
More strange occurrences. HijackThis log included...


Re: More strange occurrences. HijackThis log included...

Post by patmac on Tue Sep 01, 2009 2:56 am

I am also having this warning coming from my AVG Resident Shield each time I open Internet Explorer:

Resident Shield detection
Infection;"Object";"Result";"Detection time";"Object Type";"Process"
Found ;"C:\Documents and Settings\user1\Cookies\user1@advertising[1].txt";"Potentially dangerous object";"8/31/2009, 3:59:59 PM";"file";"C:\Program Files\Internet Explorer\iexplore.exe"
Found ;"C:\Documents and Settings\user1\Cookies\user1@doubleclick[2].txt";"Potentially dangerous object";"8/31/2009, 3:59:59 PM";"file";"C:\Program Files\Internet Explorer\iexplore.exe"
Found ;"C:\Documents and Settings\user1\Cookies\user1@ad.yieldmanager[3].txt";"Potentially dangerous object";"8/31/2009, 3:59:56 PM";"file";"C:\Program Files\Internet Explorer\iexplore.exe"
Found ;"C:\Documents and Settings\user1\Cookies\user1@atdmt[1].txt";"Moved to Virus Vault";"8/31/2009, 3:59:52 PM";"file";"C:\Program Files\Internet Explorer\iexplore.exe"
Found ;"C:\Documents and Settings\user1\Cookies\user1@doubleclick[1].txt";"Moved to Virus Vault";"8/31/2009, 2:00:15 PM";"file";"C:\Program Files\Internet Explorer\iexplore.exe"
Virus found Win32/Cryptor;"C:\System Volume Information\_restore{0D808AFC-C6CF-494A-B8CD-8CAB520AF4FE}\RP529\A0096236.dll";"Moved to Virus Vault";"8/14/2009, 10:57:21 PM";"file";"C:\Program Files\Malwarebytes' Anti-Malware\winlogon.exe"
Found ;"C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\hbyiztyu.default\cookies.sqlite";"Moved to Virus Vault";"8/13/2009, 9:20:56 AM";"file";"C:\Program Files\AVG\AVG8\avgcsrvx.exe"
Found ;"C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\hbyiztyu.default\cookies.sqlite";"Healed";"8/13/2009, 9:20:53 AM";"file";"C:\Program Files\Mozilla Firefox\firefox.exe"
Found ;"C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\hbyiztyu.default\cookies.sqlite";"Healed";"8/13/2009, 6:08:57 AM";"file";"C:\Program Files\Mozilla Firefox\firefox.exe"
Found ;"C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\hbyiztyu.default\cookies.sqlite";"Healed";"8/12/2009, 3:46:38 PM";"file";"C:\Program Files\Mozilla Firefox\firefox.exe"
Found ;"C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\hbyiztyu.default\cookies.sqlite";"Healed";"8/12/2009, 2:13:33 PM";"file";"C:\Program Files\Mozilla Firefox\firefox.exe"
Found ;"C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\hbyiztyu.default\cookies.sqlite";"Healed";"8/11/2009, 9:33:03 PM";"file";"C:\Program Files\Mozilla Firefox\firefox.exe"
Found ;"C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\hbyiztyu.default\cookies.sqlite";"Healed";"8/11/2009, 8:04:35 PM";"file";"C:\Program Files\Mozilla Firefox\firefox.exe"
Found ;"C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\hbyiztyu.default\cookies.sqlite";"Healed";"8/11/2009, 5:42:45 PM";"file";"C:\Program Files\Mozilla Firefox\firefox.exe"
Found ;"C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\hbyiztyu.default\cookies.sqlite";"Healed";"8/11/2009, 10:00:42 AM";"file";"C:\Program Files\Mozilla Firefox\firefox.exe"
Trojan horse Generic13.BQVV;"C:\System Volume Information\_restore{0D808AFC-C6CF-494A-B8CD-8CAB520AF4FE}\RP529\A0096238.dll";"Deleted";"8/10/2009, 7:36:54 PM";"file";"C:\WINDOWS\system32\svchost.exe"
Trojan horse Generic13.BQVV;"C:\System Volume Information\_restore{0D808AFC-C6CF-494A-B8CD-8CAB520AF4FE}\RP529\A0096238.dll";"Deleted";"8/10/2009, 6:36:54 PM";"file";"C:\WINDOWS\system32\svchost.exe"
Trojan horse Generic13.BQVV;"C:\System Volume Information\_restore{0D808AFC-C6CF-494A-B8CD-8CAB520AF4FE}\RP529\A0096238.dll";"Deleted";"8/10/2009, 5:36:54 PM";"file";"C:\WINDOWS\system32\svchost.exe"
Trojan horse Generic13.BQVV;"C:\System Volume Information\_restore{0D808AFC-C6CF-494A-B8CD-8CAB520AF4FE}\RP529\A0096238.dll";"Deleted";"8/10/2009, 5:16:41 PM";"file";"C:\WINDOWS\system32\svchost.exe"
Trojan horse Generic14.FFS;"C:\System Volume Information\_restore{0D808AFC-C6CF-494A-B8CD-8CAB520AF4FE}\RP529\A0096235.dll";"Moved to Virus Vault";"8/10/2009, 3:36:54 PM";"file";"C:\WINDOWS\system32\svchost.exe"
Trojan horse Pakes.DXZ;"C:\System Volume Information\_restore{0D808AFC-C6CF-494A-B8CD-8CAB520AF4FE}\RP529\A0096234.sys";"Moved to Virus Vault";"8/10/2009, 2:48:20 PM";"file";"C:\WINDOWS\system32\svchost.exe"
Trojan horse Pakes.DXZ;"C:\System Volume Information\_restore{0D808AFC-C6CF-494A-B8CD-8CAB520AF4FE}\RP529\A0096234.sys";"Deleted";"8/10/2009, 12:36:54 PM";"file";"C:\WINDOWS\system32\svchost.exe"
Trojan horse Pakes.DXZ;"C:\System Volume Information\_restore{0D808AFC-C6CF-494A-B8CD-8CAB520AF4FE}\RP529\A0096234.sys";"Deleted";"8/10/2009, 12:21:17 PM";"file";"C:\WINDOWS\system32\svchost.exe"
Potentially harmful program Logger.GAT;"C:\temp\MPK\MPK64.exe";"Added to PUP exceptions";"3/14/2009, 5:34:02 PM";"file";"C:\temp\MPK\MPK.exe"
Trojan horse PSW.Generic6.AZKA;"C:\System Volume Information\_restore{0D808AFC-C6CF-494A-B8CD-8CAB520AF4FE}\RP338\A0062813.dll";"Moved to Virus Vault";"1/14/2009, 12:39:16 PM";"file";"C:\WINDOWS\System32\svchost.exe"
Virus found FakeAlert;"C:\Documents and Settings\user1\Local Settings\Temporary Internet Files\Content.IE5\QTU5OC26\freescan[1].htm";"Moved to Virus Vault";"11/8/2008, 8:11:38 PM";"file";"C:\DOCUME~1\user1\LOCALS~1\Temp\~tmpd.exe"
Virus found FakeAlert;"C:\DOCUMENTS AND SETTINGS\USER1\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\QTU5OC26\FREESCAN[1].HTM";"Deleted";"11/8/2008, 8:11:38 PM";"file";"C:\Program Files\Spyware Doctor\pctsSvc.exe"
Virus found FakeAlert;"C:\Documents and Settings\user1\Local Settings\Temporary Internet Files\Content.IE5\5KJOIMFC\freescan[1].htm";"Moved to Virus Vault";"11/8/2008, 7:41:32 PM";"file";"C:\DOCUME~1\user1\LOCALS~1\Temp\~tmpd.exe"

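As an added example (not from the thread and not AVG's own code), here is a small Python triage script for the Resident Shield export format shown above: a header row, then one semicolon-separated row per detection with quoted fields. The sorting rule is this example's own heuristic, keyed on where the object lives (tracking cookies under \Cookies\, quarantined copies inside System Restore snapshots, pages in the IE cache) rather than on the verdict string; the sample rows are constructed from the posted log.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample in the export format AVG 8's Resident Shield produced:
# header row, then one semicolon-separated row per detection, fields quoted.
# Detection names and paths are copied from the log posted in the thread.
SAMPLE_LOG = r"""Infection;"Object";"Result";"Detection time";"Object Type";"Process"
Found ;"C:\Documents and Settings\user1\Cookies\user1@doubleclick[2].txt";"Potentially dangerous object";"8/31/2009, 3:59:59 PM";"file";"C:\Program Files\Internet Explorer\iexplore.exe"
Found ;"C:\Documents and Settings\user1\Cookies\user1@atdmt[1].txt";"Moved to Virus Vault";"8/31/2009, 3:59:52 PM";"file";"C:\Program Files\Internet Explorer\iexplore.exe"
Virus found Win32/Cryptor;"C:\System Volume Information\_restore{0D808AFC-C6CF-494A-B8CD-8CAB520AF4FE}\RP529\A0096236.dll";"Moved to Virus Vault";"8/14/2009, 10:57:21 PM";"file";"C:\Program Files\Malwarebytes' Anti-Malware\winlogon.exe"
Trojan horse Generic13.BQVV;"C:\System Volume Information\_restore{0D808AFC-C6CF-494A-B8CD-8CAB520AF4FE}\RP529\A0096238.dll";"Deleted";"8/10/2009, 7:36:54 PM";"file";"C:\WINDOWS\system32\svchost.exe"
Potentially harmful program Logger.GAT;"C:\temp\MPK\MPK64.exe";"Added to PUP exceptions";"3/14/2009, 5:34:02 PM";"file";"C:\temp\MPK\MPK.exe"
Virus found FakeAlert;"C:\Documents and Settings\user1\Local Settings\Temporary Internet Files\Content.IE5\QTU5OC26\freescan[1].htm";"Moved to Virus Vault";"11/8/2008, 8:11:38 PM";"file";"C:\DOCUME~1\user1\LOCALS~1\Temp\~tmpd.exe"
"""

# Location-based rules (this example's own heuristic, first match wins).
LOCATION_RULES = [
    # browser tracking cookie: a text file, recreated on every visit to the ad network
    ("tracking-cookie", re.compile(r"\\Cookies\\[^\\]+@", re.I)),
    # a copy sitting in a System Restore snapshot, not the live file
    ("restore-point-copy", re.compile(r"\\System Volume Information\\_restore", re.I)),
    # a page cached by Internet Explorer (here a rogue "free scan" page)
    ("browser-cache", re.compile(r"\\Temporary Internet Files\\", re.I)),
]


def parse_resident_shield(text):
    """Parse the export into one dict per detection, keyed by the header names."""
    reader = csv.reader(io.StringIO(text), delimiter=";", quotechar='"')
    header = [h.strip() for h in next(reader)]
    events = []
    for row in reader:
        if len(row) != len(header):
            continue  # blank or truncated line
        events.append({k: v.strip() for k, v in zip(header, row)})
    return events


def classify(event):
    """Label a detection by where the object lives; fall back to the AVG result."""
    for label, pattern in LOCATION_RULES:
        if pattern.search(event["Object"]):
            return label
    if event["Result"] == "Added to PUP exceptions":
        return "user-allowed-pup"  # the user told AVG to keep this one
    return "other"


def summarize(text):
    """Count detections per label."""
    return dict(Counter(classify(e) for e in parse_resident_shield(text)))


def needs_attention(text):
    """Detections not explained by cookies, restore points or the IE cache."""
    return [(e["Infection"], e["Object"])
            for e in parse_resident_shield(text)
            if classify(e) in ("other", "user-allowed-pup")]


if __name__ == "__main__":
    for label, count in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{label:20s} {count}")
    for infection, obj in needs_attention(SAMPLE_LOG):
        print("review:", infection, "->", obj)
```

Cookie hits repeating every time the browser starts are consistent with the popup described above; copies in System Volume Information only go away when the restore points are cleared.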


Post by Belahzur on Tue Sep 01, 2009 5:07 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKLM\..\Run: [forsinit] C:\WINDOWS\sprscore.exe
    O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)


  • Press "Fix Checked"
  • Close HijackThis.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Post by patmac on Wed Sep 02, 2009 4:35 am

Here is my MBAM Log as requested:

Malwarebytes' Anti-Malware 1.40
Database version: 2728
Windows 5.1.2600 Service Pack 3

9/1/2009 9:33:56 PM
mbam-log-2009-09-01 (21-33-56).txt

Scan type: Quick Scan
Objects scanned: 93089
Time elapsed: 3 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Post by patmac on Wed Sep 02, 2009 4:41 am

I still am unable to run Mozilla. Also, each time I open Explorer, my AVG Resident Shield warning pops up with the same info as I posted above.


Post by Belahzur on Wed Sep 02, 2009 1:14 pm

Let's go deeper.


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste DDS.txt back here; I don't need to see attach.txt just yet.





Post by patmac on Thu Sep 03, 2009 3:48 am

Part 2:
================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user1\applic~1\mozilla\firefox\profiles\hbyiztyu.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-8 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-11-8 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-11-8 108552]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-11-8 907032]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-11-8 298776]
R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\system32\drivers\lne100v5.sys [2008-3-19 36224]
S2 bonnqeuc;bonnqeuc;c:\windows\system32\drivers\whnsz.sys --> c:\windows\system32\drivers\whnsz.sys [?]
S2 gupdate1c985a88476ed5a;Google Update Service (gupdate1c985a88476ed5a);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\nbservice.exe --> c:\program files\common files\nero\nero backitup 4\NBService.exe [?]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]

=============== Created Last 30 ================

2009-08-31 13:32 --d----- c:\windows\system32\wbem\Repository
2009-08-27 14:27 --d----- c:\program files\MSECache
2009-08-11 11:39 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-11 11:39 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-10 10:15 -cd----- c:\windows\system32\dllcache\cache
2009-08-10 09:50 a-dshr-- C:\cmdcons
2009-08-10 09:40 216,064 a------- c:\windows\PEV.exe
2009-08-10 09:40 161,792 a------- c:\windows\SWREG.exe
2009-08-10 09:40 98,816 a------- c:\windows\sed.exe
2009-08-10 09:39 --ds---- C:\Combo-Fix
2009-08-09 17:16 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-09 17:16 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-09 13:55 --d----- c:\windows\pss
2009-08-09 13:36 --d----- c:\windows\system32\LogFiles
2009-08-09 12:49 --d----- C:\2d5cc28737a64e03acdaec9b7be5
2009-08-09 10:48 12,928 ac------ c:\windows\system32\dllcache\dot4prt.sys
2009-08-09 10:48 12,928 a------- c:\windows\system32\drivers\Dot4Prt.sys
2009-08-09 10:48 324,608 ac------ c:\windows\system32\dllcache\hpojwia.dll
2009-08-09 10:48 8,704 ac------ c:\windows\system32\dllcache\dot4scan.sys
2009-08-09 10:48 324,608 a------- c:\windows\system32\hpojwia.dll
2009-08-09 10:48 18,411 a------- c:\windows\system32\hpo5500a.aio
2009-08-09 10:48 18,411 a------- c:\windows\system32\hpo5400a.aio
2009-08-09 10:48 18,411 a------- c:\windows\system32\hpo5300a.aio
2009-08-09 10:48 8,704 a------- c:\windows\system32\drivers\Dot4scan.sys
2009-08-09 10:47 206,976 ac------ c:\windows\system32\dllcache\dot4.sys
2009-08-09 10:47 23,808 ac------ c:\windows\system32\dllcache\dot4usb.sys
2009-08-09 10:47 206,976 a------- c:\windows\system32\drivers\Dot4.sys
2009-08-09 10:47 23,808 a------- c:\windows\system32\drivers\Dot4usb.sys
2009-08-05 02:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll

==================== Find3M ====================

2009-08-05 02:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 12:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-12 12:36 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-12 12:21 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-07-09 12:16 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-07-09 12:16 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-06-29 09:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 09:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 09:12 17,408 a------- c:\windows\system32\corpol.dll
2009-06-25 01:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 01:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 01:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 01:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 01:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 01:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-23 09:19 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-16 07:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 05:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 07:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-09 23:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-04 22:52 1,024 a------- c:\docume~1\alluse~1\applic~1\pdfxls2.dll
2008-12-09 11:05 87,608 a------- c:\docume~1\user1\applic~1\ezpinst.exe
2008-12-09 11:05 47,360 a------- c:\docume~1\user1\applic~1\pcouffin.sys
2009-04-01 09:27 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009040120090402\index.dat

============= FINISH: 20:40:04.84 ===============

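As an added example that is not part of the thread or of DDS, this Python script parses the SERVICES / DRIVERS section of the log above and scores each entry with a heuristic of my own: binary not located by DDS (the "--> path [?]" form), display name identical to the service name, image outside Program Files, image off the system drive. Entries scoring three or more are exactly the two services the helper removes in the next reply, and the script renders them as the ":services" block OTM expects; the sample lines are constructed from the posted log.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the SERVICES / DRIVERS section of the posted DDS log,
# with the neighbouring section header so the section detection is exercised.
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-8 335752]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-11-8 298776]
S2 bonnqeuc;bonnqeuc;c:\windows\system32\drivers\whnsz.sys --> c:\windows\system32\drivers\whnsz.sys [?]
S2 gupdate1c985a88476ed5a;Google Update Service (gupdate1c985a88476ed5a);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\nbservice.exe --> c:\program files\common files\nero\nero backitup 4\NBService.exe [?]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]

=============== Created Last 30 ================
"""

# "R1 name;display;rest" -> state letter, start digit, service name, display name
LINE_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# DDS could not stat the file: "<configured path> --> <resolved path> [?]"
MISSING_RE = re.compile(r"^.+? --> (?P<image>.+) \[\?\]$")
# DDS found the file: "<path> [YYYY-M-D size]"
FOUND_RE = re.compile(r"^(?P<image>.+) \[\d{4}-\d{1,2}-\d{1,2} \d+\]$")

VENDOR_DIRS = ("c:\\program files\\", "c:\\progra~1\\")


@dataclass
class ServiceEntry:
    state: str      # R = running, S = stopped, as DDS prints it
    start: int      # start-type digit from the DDS prefix
    name: str
    display: str
    image: str
    found: bool     # False when DDS printed "--> path [?]"
    reasons: list = field(default_factory=list)


def parse_services(text):
    """Return one ServiceEntry per line of the SERVICES / DRIVERS section."""
    entries, in_section = [], False
    for line in text.splitlines():
        if line.startswith("="):
            in_section = "SERVICES / DRIVERS" in line
            continue
        if not in_section or not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        miss = MISSING_RE.match(rest)
        if miss:
            image, found = miss.group("image"), False
        else:
            hit = FOUND_RE.match(rest)
            image, found = (hit.group("image") if hit else rest), bool(hit)
        entries.append(ServiceEntry(m.group("state"), int(m.group("start")),
                                    m.group("name"), m.group("display"), image, found))
    return entries


def score_entry(e):
    """Count weak signals (this example's heuristic, not DDS logic)."""
    image = e.image.lower()
    if not e.found:
        e.reasons.append("binary not located by DDS")
    if e.display == e.name:
        e.reasons.append("no descriptive display name")
    if not image.startswith(VENDOR_DIRS):
        e.reasons.append("image not under Program Files")
    if not image.startswith("c:\\"):
        e.reasons.append("image on a non-system drive")
    return len(e.reasons)


def flag_services(text, threshold=3):
    """Entries whose score reaches the threshold, in log order."""
    return [e for e in parse_services(text) if score_entry(e) >= threshold]


def otm_services_script(entries):
    """Render the ':services' block OTM reads, one service name per line."""
    return "\n".join([":services"] + [e.name for e in entries])


if __name__ == "__main__":
    flagged = flag_services(SAMPLE_DDS)
    for e in flagged:
        print(f"{e.name}: {', '.join(e.reasons)}")
    print(otm_services_script(flagged))
```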


Post by Belahzur on Thu Sep 03, 2009 2:44 pm

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :services
    bonnqeuc
    PciCon


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.





Post by patmac on Fri Sep 04, 2009 1:53 am

As requested, here is the OTM log:

========== SERVICES/DRIVERS ==========

Service\Driver bonnqeuc deleted successfully.

Service\Driver PciCon deleted successfully.

OTM by OldTimer - Version 3.0.0.6 log created on 09032009_185152


Post by Origin on Fri Sep 04, 2009 4:41 am

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to svchost as follows:

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on svchost.exe.
  • Follow the prompts. NOTE:
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]



Post by patmac on Mon Sep 07, 2009 4:09 pm

As requested, ComboFix log. Original msg too big; posting in two parts.
PART 1

ComboFix 09-09-06.06 - user1 09/07/2009 8:58.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1351 [GMT -7:00]
Running from: E:\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\dep32ceg.dll
c:\windows\Installer\1632a06.msp
c:\windows\Installer\1632a0f.msp
c:\windows\Installer\1632a18.msp
c:\windows\Installer\1632a21.msp
c:\windows\Installer\1ce03a1.msp
c:\windows\Installer\3726bae.msp
c:\windows\iopa32ul.dll
c:\windows\iopb32ul.dll
c:\windows\spr32snl.dll

.
((((((((((((((((((((((((( Files Created from 2009-08-07 to 2009-09-07 )))))))))))))))))))))))))))))))
.

2009-09-04 01:51 . 2009-09-04 01:51 -------- d-----w- C:\_OTM
2009-08-31 20:32 . 2009-08-31 20:32 -------- d-----w- c:\windows\system32\wbem\Repository
2009-08-27 21:27 . 2009-08-27 21:34 -------- d-----w- c:\program files\MSECache
2009-08-11 18:39 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-10 00:16 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 00:16 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-09 20:36 . 2009-08-09 20:36 -------- d-----w- c:\windows\system32\LogFiles
2009-08-09 19:49 . 2009-08-09 19:49 -------- d-----w- C:\2d5cc28737a64e03acdaec9b7be5
2009-08-09 17:48 . 2001-08-17 20:47 12928 -c--a-w- c:\windows\system32\dllcache\dot4prt.sys
2009-08-09 17:48 . 2001-08-17 20:47 12928 ----a-w- c:\windows\system32\drivers\Dot4Prt.sys
2009-08-09 17:48 . 2001-08-18 05:36 324608 -c--a-w- c:\windows\system32\dllcache\hpojwia.dll
2009-08-09 17:48 . 2001-08-18 05:36 324608 ----a-w- c:\windows\system32\hpojwia.dll
2009-08-09 17:48 . 2001-08-17 20:47 8704 -c--a-w- c:\windows\system32\dllcache\dot4scan.sys
2009-08-09 17:48 . 2001-08-17 20:47 8704 ----a-w- c:\windows\system32\drivers\Dot4scan.sys
2009-08-09 17:47 . 2008-04-13 18:39 206976 -c--a-w- c:\windows\system32\dllcache\dot4.sys
2009-08-09 17:47 . 2008-04-13 18:39 206976 ----a-w- c:\windows\system32\drivers\Dot4.sys
2009-08-09 17:47 . 2001-08-17 20:47 23808 -c--a-w- c:\windows\system32\dllcache\dot4usb.sys
2009-08-09 17:47 . 2001-08-17 20:47 23808 ----a-w- c:\windows\system32\drivers\Dot4usb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-07 15:29 . 2008-03-20 00:54 -------- d-----w- c:\program files\Steam
2009-09-07 02:09 . 2008-11-09 02:24 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-07 02:09 . 2008-11-09 02:24 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-09-07 02:09 . 2008-11-09 02:24 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-09-03 04:30 . 2008-12-10 06:02 -------- d-----w- c:\documents and settings\user1\Application Data\uTorrent
2009-09-02 12:59 . 2008-03-20 04:41 176920 ----a-w- c:\documents and settings\user1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-31 20:31 . 2008-08-07 16:06 -------- d-----w- c:\program files\The Print Shop 20
2009-08-10 00:16 . 2008-11-09 03:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-10 00:05 . 2008-11-09 02:24 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-09 16:33 . 2009-02-03 02:37 -------- d-----w- c:\program files\Google
2009-08-05 09:01 . 2008-11-09 03:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-18 13:29 . 2008-05-16 15:44 -------- d-----w- c:\program files\Apple Software Update
2009-07-18 00:15 . 2009-07-18 00:14 -------- d-----w- c:\program files\iTunes
2009-07-18 00:15 . 2009-07-18 00:14 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-18 00:14 . 2008-05-16 15:44 -------- d-----w- c:\program files\Common Files\Apple
2009-07-18 00:14 . 2008-03-30 23:40 -------- d-----w- c:\program files\iPod
2009-07-18 00:14 . 2009-07-18 00:14 -------- d-----w- c:\program files\Bonjour
2009-07-18 00:14 . 2009-07-18 00:13 -------- d-----w- c:\program files\QuickTime
2009-07-17 19:01 . 2008-11-09 03:48 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 19:21 . 2008-11-09 03:49 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-09 19:16 . 2009-07-18 00:12 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-07-09 19:16 . 2008-05-16 15:44 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-29 16:12 . 2001-08-18 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2008-11-09 03:49 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2008-11-09 03:48 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-25 08:25 . 2008-11-09 03:48 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2008-11-09 03:48 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2008-11-09 03:48 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2008-11-09 03:48 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2008-11-09 03:48 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2008-03-31 00:05 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-24 11:18 . 2008-11-09 03:48 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2008-11-09 03:48 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2008-11-09 03:48 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2008-11-09 03:48 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 16:19 . 2008-11-09 03:49 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2008-11-09 03:48 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2008-03-31 00:05 132096 ----a-w- c:\windows\system32\wkssvc.dll
.


Post by patmac on Mon Sep 07, 2009 4:10 pm

PART 2

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-09 03:49 . 2009-07-14 11:03 46080 c:\windows\system32\tzchange.exe
+ 2008-03-20 04:35 . 2007-07-27 17:41 26488 c:\windows\system32\spupdsvc.exe
- 2008-03-20 04:35 . 2007-11-30 11:18 26488 c:\windows\system32\spupdsvc.exe
- 2008-03-20 04:35 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
+ 2008-03-20 04:35 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
+ 2009-06-25 08:25 . 2009-06-25 08:25 54272 c:\windows\system32\dllcache\wdigest.dll
+ 2009-06-12 12:31 . 2009-06-12 12:31 76288 c:\windows\system32\dllcache\telnet.exe
+ 2009-02-03 19:59 . 2009-06-25 08:25 56832 c:\windows\system32\dllcache\secur32.dll
- 2009-02-03 19:59 . 2009-02-03 19:59 56832 c:\windows\system32\dllcache\secur32.dll
+ 2009-06-24 11:18 . 2009-06-24 11:18 92928 c:\windows\system32\dllcache\ksecdd.sys
+ 2009-06-10 14:13 . 2009-06-10 14:13 84992 c:\windows\system32\dllcache\avifil32.dll
+ 2009-07-17 19:01 . 2009-07-17 19:01 58880 c:\windows\system32\dllcache\atl.dll
+ 2009-09-01 01:33 . 2009-09-04 13:19 40960 c:\windows\Installer\{90850409-6000-11D3-8CFE-0150048383C9}\wrdvicon.exe
+ 2009-09-01 01:35 . 2009-09-01 01:35 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2003-07-15 05:57 . 2003-07-15 05:57 58944 c:\windows\Installer\$PatchCache$\Managed\9040580900063D11C8EF10054038389C\11.0.6506\SEQCHK10.DLL
+ 2003-07-15 05:52 . 2003-07-15 05:52 55360 c:\windows\Installer\$PatchCache$\Managed\9040580900063D11C8EF10054038389C\11.0.6506\MSOHTMED.EXE
+ 2003-07-15 05:52 . 2003-07-15 05:52 67128 c:\windows\Installer\$PatchCache$\Managed\9040580900063D11C8EF10054038389C\11.0.6506\MSOHEV.DLL
+ 2008-03-19 15:56 . 2009-09-02 00:21 536848 c:\windows\system32\FNTCACHE.DAT
+ 2008-09-03 22:43 . 2009-07-12 19:21 233472 c:\windows\system32\dllcache\wmpdxm.dll
- 2008-09-03 22:43 . 2008-04-14 00:12 233472 c:\windows\system32\dllcache\wmpdxm.dll
+ 2009-06-10 06:14 . 2009-06-10 06:14 132096 c:\windows\system32\dllcache\wkssvc.dll
+ 2008-12-05 06:54 . 2009-06-25 08:25 147456 c:\windows\system32\dllcache\schannel.dll
+ 2009-08-05 09:01 . 2009-08-05 09:01 204800 c:\windows\system32\dllcache\mswebdvd.dll
+ 2009-06-25 08:25 . 2009-06-25 08:25 136192 c:\windows\system32\dllcache\msv1_0.dll
+ 2009-04-15 15:08 . 2009-06-25 08:25 730112 c:\windows\system32\dllcache\lsasrv.dll
+ 2009-06-25 08:25 . 2009-06-25 08:25 301568 c:\windows\system32\dllcache\kerberos.dll
+ 2009-08-13 14:05 . 2009-08-13 14:05 516096 c:\windows\system32\config\systemprofile\ntuser.dat
+ 2007-09-12 23:37 . 2007-09-12 23:37 344064 c:\windows\Installer\4242aea.msp
+ 2009-09-01 01:35 . 2009-09-01 01:35 355328 c:\windows\Installer\1123264.msi
+ 2009-09-01 01:33 . 2009-09-01 01:33 886272 c:\windows\Installer\1123247.msi
+ 2009-09-01 01:33 . 2009-09-04 13:19 135168 c:\windows\Installer\{90850409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-11-09 03:49 . 2008-04-14 00:12 4874240 c:\windows\system32\wmp.dll
+ 2008-11-09 03:49 . 2009-07-12 19:21 4874240 c:\windows\system32\wmp.dll
+ 2009-08-31 20:30 . 2009-08-31 20:33 2693364 c:\windows\system32\Restore\rstrlog.dat
+ 2008-09-03 22:43 . 2009-07-12 19:21 4874240 c:\windows\system32\dllcache\wmp.dll
- 2008-09-03 22:43 . 2008-04-14 00:12 4874240 c:\windows\system32\dllcache\wmp.dll
+ 2009-06-10 16:19 . 2009-06-10 16:19 2066432 c:\windows\system32\dllcache\mstscax.dll
+ 2009-05-14 19:34 . 2009-05-14 19:34 3730944 c:\windows\Installer\392012d.msp
+ 2008-10-25 16:15 . 2008-10-25 16:15 6227456 c:\windows\Installer\3920112.msp
+ 2007-05-31 20:37 . 2007-05-31 20:37 8812384 c:\windows\Installer\$PatchCache$\Managed\9040580900063D11C8EF10054038389C\11.0.8173\WORDVIEW.EXE
+ 2005-05-03 19:09 . 2005-05-03 19:09 6864584 c:\windows\Installer\$PatchCache$\Managed\9040580900063D11C8EF10054038389C\11.0.6506\WORDVIEW.EXE
+ 2008-03-30 23:59 . 2009-07-30 00:49 24281536 c:\windows\system32\MRT.exe
+ 2008-07-30 15:50 . 2008-07-30 15:50 12506112 c:\windows\Installer\3920124.msp
+ 2008-06-04 20:29 . 2008-06-04 20:29 16905728 c:\windows\Installer\392011b.msp
+ 2007-07-31 12:29 . 2007-07-31 12:29 12836864 c:\windows\Installer\112325d.msp
+ 2007-06-19 00:16 . 2007-06-19 00:16 12259160 c:\windows\Installer\$PatchCache$\Managed\9040580900063D11C8EF10054038389C\11.0.8173\MSO.DLL
+ 2005-04-22 05:57 . 2005-04-22 05:57 12235968 c:\windows\Installer\$PatchCache$\Managed\9040580900063D11C8EF10054038389C\11.0.6506\MSO.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"Lexmark X6100 Series"="c:\program files\Lexmark X6100 Series\lxbfbmgr.exe" [2003-09-23 57344]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-09-07 2007832]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-01-23 101136]
"C-Media Mixer"="Mixer.exe" - c:\windows\mixer.exe [2002-10-16 1818624]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-27 1657376]

c:\documents and settings\user1\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-3-19 688128]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-9-11 972064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-07 02:09 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\steamapps\\azmotoxracer\\counter-strike source\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Steam\\steamapps\\azmotoxracer\\insurgency\\hl2.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\steamapps\\azmotoxracer\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/8/2008 7:24 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/8/2008 7:24 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [11/8/2008 7:24 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [11/8/2008 7:24 PM 297752]
R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\system32\drivers\lne100v5.sys [3/19/2008 5:24 PM 36224]
S2 gupdate1c985a88476ed5a;Google Update Service (gupdate1c985a88476ed5a);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2009-08-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
Trusted Zone: microsoft.com\office
FF - ProfilePath - c:\documents and settings\user1\Application Data\Mozilla\Firefox\Profiles\hbyiztyu.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-09-07 09:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-09-07 9:03
ComboFix-quarantined-files.txt 2009-09-07 16:03
ComboFix2.txt 2009-08-10 17:16

Pre-Run: 16,979,312,640 bytes free
Post-Run: 18,221,137,920 bytes free

217 --- E O F --- 2009-09-04 13:19

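The snapshot comparison section of the ComboFix log above (the `+`/`-` lines) is easier to triage once the lines are paired up by path: a path that appears with both `-` and `+` was replaced between the two snapshots (typical of a Windows Update or MSI patch), one that appears only with `+` is new. The following is an added example, not code from this thread, from ComboFix or from its helpers. It assumes the line layout is `sign  ts1 . ts2  size  path`; ComboFix does not label which timestamp is creation and which is last-write, so the code keeps both without guessing. The sample lines are constructed in the shape of the log, and the Application Data path among them is hypothetical, not something from the posted log.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# One ComboFix snapshot-diff line: sign, two timestamps separated by " . ",
# size in bytes, then the path (which may itself contain spaces).
LINE_RE = re.compile(
    r"^([+-]) (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+) (.+)$"
)

# Constructed sample in the shape of the log above. The last-but-one path is a
# hypothetical drop location used only to show how the ordering works.
HYPOTHETICAL_DROP = r"c:\documents and settings\all users\application data\{00000000-hypothetical}\x86\loader.exe"
SAMPLE = r"""
+ 2008-11-09 03:49 . 2009-07-14 11:03 46080 c:\windows\system32\tzchange.exe
+ 2008-03-20 04:35 . 2007-07-27 17:41 26488 c:\windows\system32\spupdsvc.exe
- 2008-03-20 04:35 . 2007-11-30 11:18 26488 c:\windows\system32\spupdsvc.exe
- 2008-11-09 03:49 . 2008-04-14 00:12 4874240 c:\windows\system32\wmp.dll
+ 2008-11-09 03:49 . 2009-07-12 19:21 4874240 c:\windows\system32\wmp.dll
+ 2009-08-13 14:05 . 2009-08-13 14:05 516096 c:\windows\system32\config\systemprofile\ntuser.dat
+ 2009-09-01 01:33 . 2009-09-01 01:33 40960 c:\documents and settings\all users\application data\{00000000-hypothetical}\x86\loader.exe
+ 2009-06-12 12:31 . 2009-06-12 12:31 76288 c:\windows\system32\dllcache\telnet.exe
"""


@dataclass
class Entry:
    sign: str   # "+" = present in the newer snapshot, "-" = present in the older one
    ts1: str    # first timestamp as printed (creation vs. last-write is not stated by ComboFix)
    ts2: str    # second timestamp as printed
    size: int
    path: str


def parse_snapshot(text):
    """Parse every well-formed snapshot-diff line; anything else is ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            sign, ts1, ts2, size, path = m.groups()
            entries.append(Entry(sign, ts1, ts2, int(size), path))
    return entries


def classify(entries):
    """Map each path (case-folded) to 'added', 'removed' or 'replaced'."""
    signs = defaultdict(set)
    for e in entries:
        signs[e.path.lower()].add(e.sign)
    kinds = {}
    for path, s in signs.items():
        if s == {"+", "-"}:
            kinds[path] = "replaced"
        elif s == {"+"}:
            kinds[path] = "added"
        else:
            kinds[path] = "removed"
    return kinds


# Extensions worth a look, and the directories where update/patch copies normally land.
PE_EXT = (".exe", ".dll", ".sys", ".ocx", ".scr")
SERVICING_DIRS = (r"c:\windows\system32\dllcache" + "\\", r"c:\windows\installer" + "\\")


def triage(text):
    """Executable paths worth checking first: outside c:\\windows before inside,
    brand-new files before replaced ones. This is an ordering heuristic, not a verdict."""
    rows = []
    for path, kind in classify(parse_snapshot(text)).items():
        if kind == "removed" or not path.endswith(PE_EXT):
            continue
        if path.startswith(SERVICING_DIRS):
            continue  # dllcache / Installer copies are the normal footprint of updates and MSI patches
        outside_windows = not path.startswith("c:\\windows\\")
        rows.append((outside_windows, kind == "added", path))
    rows.sort(key=lambda r: (not r[0], not r[1], r[2]))
    return [path for _, _, path in rows]


if __name__ == "__main__":
    for path, kind in classify(parse_snapshot(SAMPLE)).items():
        print(f"{kind:9s} {path}")
    print("triage order:")
    for path in triage(SAMPLE):
        print("  ", path)
```

Run against the real log, the Installer and dllcache entries drop out immediately, and what remains is the short list to check against the corresponding Windows Update or vendor release before deciding whether anything needs a second look.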

Re: More strange occurences. HijackThis log included...

Post by Belahzur on Mon Sep 07, 2009 8:24 pm

Hello.
We need to use OTM one more time.


  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :files
    c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

Re: More strange occurences. HijackThis log included...

Post by patmac on Wed Sep 09, 2009 4:44 am

As requested OTM log:

========== FILES ==========
c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86 moved successfully.
c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86 moved successfully.
c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906} moved successfully.

OTM by OldTimer - Version 3.0.0.6 log created on 09082009_214147


Re: More strange occurences. HijackThis log included...

Post by Dr Jay on Wed Sep 16, 2009 8:48 pm

Hi

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Post the log in your next reply.


Dr. Jay (DJ)



Dr Jay
Administrator
Posts : 13706
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro
