and save it to your desktop.

  • Close all applications and windows.
  • Double click on dss.exe to run it and follow the prompts.
  • When the scan is complete, two text files will open: main.txt, which will be maximized, and extra.txt, which will be minimized.

Post the contents of main.txt only for now.

 

I'm having the same problem. Here's the Main.txt file from my scan.

 

Deckard's System Scanner v20071014.68

Run by Hillarie Meenach on 2007-11-17 14:49:05

Computer is in Normal Mode.

--------------------------------------------------------------------------------

 

-- System Restore --------------------------------------------------------------

 

Successfully created a Deckard's System Scanner Restore Point.

 

 

-- Last 5 Restore Point(s) --

63: 2007-11-17 19:49:19 UTC - RP211 - Deckard's System Scanner Restore Point

62: 2007-11-17 19:12:32 UTC - RP210 - Installed Java 6 Update 3

61: 2007-11-17 18:34:17 UTC - RP209 - ComboFix created restore point

60: 2007-11-17 18:21:38 UTC - RP208 - Installed Symantec Technical Support Web Controls

59: 2007-11-17 18:02:36 UTC - RP207 - Installed Windows Internet Explorer 7.

 

 

-- First Restore Point --

1: 2007-11-15 22:52:11 UTC - RP149 - Software Distribution Service 3.0

 

 

Backed up registry hives.

Performed disk cleanup.

 

 

 

-- HijackThis Clone ------------------------------------------------------------

 

 

Emulating logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2007-11-17 14:55:03

Platform: Windows XP Service Pack 2 (5.01.2600)

MSIE: Internet Explorer (7.00.6000.16544)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\system32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\ati2evxx.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\HPQ\Quick Launch Buttons\eabservr.exe

C:\WINDOWS\system32\dlcqcoms.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Apoint2K\ApntEx.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Documents and Settings\Hillarie Meenach\Local Settings\Temporary Internet Files\Content.IE5\B2V742LP\Windows-KB890830-V1.35[1].exe

C:\b1483d8782a6ac973e7ed9f\mrtstub.exe

C:\WINDOWS\system32\MRT.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Hillarie Meenach\Local Settings\Temporary Internet Files\Content.IE5\G5CYWT10\dss[1].exe

C:\Program Files\Common Files\Symantec Shared\COH\COH32.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {200D0AAD-71B1-51C9-DDB0-092BA4662A54} - C:\Program Files\Lcufneyf\yyxrqzrb.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Common Files\Symantec Shared\IDS\IPSBHO.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\pmnlklj.dll

O2 - BHO: {4a5c9542-f4e2-4d78-9694-ea88078dfb8f} - {f8bfd870-88ae-4969-87d4-2e4f2459c5a4} - C:\WINDOWS\system32\drcggork.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll

O3 - Toolbar: (no name) - - (no file)

O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll

O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O8 - Extra context menu item: &AOL Toolbar search - blank

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - CmdMapping - (file missing)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (file missing)

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe

O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: https://owa.dmacafe.com (HKCU)

O15 - Trusted Zone: https://ecampus.phoenix.edu (HKCU)

O15 - Trusted Zone: https://hwconnect.towers.com (HKCU)

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} () - http://activation.rr.com/install/downloads/tgctlcm.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633

O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/activedata/nprdtinf.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab

O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab

O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} () - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137208026859

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab

O16 - DPF: {A91FB93D-7561-4524-8484-5C27C8FA8D42} (WwLuxor Control) - http://www.worldwinner.com/games/v49/luxor/luxor.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326

O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL

O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL

O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL

O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

O20 - Winlogon Notify: pmnlklj - C:\WINDOWS\system32\pmnlklj.dll

O20 - Winlogon Notify: winbue32 - C:\WINDOWS\system32\winbue32.dll (file missing)

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\ati2evxx.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: dlcq_device - Unknown owner - C:\WINDOWS\system32\dlcqcoms.exe

O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

 

 

--

End of file - 12413 bytes

 

-- File Associations -----------------------------------------------------------

 

All associations okay.

 

 

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

 

R3 catchme - c:\docume~1\hillar~1\locals~1\temp\catchme.sys (file missing)

 

S3 chimou2k (WHEEL MOUSE PS2 MOUSE Filter Driver) - c:\windows\system32\drivers\bcm8042p.sys <Not Verified; ; Win2k/XP mouse driver>

S3 PhDebug32 - c:\bios\hr60\debug32.sys <Not Verified; Phoenix Technologies Ltd.; PhlashEx>

S3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>

 

 

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

 

S3 hpqwmi (HP WMI Interface) - c:\program files\hpq\shared\hpqwmi.exe <Not Verified; Hewlett-Packard Development Company, L.P.; hpqwmi Module>

 

 

-- Device Manager: Disabled ----------------------------------------------------

 

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: Broadcom 802.11b/g WLAN

Device ID: PCI\VEN_14E4&DEV_4320&SUBSYS_12FA103C&REV_03\4&253A0906&0&10A4

Manufacturer: Broadcom

Name: Broadcom 802.11b/g WLAN #2

PNP Device ID: PCI\VEN_14E4&DEV_4320&SUBSYS_12FA103C&REV_03\4&253A0906&0&10A4

Service: BCM43XX

 

 

-- Scheduled Tasks -------------------------------------------------------------

 

2007-11-16 15:58:12 644 --a------ C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Hillarie Meenach.job

2007-11-09 17:15:00 412 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job

2007-09-17 10:45:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

 

 

-- Files created between 2007-10-17 and 2007-11-17 -----------------------------

 

2007-11-17 14:02:42 0 d-------- C:\b1483d8782a6ac973e7ed9f

2007-11-17 11:46:09 0 d-------- C:\Program Files\Common Files\SupportSoft

2007-11-17 00:59:14 0 d-------- C:\Program Files\MSBuild

2007-11-17 00:45:05 0 d-------- C:\WINDOWS\system32\XPSViewer

2007-11-17 00:40:52 0 d-------- C:\Program Files\Reference Assemblies

2007-11-17 00:31:07 0 d-------- C:\Program Files\MSXML 6.0

2007-11-16 22:11:39 0 d-------- C:\Program Files\Lcufneyf

2007-11-16 16:53:07 0 d-------- C:\WINDOWS\tiinst

2007-11-16 15:45:33 0 d-------- C:\Program Files\Windows Sidebar

2007-11-16 15:42:32 0 d-------- C:\Program Files\Norton Internet Security

2007-11-16 14:07:23 78273 --a------ C:\WINDOWS\system32\ukrtkldy.dll

2007-11-16 14:01:16 81984 --a------ C:\WINDOWS\system32\drcggork.dll

2007-11-16 14:01:10 139196 --a------ C:\WINDOWS\system32\pyhyyfpw.dll

2007-11-16 13:43:31 0 d-------- C:\Program Files\Frfmgdtl

2007-11-15 18:15:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2007-11-14 21:24:36 36352 --a------ C:\WINDOWS\system32\pmnlklj.dll

2007-11-10 19:14:22 0 d-------- C:\spoolerlogs

 

 

-- Find3M Report ---------------------------------------------------------------

 

2007-11-17 14:35:17 0 d-------- C:\Program Files\Common Files\Symantec Shared

2007-11-17 14:15:27 0 d-------- C:\Program Files\Java

2007-11-17 11:46:09 0 d-------- C:\Program Files\Common Files

2007-11-16 22:08:25 0 d-------- C:\Program Files\Google

2007-11-16 20:49:00 0 d-------- C:\Program Files\Dell Photo AIO Printer 966

2007-11-16 20:48:22 0 d--h----- C:\Program Files\InstallShield Installation Information

2007-11-16 16:05:53 0 d-------- C:\Program Files\Symantec

2007-11-16 16:00:34 0 d-------- C:\Program Files\LimeWire

2007-11-16 15:51:06 0 d-------- C:\Documents and Settings\Hillarie Meenach\Application Data\Symantec

2007-11-16 13:24:39 0 d-------- C:\Program Files\TuneUp Utilities 2007

2007-11-15 18:15:31 0 d-------- C:\Program Files\Lavasoft

2007-11-15 18:14:33 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard

2007-11-13 20:55:26 0 d-------- C:\Documents and Settings\Hillarie Meenach\Application Data\uTorrent

2007-11-01 14:24:26 0 d-------- C:\Documents and Settings\Hillarie Meenach\Application Data\AdobeUM

2007-10-27 11:02:30 0 d-------- C:\Program Files\Dell PC Fax

2007-10-20 16:19:22 0 d-------- C:\Documents and Settings\Hillarie Meenach\Application Data\LimeWire

2007-10-08 20:35:56 0 d-------- C:\Program Files\Abbyy FineReader 6.0 Sprint

2007-10-08 20:27:52 6686 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys

2007-10-08 20:27:50 104 -rahs---- C:\WINDOWS\system32\2D8732E96E.sys

2007-10-08 20:27:45 88 -rahs---- C:\WINDOWS\system32\6EE932872D.sys

2007-08-20 17:41:43 3472 --a------ C:\WINDOWS\system32\d3d9caps.dat

 

 

-- Registry Dump ---------------------------------------------------------------

 

*Note* empty entries & legit default entries are not shown

 

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{200D0AAD-71B1-51C9-DDB0-092BA4662A54}]

11/16/2007 10:11 PM 114688 --a------ C:\Program Files\Lcufneyf\yyxrqzrb.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]

08/24/2007 10:51 PM 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]

11/16/2007 03:44 PM 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}]

11/14/2007 09:24 PM 36352 --a------ C:\WINDOWS\system32\pmnlklj.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f8bfd870-88ae-4969-87d4-2e4f2459c5a4}]

11/16/2007 02:01 PM 81984 --a------ C:\WINDOWS\system32\drcggork.dll

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [08/24/2007 10:51 PM 316784]

 

[-HKEY_CLASSES_ROOT\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]

[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]

[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [12/03/2004 01:24 PM]

"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [10/07/2003 10:40 PM]

"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [02/16/2005 10:11 PM]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [08/25/2007 12:07 AM]

"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [08/24/2007 11:53 PM]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:00 AM]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [10/23/2003 11:37:56 PM]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}"= C:\WINDOWS\system32\pmnlklj.dll [11/14/2007 09:24 PM 36352]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnlklj]

pmnlklj.dll 11/14/2007 09:24 PM 36352 C:\WINDOWS\system32\pmnlklj.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbue32]

winbue32.dll

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mljjh.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"

"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

"Microsoft Windows Update x86"=firefox.exe

"MemoryCardManager"="C:\Program Files\Dell Photo AIO Printer 966\memcard.exe"

"dlcqmon.exe"="C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe"

"DLCQCATS"=rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCQtime.dll,[email protected]

"zidgxitu"=regsvr32 /u "C:\Documents and Settings\All Users\Application Data\zidgxitu.dll"

"SC2"=C:\Program Files\SecCenter\scprot4.exe

"kvarwfkp"=rundll32.exe "C:\Program Files\kvarwfkp\yvuxypoj.dll",Init

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]

"Microsoft Windows Update x86"=firefox.exe

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

 

*Newly Created Service* - COMHOST

 

 

 

-- End of Deckard's System Scanner: finished at 2007-11-17 14:58:53 ------------

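The indicators a helper reads out of a log like the one above (unnamed BHOs loading DLLs with random-looking names from system32 or from a random-named folder under Program Files, Winlogon Notify packages, an extra LSA Authentication Package, Run entries that point at a path-less executable or at a rundll32-loaded DLL) can be checked mechanically. The script below is an added example by the editor, not part of this thread and not code from DSS or HijackThis; the rule names, the name-randomness thresholds and the sample lines (a reconstructed subset of the log above) are the editor's own choices, and the heuristic will occasionally flag a legitimate Windows DLL, so treat hits as items to research rather than a verdict.

```python
"""Triage HijackThis/DSS-style log lines for Vundo-like persistence indicators.

Added example; not part of the original thread or of the DSS/HijackThis tools.
The rules and thresholds below are the editor's heuristics, not the tools' logic.
"""
import ntpath
import re

# Constructed sample: a subset of the posted log, in the same line format.
SAMPLE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {200D0AAD-71B1-51C9-DDB0-092BA4662A54} - C:\Program Files\Lcufneyf\yyxrqzrb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\pmnlklj.dll
O2 - BHO: {4a5c9542-f4e2-4d78-9694-ea88078dfb8f} - {f8bfd870-88ae-4969-87d4-2e4f2459c5a4} - C:\WINDOWS\system32\drcggork.dll
O20 - Winlogon Notify: pmnlklj - C:\WINDOWS\system32\pmnlklj.dll
O20 - Winlogon Notify: winbue32 - C:\WINDOWS\system32\winbue32.dll (file missing)
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mljjh.dll
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [08/25/2007 12:07 AM]
"kvarwfkp"=rundll32.exe "C:\Program Files\kvarwfkp\yvuxypoj.dll",Init
"Microsoft Windows Update x86"=firefox.exe
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
LSA_RE = re.compile(r'^"Authentication Packages"=\s*(?P<pkgs>.+)$')
RUN_RE = re.compile(r'^"(?P<key>[^"]+)"=(?P<cmd>.+)$')
DLL_IN_CMD_RE = re.compile(r'([A-Za-z]:\\[^",]+\.dll)', re.IGNORECASE)


def looks_random(name: str) -> bool:
    """Machine-generated names such as 'pmnlklj' or 'yyxrqzrb': all lowercase,
    5-10 letters, and either vowel-poor or carrying a run of five or more
    consonants. Thresholds are the editor's assumption; a triage signal only."""
    if not re.fullmatch(r"[a-z]{5,10}", name):
        return False
    vowel_ratio = sum(c in "aeiou" for c in name) / len(name)
    return vowel_ratio <= 0.25 or re.search(r"[^aeiou]{5,}", name) is not None


def _stem(path: str) -> str:
    """File name without extension, for a Windows path (ntpath works on any OS)."""
    return ntpath.splitext(ntpath.basename(path.strip().strip('"')))[0]


def _parent(path: str) -> str:
    """Name of the directory holding the file."""
    return ntpath.basename(ntpath.dirname(path.strip().strip('"')))


def triage(log_text: str) -> list:
    """Return (rule, line) pairs for lines matching a persistence heuristic."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := BHO_RE.match(line):
            # Unnamed or CLSID-named BHO whose DLL or folder looks generated.
            anonymous = m["name"] == "(no name)" or m["name"].startswith("{")
            if anonymous and (looks_random(_stem(m["path"])) or looks_random(_parent(m["path"]))):
                hits.append(("bho-unnamed-random-dll", line))
        elif m := NOTIFY_RE.match(line):
            # Winlogon Notify DLLs load into winlogon.exe at logon; HijackThis
            # already hides the Windows defaults, so anything random or dangling matters.
            if "(file missing)" in m["path"] or looks_random(_stem(m["path"])):
                hits.append(("winlogon-notify", line))
        elif m := LSA_RE.match(line):
            # LSA loads every listed package into lsass.exe; only msv1_0 is expected.
            if [p for p in m["pkgs"].split() if p.lower() != "msv1_0"]:
                hits.append(("lsa-auth-package", line))
        elif m := RUN_RE.match(line):
            cmd = m["cmd"].strip()
            if cmd.lower().startswith("rundll32"):
                dll = DLL_IN_CMD_RE.search(cmd)
                if dll and (looks_random(_stem(dll[1])) or looks_random(_parent(dll[1]))):
                    hits.append(("run-rundll32-random-dll", line))
            elif "\\" not in cmd:
                # A bare executable name is resolved through the search path at logon.
                hits.append(("run-no-path", line))
    return hits


if __name__ == "__main__":
    for rule, line in triage(SAMPLE):
        print(f"[{rule}] {line}")
```

Run as-is it reports eight hits from the sample and leaves the Adobe, Spybot and Symantec entries alone; to triage a real log, pass the file contents to `triage()`. The LSA rule is the one worth knowing about: a DLL listed under Authentication Packages is loaded by lsass.exe itself, which is why such an entry survives a browser-level cleanup.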

Welcome to the Lavasoft Support Forums Hillarie :)

 

Download VundoFix by Atribune, saving it to your desktop.

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HijackThis log in a reply to this thread.

Note: It is possible that VundoFix encounters a file it cannot remove. In this case, VundoFix will run on reboot. If that happens, follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

 

 

Please post the contents of C:\ComboFix.txt as well.


 

 

I ran VundoFix and it scanned but found nothing. So no text file was created in the C:\vundofix directory. However, I reran HijackThis and here is the log:

 

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 6:19:12 PM, on 11/17/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\dlcqcoms.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Hillarie Meenach\Desktop\Utilities\HiJackThis_v2.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {200D0AAD-71B1-51C9-DDB0-092BA4662A54} - C:\Program Files\Lcufneyf\yyxrqzrb.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\pmnlklj.dll

O2 - BHO: {4a5c9542-f4e2-4d78-9694-ea88078dfb8f} - {f8bfd870-88ae-4969-87d4-2e4f2459c5a4} - C:\WINDOWS\system32\drcggork.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll

O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll

O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O8 - Extra context menu item: &AOL Toolbar search - blank

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://activation.rr.com/install/downloads/tgctlcm.cab

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633

O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/activedata/nprdtinf.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab

O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab

O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137208026859

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab

O16 - DPF: {A91FB93D-7561-4524-8484-5C27C8FA8D42} (WwLuxor Control) - http://www.worldwinner.com/games/v49/luxor/luxor.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326

O20 - Winlogon Notify: pmnlklj - C:\WINDOWS\SYSTEM32\pmnlklj.dll

O20 - Winlogon Notify: winbue32 - winbue32.dll (file missing)

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: dlcq_device - - C:\WINDOWS\system32\dlcqcoms.exe

O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--

End of file - 11014 bytes

Here is the combofix log as well:

ComboFix 07-11-08.1 - Hillarie Meenach 2007-11-17 13:36:38.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.444 [GMT -5:00]

Running from: C:\Documents and Settings\Hillarie Meenach\Local Settings\Temporary Internet Files\Content.IE5\WG8I9D94\ComboFix[1].exe

* Created a new restore point

.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\All Users\Application Data.\zidgxitu.dll

C:\Program Files\SecCenter

C:\Program Files\SecCenter\scprot4.exe

C:\Program Files\SecCenter\scprot4.exe.bak

C:\Program Files\SecCenter\scprot4.exe~

C:\WINDOWS\Downloaded Program Files\ODCTOOLS

C:\WINDOWS\system32\fibagbia

C:\WINDOWS\system32\fibagbia\bg1.gif

C:\WINDOWS\system32\fibagbia\bgtop.gif

C:\WINDOWS\system32\fibagbia\bottom1.gif

C:\WINDOWS\system32\fibagbia\essentials.gif

C:\WINDOWS\system32\fibagbia\fibagbia1.exe

C:\WINDOWS\system32\fibagbia\fibagbia2.exe

C:\WINDOWS\system32\fibagbia\fibagbia3.exe

C:\WINDOWS\system32\fibagbia\icon1.ico

C:\WINDOWS\system32\fibagbia\install1.gif

C:\WINDOWS\system32\fibagbia\left1.gif

C:\WINDOWS\system32\fibagbia\li.gif

C:\WINDOWS\system32\fibagbia\logo.gif

C:\WINDOWS\system32\fibagbia\main.htm

C:\WINDOWS\system32\fibagbia\mainframe.htm

C:\WINDOWS\system32\fibagbia\reinstall1.gif

C:\WINDOWS\system32\fibagbia\right1.gif

C:\WINDOWS\system32\fibagbia\s1.htm

C:\WINDOWS\system32\fibagbia\s2.htm

C:\WINDOWS\system32\fibagbia\s3.htm

C:\WINDOWS\system32\fibagbia\SMTop1.gif

C:\WINDOWS\system32\fibagbia\SMTop2.gif

C:\WINDOWS\system32\fibagbia\SMTop3.gif

C:\WINDOWS\system32\fibagbia\SMTop4.gif

C:\WINDOWS\system32\fibagbia\soft1_off.gif

C:\WINDOWS\system32\fibagbia\soft1_off_ext.gif

C:\WINDOWS\system32\fibagbia\soft1_on.gif

C:\WINDOWS\system32\fibagbia\soft1_on_ext.gif

C:\WINDOWS\system32\fibagbia\soft2_off.gif

C:\WINDOWS\system32\fibagbia\soft2_off_ext.gif

C:\WINDOWS\system32\fibagbia\soft2_on.gif

C:\WINDOWS\system32\fibagbia\soft2_on_ext.gif

C:\WINDOWS\system32\fibagbia\soft3_off.gif

C:\WINDOWS\system32\fibagbia\soft3_off_ext.gif

C:\WINDOWS\system32\fibagbia\soft3_on.gif

C:\WINDOWS\system32\fibagbia\soft3_on_ext.gif

C:\WINDOWS\system32\fibagbia\softbottom_off.gif

C:\WINDOWS\system32\fibagbia\softbottom_on.gif

C:\WINDOWS\system32\fibagbia\softleft_off.gif

C:\WINDOWS\system32\fibagbia\softleft_on.gif

C:\WINDOWS\system32\fibagbia\top1.gif

C:\WINDOWS\system32\fibagbia\top2.gif

C:\WINDOWS\system32\fibagbia\turnoff1.gif

C:\WINDOWS\system32\fibagbia\turnon1.gif

C:\WINDOWS\system32\hjjlm.ini

C:\WINDOWS\system32\hjjlm.ini2

C:\WINDOWS\system32\mljjh.dll

.

((((((((((((((((((((((((( Files Created from 2007-10-17 to 2007-11-17 )))))))))))))))))))))))))))))))

.

2007-11-17 13:33 51,200 --a------ C:\WINDOWS\NirCmd.exe

2007-11-17 11:46 <DIR> d-------- C:\Program Files\Common Files\SupportSoft

2007-11-17 00:59 <DIR> d-------- C:\Program Files\MSBuild

2007-11-17 00:45 <DIR> d-------- C:\WINDOWS\system32\XPSViewer

2007-11-17 00:40 <DIR> d-------- C:\Program Files\Reference Assemblies

2007-11-17 00:36 14,048 --------- C:\WINDOWS\system32\spmsg2.dll

2007-11-17 00:31 <DIR> d-------- C:\Program Files\MSXML 6.0

2007-11-16 22:11 <DIR> d-------- C:\Program Files\Lcufneyf

2007-11-16 16:53 <DIR> d-------- C:\WINDOWS\tiinst

2007-11-16 15:45 <DIR> d-------- C:\Program Files\Windows Sidebar

2007-11-16 15:42 <DIR> d-------- C:\Program Files\Norton Internet Security

2007-11-16 15:38 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS

2007-11-16 15:38 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL

2007-11-16 14:07 78,273 --a------ C:\WINDOWS\system32\ukrtkldy.dll

2007-11-16 14:01 139,196 --a------ C:\WINDOWS\system32\pyhyyfpw.dll

2007-11-16 14:01 81,984 --a------ C:\WINDOWS\system32\drcggork.dll

2007-11-16 13:43 <DIR> d-------- C:\Program Files\Frfmgdtl

2007-11-15 18:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2007-11-14 21:24 36,352 --a------ C:\WINDOWS\system32\pmnlklj.dll

2007-11-10 19:14 <DIR> d-------- C:\spoolerlogs

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-11-17 18:26 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2007-11-17 18:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec

2007-11-17 03:08 --------- d-----w C:\Program Files\Google

2007-11-17 01:49 --------- d-----w C:\Program Files\Dell Photo AIO Printer 966

2007-11-17 01:48 --------- d--h--w C:\Program Files\InstallShield Installation Information

2007-11-16 21:05 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF

2007-11-16 21:05 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT

2007-11-16 21:05 --------- d-----w C:\Program Files\Symantec

2007-11-16 21:00 --------- d-----w C:\Program Files\LimeWire

2007-11-16 20:51 --------- d-----w C:\Documents and Settings\Hillarie Meenach\Application Data\Symantec

2007-11-16 18:24 --------- d-----w C:\Program Files\TuneUp Utilities 2007

2007-11-15 23:15 --------- d-----w C:\Program Files\Lavasoft

2007-11-15 23:14 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2007-11-14 01:55 --------- d-----w C:\Documents and Settings\Hillarie Meenach\Application Data\uTorrent

2007-11-01 19:24 --------- d-----w C:\Documents and Settings\Hillarie Meenach\Application Data\AdobeUM

2007-10-27 16:02 --------- d-----w C:\Program Files\Dell PC Fax

2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll

2007-10-20 21:19 --------- d-----w C:\Documents and Settings\Hillarie Meenach\Application Data\LimeWire

2007-10-16 16:40 91,520 ----a-w C:\WINDOWS\HPBroker.dll

2007-10-09 01:35 --------- d-----w C:\Program Files\Abbyy FineReader 6.0 Sprint

2007-10-09 01:27 6,686 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys

2007-09-18 19:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat

2007-09-18 19:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat

2007-09-18 19:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat

2007-09-18 19:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf

2007-09-18 19:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf

2007-09-18 19:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf

2007-09-18 19:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys

2007-09-18 19:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys

2007-09-18 19:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys

2007-08-29 19:18 577,928 ----a-w C:\WINDOWS\system32\SymNeti.dll

2007-08-23 23:57 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll

2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll

2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\dllcache\inetcomm.dll

2007-08-20 10:04 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll

2007-08-20 10:04 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll

2007-08-20 10:04 63,488 ----a-w C:\WINDOWS\system32\dllcache\icardie.dll

2007-08-20 10:04 6,058,496 ----a-w C:\WINDOWS\system32\dllcache\ieframe.dll

2007-08-20 10:04 52,224 ----a-w C:\WINDOWS\system32\dllcache\msfeedsbs.dll

2007-08-20 10:04 477,696 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll

2007-08-20 10:04 459,264 ----a-w C:\WINDOWS\system32\dllcache\msfeeds.dll

2007-08-20 10:04 44,544 ----a-w C:\WINDOWS\system32\dllcache\iernonce.dll

2007-08-20 10:04 384,512 ----a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll

2007-08-20 10:04 383,488 ----a-w C:\WINDOWS\system32\dllcache\ieapfltr.dll

2007-08-20 10:04 3,584,512 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll

2007-08-20 10:04 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll

2007-08-20 10:04 267,776 ----a-w C:\WINDOWS\system32\dllcache\iertutil.dll

2007-08-20 10:04 232,960 ----a-w C:\WINDOWS\system32\dllcache\webcheck.dll

2007-08-20 10:04 230,400 ----a-w C:\WINDOWS\system32\dllcache\ieaksie.dll

2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll

2007-08-20 10:04 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll

2007-08-20 10:04 153,088 ----a-w C:\WINDOWS\system32\dllcache\ieakeng.dll

2007-08-20 10:04 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll

2007-08-20 10:04 124,928 ----a-w C:\WINDOWS\system32\dllcache\advpack.dll

2007-08-20 10:04 105,984 ----a-w C:\WINDOWS\system32\dllcache\url.dll

2007-08-20 10:04 102,400 ----a-w C:\WINDOWS\system32\dllcache\occache.dll

2007-08-20 10:04 1,152,000 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll

2007-08-17 10:21 625,152 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe

2007-08-17 10:20 63,488 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe

2007-08-17 10:20 13,824 ----a-w C:\WINDOWS\system32\dllcache\ieudinit.exe

2007-08-17 07:34 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll

2006-08-24 00:22 274 ----a-w C:\Documents and Settings\Hillarie Meenach\Application Data\wklnhst.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{200D0AAD-71B1-51C9-DDB0-092BA4662A54}]

2007-11-16 22:11 114688 --a------ C:\Program Files\Lcufneyf\yyxrqzrb.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]

2007-08-24 22:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]

2007-11-16 15:44 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}]

2007-11-14 21:24 36352 --a------ C:\WINDOWS\system32\pmnlklj.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f8bfd870-88ae-4969-87d4-2e4f2459c5a4}]

2007-11-16 14:01 81984 --a------ C:\WINDOWS\system32\drcggork.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-24 22:51 316784]

 

[HKEY_CLASSES_ROOT\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]

[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]

[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-24 22:51 316784]

 

[HKEY_CLASSES_ROOT\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]

[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]

[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 13:24]

"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-07 22:40]

"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 22:11]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-08-25 00:07]

"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-24 23:53]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}"= C:\WINDOWS\system32\pmnlklj.dll [2007-11-14 21:24 36352]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnlklj]

pmnlklj.dll 2007-11-14 21:24 36352 C:\WINDOWS\system32\pmnlklj.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbue32]

winbue32.dll

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mljjh.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"

"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

"Microsoft Windows Update x86"=firefox.exe

"MemoryCardManager"="C:\Program Files\Dell Photo AIO Printer 966\memcard.exe"

"dlcqmon.exe"="C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe"

"DLCQCATS"=rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCQtime.dll,[email protected]

"zidgxitu"=regsvr32 /u "C:\Documents and Settings\All Users\Application Data\zidgxitu.dll"

"SC2"=C:\Program Files\SecCenter\scprot4.exe

"kvarwfkp"=rundll32.exe "C:\Program Files\kvarwfkp\yvuxypoj.dll",Init

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]

"Microsoft Windows Update x86"=firefox.exe

 

R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys

R2 dlcq_device;dlcq_device;C:\WINDOWS\system32\dlcqcoms.exe -service

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon

R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe -k netsvcs

R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys

S3 chimou2k;WHEEL MOUSE PS2 MOUSE Filter Driver;C:\WINDOWS\system32\DRIVERS\bcm8042p.sys

S3 COH_Mon;COH_Mon;\??\C:\WINDOWS\system32\Drivers\COH_Mon.sys

S3 PhDebug32;PhDebug32;\??\c:\bios\hr60\debug32.sys

S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

 

*Newly Created Service* - COMHOST

.

Contents of the 'Scheduled Tasks' folder

"2007-11-09 22:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"

- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe

"2007-09-17 15:45:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

"2007-11-16 20:58:12 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Hillarie Meenach.job"

- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe

.

**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-11-17 13:52:43

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2007-11-17 13:55:54 - machine was rebooted

.

--- E O F ---

I will say that since all my different scans and whatnot today, the problem has not reoccurred since about 3 hours ago. But please check my logs and let me know what you find. Thank you!


Download ComboFix by sUBs from here or here, saving the file to your desktop.

  • Close all open programs and windows
  • Double click combofix.exe and follow the prompts.
  • When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

I tried both of those links to download/install combofix.exe. It said that the version was out of date and to find the new version. I can't seem to find any newer version though! Help!


Download VundoFix by Atribune, saving it to your desktop.

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new dss log in a reply here.

Note: It is possible that VundoFix encounters a file it could not remove. In this case, VundoFix will run on reboot. If that happens, follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

My browser is still hijacked! I thought it was fixed but nope, still getting redirected all over the place.

I ran VundoFix and it came back with 0 files detected. I also reran combofix.exe. Here is the log:

ComboFix 07-12-02.6 - Hillarie Meenach 2007-12-03 21:29:52.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.442 [GMT -5:00]

Running from: C:\Documents and Settings\Hillarie Meenach\Desktop\Utilities\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\system32\ukrtkldy.dll

.

((((((((((((((((((((((((( Files Created from 2007-11-04 to 2007-12-04 )))))))))))))))))))))))))))))))

.

2007-12-03 21:30 . 2007-12-03 21:30 6,736 --a------ C:\WINDOWS\system32\drivers\PROCEXP90.SYS

2007-11-24 20:10 . 2007-11-27 13:56 <DIR> d-------- C:\Program Files\QuickTime

2007-11-24 20:09 . 2007-11-24 20:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple

2007-11-21 11:04 . 2007-11-21 11:04 <DIR> d-------- C:\VundoFix Backups

2007-11-17 14:48 . 2007-11-17 14:48 <DIR> d-------- C:\Deckard

2007-11-17 14:15 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl

2007-11-17 11:46 . 2007-11-17 11:46 <DIR> d-------- C:\Program Files\Common Files\SupportSoft

2007-11-17 00:59 . 2007-11-17 00:59 <DIR> d-------- C:\Program Files\MSBuild

2007-11-17 00:45 . 2007-12-03 19:13 <DIR> d-------- C:\WINDOWS\system32\XPSViewer

2007-11-17 00:40 . 2007-11-17 00:40 <DIR> d-------- C:\Program Files\Reference Assemblies

2007-11-17 00:36 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll

2007-11-17 00:31 . 2007-11-17 00:31 <DIR> d-------- C:\Program Files\MSXML 6.0

2007-11-16 22:11 . 2007-11-16 22:11 <DIR> d-------- C:\Program Files\Lcufneyf

2007-11-16 16:53 . 2007-11-16 16:53 <DIR> d-------- C:\WINDOWS\tiinst

2007-11-16 15:45 . 2007-11-16 15:45 <DIR> d-------- C:\Program Files\Windows Sidebar

2007-11-16 15:42 . 2007-11-16 15:48 <DIR> d-------- C:\Program Files\Norton Internet Security

2007-11-16 15:38 . 2007-11-16 16:05 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS

2007-11-16 15:38 . 2007-11-16 16:05 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL

2007-11-16 15:38 . 2007-11-16 16:05 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT

2007-11-16 15:38 . 2007-11-16 16:05 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF

2007-11-16 13:43 . 2007-11-16 13:43 <DIR> d-------- C:\Program Files\Frfmgdtl

2007-11-16 13:00 . 2007-11-16 20:07 210 --a------ C:\WINDOWS\wininit.ini

2007-11-10 19:14 . 2007-11-10 19:14 <DIR> d-------- C:\spoolerlogs

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-12-04 02:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec

2007-12-04 01:50 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2007-11-25 01:09 --------- d-----w C:\Program Files\Apple Software Update

2007-11-21 16:16 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2007-11-21 16:16 --------- d-----w C:\Documents and Settings\Hillarie Meenach\Application Data\Lavasoft

2007-11-20 02:34 --------- d-----w C:\Program Files\TuneUp Utilities 2007

2007-11-20 02:31 --------- d-----w C:\Program Files\ActiveX Control Pad

2007-11-17 19:15 --------- d-----w C:\Program Files\Java

2007-11-17 03:08 --------- d-----w C:\Program Files\Google

2007-11-17 01:49 --------- d-----w C:\Program Files\Dell Photo AIO Printer 966

2007-11-17 01:48 --------- d--h--w C:\Program Files\InstallShield Installation Information

2007-11-16 21:05 --------- d-----w C:\Program Files\Symantec

2007-11-16 21:00 --------- d-----w C:\Program Files\LimeWire

2007-11-16 20:51 --------- d-----w C:\Documents and Settings\Hillarie Meenach\Application Data\Symantec

2007-11-14 01:55 --------- d-----w C:\Documents and Settings\Hillarie Meenach\Application Data\uTorrent

2007-11-01 19:24 --------- d-----w C:\Documents and Settings\Hillarie Meenach\Application Data\AdobeUM

2007-10-27 16:02 --------- d-----w C:\Program Files\Dell PC Fax

2007-10-20 21:19 --------- d-----w C:\Documents and Settings\Hillarie Meenach\Application Data\LimeWire

2007-10-16 16:40 91,520 ----a-w C:\WINDOWS\HPBroker.dll

2007-10-09 01:35 --------- d-----w C:\Program Files\Abbyy FineReader 6.0 Sprint

2006-08-24 00:22 274 ----a-w C:\Documents and Settings\Hillarie Meenach\Application Data\wklnhst.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{200D0AAD-71B1-51C9-DDB0-092BA4662A54}]

2007-11-16 22:11 114688 --a------ C:\Program Files\Lcufneyf\yyxrqzrb.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]

2007-08-24 22:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]

2007-11-16 15:44 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f8bfd870-88ae-4969-87d4-2e4f2459c5a4}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-24 22:51 316784]

 

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]

[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]

[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-24 22:51 316784]

 

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]

[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]

[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 13:24]

"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-07 22:40]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-08-25 00:07]

"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-24 23:53]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbue32]

winbue32.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"

"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

"MemoryCardManager"="C:\Program Files\Dell Photo AIO Printer 966\memcard.exe"

"dlcqmon.exe"="C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe"

 

R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys

R2 dlcq_device;dlcq_device;C:\WINDOWS\system32\dlcqcoms.exe -service

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon

R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe -k netsvcs

R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys

S3 chimou2k;WHEEL MOUSE PS2 MOUSE Filter Driver;C:\WINDOWS\system32\DRIVERS\bcm8042p.sys

S3 COH_Mon;COH_Mon;\??\C:\WINDOWS\system32\Drivers\COH_Mon.sys

S3 PhDebug32;PhDebug32;\??\c:\bios\hr60\debug32.sys

S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

 

*Newly Created Service* - COMHOST

.

Contents of the 'Scheduled Tasks' folder

"2007-11-30 22:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"

- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe

"2007-11-25 01:09:40 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

"2007-12-04 01:00:01 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Hillarie Meenach.job"

- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:

.

**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-12-03 21:35:55

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2007-12-03 21:37:14 - machine was rebooted

C:\ComboFix2.txt ... 2007-11-17 13:55

.

--- E O F ---

;)


Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

 

Filename: CFScript.txt

Save As Type: All Files (*.*)

 

Folder::
C:\Program Files\Lcufneyf
C:\Program Files\Frfmgdtl
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{200D0AAD-71B1-51C9-DDB0-092BA4662A54}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f8bfd870-88ae-4969-87d4-2e4f2459c5a4}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbue32]

 

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a fresh HijackThis log.

 

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

 

Please open the following file with notepad and post its contents here, if present.

 

C:\WINDOWS\wininit.ini


 

 

I copied the text into CFScript.txt and dragged it onto ComboFix.

 

Here is the new combofix log:

 

ComboFix 07-12-02.6 - Hillarie Meenach 2007-12-04 18:11:34.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.538 [GMT -5:00]

Running from: C:\Documents and Settings\Hillarie Meenach\Desktop\Utilities\ComboFix.exe

Command switches used :: C:\Documents and Settings\Hillarie Meenach\Desktop\Utilities\CFScript.txt

* Created a new restore point

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Program Files\Frfmgdtl

C:\Program Files\Frfmgdtl\ffmiwadg.dll

C:\Program Files\Lcufneyf

C:\Program Files\Lcufneyf\yyxrqzrb.dll

 

.

((((((((((((((((((((((((( Files Created from 2007-11-04 to 2007-12-04 )))))))))))))))))))))))))))))))

.

 

2007-12-03 21:30 . 2007-12-04 18:11 6,736 --a------ C:\WINDOWS\system32\drivers\PROCEXP90.SYS

2007-11-24 20:10 . 2007-11-27 13:56 <DIR> d-------- C:\Program Files\QuickTime

2007-11-24 20:09 . 2007-11-24 20:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple

2007-11-21 11:04 . 2007-11-21 11:04 <DIR> d-------- C:\VundoFix Backups

2007-11-17 14:48 . 2007-11-17 14:48 <DIR> d-------- C:\Deckard

2007-11-17 14:15 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl

2007-11-17 11:46 . 2007-11-17 11:46 <DIR> d-------- C:\Program Files\Common Files\SupportSoft

2007-11-17 00:59 . 2007-11-17 00:59 <DIR> d-------- C:\Program Files\MSBuild

2007-11-17 00:45 . 2007-12-03 19:13 <DIR> d-------- C:\WINDOWS\system32\XPSViewer

2007-11-17 00:40 . 2007-11-17 00:40 <DIR> d-------- C:\Program Files\Reference Assemblies

2007-11-17 00:36 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll

2007-11-17 00:31 . 2007-11-17 00:31 <DIR> d-------- C:\Program Files\MSXML 6.0

2007-11-16 16:53 . 2007-11-16 16:53 <DIR> d-------- C:\WINDOWS\tiinst

2007-11-16 15:45 . 2007-11-16 15:45 <DIR> d-------- C:\Program Files\Windows Sidebar

2007-11-16 15:42 . 2007-11-16 15:48 <DIR> d-------- C:\Program Files\Norton Internet Security

2007-11-16 15:38 . 2007-11-16 16:05 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS

2007-11-16 15:38 . 2007-11-16 16:05 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL

2007-11-16 15:38 . 2007-11-16 16:05 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT

2007-11-16 15:38 . 2007-11-16 16:05 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF

2007-11-16 13:00 . 2007-11-16 20:07 210 --a------ C:\WINDOWS\wininit.ini

2007-11-10 19:14 . 2007-11-10 19:14 <DIR> d-------- C:\spoolerlogs

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-12-04 23:00 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2007-12-04 22:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec

2007-11-25 01:09 --------- d-----w C:\Program Files\Apple Software Update

2007-11-21 16:16 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2007-11-21 16:16 --------- d-----w C:\Documents and Settings\Hillarie Meenach\Application Data\Lavasoft

2007-11-20 02:34 --------- d-----w C:\Program Files\TuneUp Utilities 2007

2007-11-20 02:31 --------- d-----w C:\Program Files\ActiveX Control Pad

2007-11-17 19:15 --------- d-----w C:\Program Files\Java

2007-11-17 03:08 --------- d-----w C:\Program Files\Google

2007-11-17 01:49 --------- d-----w C:\Program Files\Dell Photo AIO Printer 966

2007-11-17 01:48 --------- d--h--w C:\Program Files\InstallShield Installation Information

2007-11-16 21:05 --------- d-----w C:\Program Files\Symantec

2007-11-16 21:00 --------- d-----w C:\Program Files\LimeWire

2007-11-16 20:51 --------- d-----w C:\Documents and Settings\Hillarie Meenach\Application Data\Symantec

2007-11-14 01:55 --------- d-----w C:\Documents and Settings\Hillarie Meenach\Application Data\uTorrent

2007-11-01 19:24 --------- d-----w C:\Documents and Settings\Hillarie Meenach\Application Data\AdobeUM

2007-10-27 16:02 --------- d-----w C:\Program Files\Dell PC Fax

2007-10-20 21:19 --------- d-----w C:\Documents and Settings\Hillarie Meenach\Application Data\LimeWire

2007-10-16 16:40 91,520 ----a-w C:\WINDOWS\HPBroker.dll

2007-10-09 01:35 --------- d-----w C:\Program Files\Abbyy FineReader 6.0 Sprint

2006-08-24 00:22 274 ----a-w C:\Documents and Settings\Hillarie Meenach\Application Data\wklnhst.dat

.

 

((((((((((((((((((((((((((((( [email protected]_21.36.33.45 )))))))))))))))))))))))))))))))))))))))))

.

- 2007-12-04 01:36:48 78,850 ----a-w C:\WINDOWS\system32\perfc009.dat

+ 2007-12-04 07:14:46 78,850 ----a-w C:\WINDOWS\system32\perfc009.dat

- 2007-12-04 01:36:48 457,332 ----a-w C:\WINDOWS\system32\perfh009.dat

+ 2007-12-04 07:14:46 457,332 ----a-w C:\WINDOWS\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]

2007-08-24 22:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]

2007-11-16 15:44 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-24 22:51 316784]

 

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]

[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]

[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-24 22:51 316784]

 

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]

[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]

[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 13:24]

"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-07 22:40]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-08-25 00:07]

"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-24 23:53]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"

"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

"MemoryCardManager"="C:\Program Files\Dell Photo AIO Printer 966\memcard.exe"

"dlcqmon.exe"="C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe"

 

R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys

R2 dlcq_device;dlcq_device;C:\WINDOWS\system32\dlcqcoms.exe -service

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon

R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe -k netsvcs

R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys

S3 chimou2k;WHEEL MOUSE PS2 MOUSE Filter Driver;C:\WINDOWS\system32\DRIVERS\bcm8042p.sys

S3 COH_Mon;COH_Mon;\??\C:\WINDOWS\system32\Drivers\COH_Mon.sys

S3 PhDebug32;PhDebug32;\??\c:\bios\hr60\debug32.sys

S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

 

*Newly Created Service* - COMHOST

.

Contents of the 'Scheduled Tasks' folder

"2007-11-30 22:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"

- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe

"2007-11-25 01:09:40 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

"2007-12-04 01:00:01 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Hillarie Meenach.job"

- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:

.

**************************************************************************

 

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-12-04 18:17:31

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2007-12-04 18:18:54 - machine was rebooted

C:\ComboFix2.txt ... 2007-12-03 21:37

C:\ComboFix3.txt ... 2007-11-17 13:55

.

--- E O F ---

 

 

And here is the new HijackThis log:

 

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 6:20:31 PM, on 12/4/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\WINDOWS\system32\dlcqcoms.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Documents and Settings\Hillarie Meenach\Desktop\Utilities\HiJackThis_v2.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll

O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll

O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O8 - Extra context menu item: &AOL Toolbar search - blank

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://activation.rr.com/install/downloads/tgctlcm.cab

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633

O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/activedata/nprdtinf.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab

O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab

O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137208026859

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab

O16 - DPF: {A91FB93D-7561-4524-8484-5C27C8FA8D42} (WwLuxor Control) - http://www.worldwinner.com/games/v49/luxor/luxor.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: dlcq_device - - C:\WINDOWS\system32\dlcqcoms.exe

O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\system32\HPZipm12.exe (file missing)

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

 

--

End of file - 10120 bytes

 

 

And here is the wininit file contents:

 

[rename]

c:\tempjunk7940.tmp=C:\WINDOWS\system32\winbue32.dll_tobedeleted_old

nul=c:\tempjunk9580.tmp

c:\tempjunk9580.tmp=C:\Documents and Settings\All Users\Application Data\wdcpcnez.dll_tobedeleted_old

 

THANK YOU FOR ALL OF YOUR HELP!!!


I'm a bit confused by the presence of the wininit.ini file. It is a commonly used file on Windows 95, 98 and ME to delete files in use on reboot, but has generally been replaced by a registry value in Windows 2000, XP and Vista. Let's get rid of it, and check for the presence of the files it was aimed at.

 

Look for and delete the following files if found.

 

C:\tempjunk7940.tmp

C:\tempjunk9580.tmp

C:\Documents and Settings\All Users\Application Data\wdcpcnez.dll_tobedeleted_old

C:\WINDOWS\system32\winbue32.dll_tobedeleted_old

C:\WINDOWS\wininit.ini

 

Your logs look good otherwise. Click Start>Run and type ComboFix /u then hit enter to remove ComboFix.

 

Delete the following.

 

VundoFix.exe

dss.exe

 

Then empty the recycle bin.

 

Let's do an online scan to be sure we haven't missed something. Please do an online scan with Kaspersky WebScanner.

 

Click on Kaspersky Online Scanner

 

You will be prompted to install an ActiveX component from Kaspersky; click Yes.

  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK.
  • Now under "select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button.
  • Save the file to your desktop.

Post the Kaspersky log and one more fresh HijackThis log. Let me know how your computer is behaving.
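An added example, not code from the thread or from any of the tools used in it: a small parser for the wininit.ini [rename] section in the form shown above (`target=source` lines processed at boot, with a `nul` target meaning the source is deleted). The sample input is the file the poster showed, copied in as a constructed string, and `still_present` takes an `exists` callback so the "check for the files it was aimed at" step can be run offline.

```python
"""Parse the [rename] section of a Windows 9x-style wininit.ini.

Added example (not from the thread): each line under [rename] reads
target=source; at boot the file `source` is moved to `target`, and a
target of `nul` means `source` is deleted. The sample below is the
file the poster showed above, copied in as constructed input.
"""
import os
from dataclasses import dataclass
from typing import Callable, List

# The wininit.ini contents posted in the thread (constructed sample input).
SAMPLE_WININIT = r"""[rename]
c:\tempjunk7940.tmp=C:\WINDOWS\system32\winbue32.dll_tobedeleted_old
nul=c:\tempjunk9580.tmp
c:\tempjunk9580.tmp=C:\Documents and Settings\All Users\Application Data\wdcpcnez.dll_tobedeleted_old
"""


@dataclass
class RenameOp:
    """One pending boot-time operation: move `source` to `target`."""
    source: str
    target: str

    @property
    def is_delete(self) -> bool:
        # A target of NUL (any case) tells Windows to delete the source.
        return self.target.lower() == "nul"


def parse_rename_section(text: str) -> List[RenameOp]:
    """Return the [rename] directives in file order.

    A hand-written parser is used rather than configparser because the
    section legitimately repeats the `nul` key and keys must keep their case.
    """
    ops: List[RenameOp] = []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if not in_rename or "=" not in line:
            continue
        target, source = line.split("=", 1)
        ops.append(RenameOp(source=source.strip(), target=target.strip()))
    return ops


def describe(op: RenameOp) -> str:
    """Human-readable form of one directive."""
    if op.is_delete:
        return f"delete {op.source}"
    return f"rename {op.source} -> {op.target}"


def referenced_files(ops: List[RenameOp]) -> List[str]:
    """Every real path the directives touch, first spelling kept, no duplicates.

    This is the list a responder checks after the boot-time processing was
    supposed to happen: anything still on disk was never cleaned up.
    """
    seen = {}
    for op in ops:
        candidates = [op.source] if op.is_delete else [op.target, op.source]
        for path in candidates:
            seen.setdefault(path.lower(), path)
    return list(seen.values())


def still_present(ops: List[RenameOp],
                  exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Paths from the directives that still exist; `exists` is injectable for offline use."""
    return [p for p in referenced_files(ops) if exists(p)]


if __name__ == "__main__":
    pending = parse_rename_section(SAMPLE_WININIT)
    for op in pending:
        print(describe(op))
    print("still on disk:", still_present(pending))
```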


 

I could not locate the first four files you listed, even using search. I did however delete the wininit.ini file.

 

I also ran the Kaspersky scan. Here is the log:

 

 

-------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER REPORT

Wednesday, December 05, 2007 8:36:33 PM

Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)

Kaspersky Online Scanner version: 5.0.98.0

Kaspersky Anti-Virus database last update: 6/12/2007

Kaspersky Anti-Virus database records: 473458

-------------------------------------------------------------------------------

 

Scan Settings:

Scan using the following antivirus database: extended

Scan Archives: true

Scan Mail Bases: true

 

Scan Target - My Computer:

C:\

D:\

 

Scan Statistics:

Total number of scanned objects: 71336

Number of viruses found: 8

Number of infected objects: 32

Number of suspicious objects: 0

Duration of the scan process: 01:26:50

 

Infected Object Name / Virus Name / Last Action

C:\Documents and Settings\All Users\Application Data\muvee Technologies30625102106\values Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\ccSubSDK\submissions.idx Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Confid.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Content.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Privacy.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Restrict.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.DAT Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\volatile.DAT Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\WebHist.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{0D38AA3A-EEB5-4FDA-A3BC-CE56E4A8AA7E}.DAT Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{1F11FC07-88DD-4EE7-9403-1A5E568BAC27}.DAT Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{A069B1CF-7D7D-478D-8E96-8953C473627D}.DAT Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{E23DCEBE-00B4-4DEA-97F3-6A73323523A2}.DAT Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-12-05_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\14042BBF.exe/svchost1.exe Infected: Backdoor.Win32.Iroffer.1217 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\14042BBF.exe/system.exe Infected: Backdoor.Win32.ServU-based skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\14042BBF.exe/FireDaemon.exe Infected: not-a-virus:RemoteAdmin.Win32.RA.3826 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\14042BBF.exe/setup.bat Infected: Trojan.BAT.Zapchast skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\14042BBF.exe/HIDDEN32.EXE Infected: not-a-virus:RiskTool.Win32.HideWindows skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\14042BBF.exe ZIP: infected - 5 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\14042BBF.exe CryptFF: infected - 5 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3DA22599.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3DA22599.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3DA22599.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3DA22599.exe/stream/data0007 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3DA22599.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3DA22599.exe NSIS: infected - 5 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3DA22599.exe CryptFF: infected - 5 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3DAB238E.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3DAB238E.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3DAB238E.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3DAB238E.exe/stream/data0007 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3DAB238E.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3DAB238E.exe NSIS: infected - 5 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3DAB238E.exe CryptFF: infected - 5 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\57C151B6.exe Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5D620E4B.exe/stream/data0001 Infected: Trojan-Clicker.Win32.VB.la skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5D620E4B.exe/stream Infected: Trojan-Clicker.Win32.VB.la skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5D620E4B.exe NSIS: infected - 2 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5D620E4B.exe CryptFF: infected - 2 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\660E14BF.exe/stream/data0001 Infected: Trojan-Clicker.Win32.VB.la skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\660E14BF.exe/stream Infected: Trojan-Clicker.Win32.VB.la skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\660E14BF.exe NSIS: infected - 2 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\660E14BF.exe CryptFF: infected - 2 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\68782305.exe Infected: Trojan-Clicker.Win32.VB.la skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\68BC310C.exe Infected: Trojan.Win32.VB.aad skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Shared\QBackup\index.qbs Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\Shl_{7442C751-1C92-4D2D-9960-AE2AB7EA6BA7}.ldb Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\Shl_{7442C751-1C92-4D2D-9960-AE2AB7EA6BA7}.sds Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\5F329491.TMP Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\8DEECAA7.TMP Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped

C:\Documents and Settings\Hillarie Meenach\Application Data\Mozilla\Firefox\Profiles\mts7rxhw.default\cert8.db Object is locked skipped

C:\Documents and Settings\Hillarie Meenach\Application Data\Mozilla\Firefox\Profiles\mts7rxhw.default\formhistory.dat Object is locked skipped

C:\Documents and Settings\Hillarie Meenach\Application Data\Mozilla\Firefox\Profiles\mts7rxhw.default\history.dat Object is locked skipped

C:\Documents and Settings\Hillarie Meenach\Application Data\Mozilla\Firefox\Profiles\mts7rxhw.default\key3.db Object is locked skipped

C:\Documents and Settings\Hillarie Meenach\Application Data\Mozilla\Firefox\Profiles\mts7rxhw.default\parent.lock Object is locked skipped

C:\Documents and Settings\Hillarie Meenach\Application Data\Mozilla\Firefox\Profiles\mts7rxhw.default\search.sqlite Object is locked skipped

C:\Documents and Settings\Hillarie Meenach\Application Data\Symantec\NPMDataStore\CIMStore.xml Object is locked skipped

C:\Documents and Settings\Hillarie Meenach\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Hillarie Meenach\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Hillarie Meenach\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Hillarie Meenach\Local Settings\Application Data\Mozilla\Firefox\Profiles\mts7rxhw.default\Cache\_CACHE_001_ Object is locked skipped

C:\Documents and Settings\Hillarie Meenach\Local Settings\Application Data\Mozilla\Firefox\Profiles\mts7rxhw.default\Cache\_CACHE_002_ Object is locked skipped

C:\Documents and Settings\Hillarie Meenach\Local Settings\Application Data\Mozilla\Firefox\Profiles\mts7rxhw.default\Cache\_CACHE_003_ Object is locked skipped

C:\Documents and Settings\Hillarie Meenach\Local Settings\Application Data\Mozilla\Firefox\Profiles\mts7rxhw.default\Cache\_CACHE_MAP_ Object is locked skipped

C:\Documents and Settings\Hillarie Meenach\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Hillarie Meenach\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Hillarie Meenach\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Hillarie Meenach\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Hillarie Meenach\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\AntiSpam\Log\Spam.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped

C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped

C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped

C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP228\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\JETC217.tmp Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

 

Scan process completed.

 

And here is the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 8:37:36 PM, on 12/5/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\WINDOWS\system32\dlcqcoms.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Hillarie Meenach\Desktop\Utilities\HiJackThis_v2.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll

O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll

O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O8 - Extra context menu item: &AOL Toolbar search - blank

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://activation.rr.com/install/downloads/tgctlcm.cab

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633

O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/activedata/nprdtinf.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab

O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab

O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137208026859

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab

O16 - DPF: {A91FB93D-7561-4524-8484-5C27C8FA8D42} (WwLuxor Control) - http://www.worldwinner.com/games/v49/luxor/luxor.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: dlcq_device - - C:\WINDOWS\system32\dlcqcoms.exe

O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\system32\HPZipm12.exe (file missing)

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

 

--

End of file - 10326 bytes

 

 

I haven't been able to reproduce the issue with the redirecting in IE or from the Google search page. So far it seems like it's good. It's slower than Firefox, but isn't it always? ;) Thank you for all of your help with this! Please let me know what the latest two scans show you.


Looks great! All of the infected files found are in quarantine. Open the Norton interface and delete all quarantined items, then empty the recycle bin.

 

Your computer is now clean! miekiemoes has put together a great page full of prevention information and tips that I recommend you check out.

 

You're very welcome, Hillarie. ;) Surf safe!

Dave, I have Norton 2008 (AntiVirus and Internet Security). I can't seem to find any options in the Norton program to allow me to remove any quarantine files. Do you happen to know? I've searched Symantec and the Norton help all over and can't find anything. I'm new to the 2008 version and it's very different than the previous one...a LOT less user friendly. Any suggestions?


About all I can do is point you in the right direction.

 

  • Start your Norton program.
  • On the Norton product tab, click Tasks & Scans.
  • Click Manage Quarantined Items, and then click Go to Quarantine.

 

 

You may have to select each item and click More Details to get an option to remove it.
