help with spyware/virus


Solved help with spyware/virus

Post by joeysvt01 on 6th October 2008, 11:41 am

Hi, I've been having a lot of pop-ups come up randomly while browsing online, could you please help me get rid of whatever is causing it? Here is my log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:28:24 AM, on 10/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\ifxspmgt.exe
C:\WINDOWS\system32\ifxtcs.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\IfxPsdSv.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Intel\AMT\atchk.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\prun.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\xpre.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winvsnet.exe
C:\WINDOWS\system32\mshta.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [atchk] "C:\Program Files\Intel\AMT\atchk.exe"
O4 - HKLM\..\Run: [PTHOSTTR] c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [IFXSPMGT] C:\WINDOWS\system32\ifxspmgt.exe /NotifyLogon
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [prunnet] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\prun.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [55ba0306] rundll32.exe "C:\WINDOWS\system32\bxwjxtxd.dll",b
O4 - HKLM\..\Run: [BM5689309a] Rundll32.exe "C:\WINDOWS\system32\yglsnmqt.dll",s
O4 - HKLM\..\Run: [IUpd721] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winvsnet.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [prunnet] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\prun.exe"
O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\DownloadPDF.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\webhancer\programs\webhdll.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.antispyexpert.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.spyguardpro.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.antispyexpert.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.spyguardpro.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusremover2008.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {7A16F968-8E79-11D4-AFC3-0060978DD938} (SL Map Control) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = COC.local
O17 - HKLM\Software\..\Telephony: DomainName = COC.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = COC.local
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: APSHook.dll,avgrsstx.dll gvvmbf.dll
O23 - Service: McAfee Application Installer Cleanup (0317191222355391) (0317191222355391mcinstcleanup) - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\031719~1.EXE (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Intel(R) Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Drive Encryption Service (HpFkCryptService) - SafeBoot International - C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\ifxspmgt.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\ifxtcs.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Intel(R) Active Management Technology Local Management Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: Personal Secure Drive service (PersonalSecureDriveService) - Infineon Technologies AG - C:\WINDOWS\system32\IfxPsdSv.exe
O23 - Service: Intel(R) Active Management Technology User Notification Service (UNS) - Intel - C:\Program Files\Intel\AMT\UNS.exe

--
End of file - 9494 bytes

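The HijackThis log above contains several indicators that a helper would pick out by eye: O4 autoruns launched from the user's Temp folder, rundll32 entries loading random-looking DLLs out of system32, a long list of O15 Trusted Zone additions for rogue "antivirus" domains, an extra DLL appended to AppInit_DLLs, and an O23 service whose binary lives in Temp and is missing. The following script is an added example, not part of the original post and not part of HijackThis or ComboFix; it runs those same heuristics over a handful of lines copied from the log (the constructed sample below) and reports which entries deserve a closer look. The "no vowels, six or more letters" test for random-looking names and the rule names are assumptions of this example, chosen to match the names seen in this thread, and they will produce false positives on other machines.

```python
import re

# Constructed sample: a few lines taken verbatim from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [prunnet] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\prun.exe"
O4 - HKLM\..\Run: [55ba0306] rundll32.exe "C:\WINDOWS\system32\bxwjxtxd.dll",b
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O15 - Trusted Zone: *.virusremover2008.com
O20 - AppInit_DLLs: APSHook.dll,avgrsstx.dll gvvmbf.dll
O23 - Service: McAfee Application Installer Cleanup (0317191222355391) (0317191222355391mcinstcleanup) - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\031719~1.EXE (file missing)
"""

# HijackThis line shapes used here (O4 autorun, O15 trusted zone, O20 AppInit_DLLs).
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
O15_RE = re.compile(r'^O15 - Trusted Zone: (?P<zone>\S+)')
O20_RE = re.compile(r'^O20 - AppInit_DLLs: (?P<dlls>.+)$')
# A Windows path inside a command line; stops at a closing quote or a rundll32 ",entry" suffix.
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]+')
TEMP_RE = re.compile(r'\\temp\\', re.I)

VOWELS = set("aeiou")


def looks_random(filename: str) -> bool:
    """Heuristic (assumption of this example): a basename of six or more letters with
    no vowels, like bxwjxtxd.dll or gvvmbf.dll, is treated as machine-generated."""
    stem = filename.lower().rsplit(".", 1)[0]
    return len(stem) >= 6 and stem.isalpha() and not (set(stem) & VOWELS)


def triage(log_text: str) -> list[dict]:
    """Return a list of {rule, key, path} findings for the suspicious entries in a log."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := O4_RE.match(line):
            # Autoruns: flag anything started from a Temp directory or with a random name.
            for path in PATH_RE.findall(m["cmd"]):
                base = path.rsplit("\\", 1)[-1]
                if TEMP_RE.search(path):
                    findings.append({"rule": "autorun-from-temp", "key": m["name"], "path": path})
                if looks_random(base):
                    findings.append({"rule": "random-named-binary", "key": m["name"], "path": path})
        elif m := O15_RE.match(line):
            # HijackThis only lists non-default Trusted Zone entries; each one needs review.
            findings.append({"rule": "trusted-zone-entry", "key": m["zone"], "path": ""})
        elif m := O20_RE.match(line):
            # AppInit_DLLs is loaded into every process that uses user32; the log shows the
            # rogue DLL appended with a space rather than a comma, so split on both.
            for dll in re.split(r"[,\s]+", m["dlls"]):
                if dll and looks_random(dll):
                    findings.append({"rule": "appinit-random-dll", "key": "AppInit_DLLs", "path": dll})
        elif line.startswith("O23 - Service:"):
            # Services whose binary sits in Temp or is already gone are leftover installers or malware.
            if TEMP_RE.search(line) or "(file missing)" in line:
                findings.append({"rule": "service-temp-or-missing", "key": "O23", "path": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f'{f["rule"]:<24} {f["key"]:<24} {f["path"]}')
```

Running it over the sample prints five findings, one for each of the indicator types described above; on the full log the O15 rule alone would fire 28 times, which is itself a useful signal that the Trusted Zone list was populated by something other than the user.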

Solved Re: help with spyware/virus

Post by Belahzur on 6th October 2008, 11:43 am

Vundo has become famous all of a sudden?

Download Combofix from here.
Code:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Do not run it just yet.

Then download the Microsoft Recovery Console from here:
Code:
http://www.microsoft.com/downloads/details.aspx?FamilyId=15491F07-99F7-4A2D-983D-81C2137FF464&displaylang=en
and save it as it's originally named, next to ComboFix.exe.



Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, it will ask you whether or not to continue with the malware scan. Select Yes, and post the resultant log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Solved Re: help with spyware/virus

Post by joeysvt01 on 6th October 2008, 11:56 am

ComboFix 08-10-05.06 - Joey 2008-10-06 7:48:08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.404 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\BM5689309a.txt
C:\WINDOWS\BM5689309a.xml
C:\WINDOWS\faceback.exe
C:\WINDOWS\IA
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bxwjxtxd.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\x64
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2008-09-06 to 2008-10-06 )))))))))))))))))))))))))))))))
.

2008-10-06 07:30 . 2008-10-06 07:30 d-------- C:\Documents and Settings\Administrator\Application Data\IUpd721
2008-10-06 07:28 . 2008-10-06 07:28 d-------- C:\Program Files\Trend Micro
2008-10-06 07:19 . 2008-10-06 07:19 d-------- C:\WINDOWS\Sun
2008-10-03 16:50 . 2008-10-03 16:50 d---s---- C:\Documents and Settings\Administrator\UserData
2008-10-03 16:24 . 2008-10-06 07:48 d--h----- C:\$AVG8.VAULT$
2008-10-03 16:22 . 2008-10-05 08:05 d-------- C:\WINDOWS\system32\drivers\Avg
2008-10-03 16:22 . 2008-10-03 16:22 d-------- C:\Program Files\AVG
2008-10-03 16:22 . 2008-10-03 16:22 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-10-03 16:22 . 2008-10-03 16:22 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-10-03 16:22 . 2008-10-03 16:22 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-10-03 15:51 . 2008-10-06 07:51 118,784 --a------ C:\WINDOWS\system32\chg.exe
2008-10-03 14:48 . 2008-10-03 14:48 d-------- C:\Program Files\Lavasoft
2008-10-03 14:48 . 2008-10-03 14:49 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-03 14:46 . 2008-10-03 14:46 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-03 14:37 . 2008-10-03 15:44 d-------- C:\WINDOWS\system32\pet
2008-10-03 14:37 . 2008-10-03 16:43 d-------- C:\WINDOWS\system32\PAD6
2008-10-03 14:37 . 2008-10-03 15:44 d-------- C:\WINDOWS\system32\icon2
2008-10-03 14:37 . 2008-10-06 07:27 d-------- C:\WINDOWS\system32\EV19
2008-10-03 14:37 . 2008-10-03 14:37 d-------- C:\WINDOWS\system32\bak
2008-10-03 14:37 . 2008-10-03 14:37 d-------- C:\Temp\xp34
2008-10-03 14:37 . 2008-10-06 07:48 d-------- C:\Temp
2008-09-26 14:25 . 2008-09-26 14:25 d-------- C:\Program Files\Common Files\Adobe AIR
2008-09-26 14:24 . 2008-09-26 14:24 d-------- C:\Program Files\Common Files\Adobe
2008-09-26 14:16 . 2008-10-03 15:52 d-------- C:\Program Files\NOS
2008-09-26 14:16 . 2008-10-03 16:46 d-------- C:\Documents and Settings\All Users\Application Data\NOS
2008-09-26 13:54 . 2008-10-03 14:25 d-------- C:\Program Files\slactvx
2008-09-26 11:38 . 2008-09-26 11:40 d-------- C:\Program Files\Return to Castle Wolfenstein
2008-09-26 11:37 . 2008-09-26 11:40 810 --a------ C:\WINDOWS\Rtcw.INI
2008-09-26 09:11 . 2008-09-26 09:11 d-------- C:\Program Files\gs
2008-09-26 09:11 . 2005-05-07 14:14 90,112 --a------ C:\WINDOWS\system32\custmon2k.dll
2008-09-26 08:55 . 2004-06-06 20:17 53,248 --a------ C:\WINDOWS\system32\uninstpw.exe
2008-09-26 08:55 . 2005-05-07 14:15 24,576 --a------ C:\WINDOWS\system32\custsave.exe
2008-09-26 08:51 . 2008-09-26 08:51 d-------- C:\Program Files\Keller
2008-09-26 08:49 . 2008-09-26 08:49 d-------- C:\Program Files\PlotSoft
2008-09-26 07:44 . 2008-09-06 08:50 d--h----- C:\Documents and Settings\__sbs_netsetup__\Templates
2008-09-26 07:44 . 2008-09-06 08:50 dr------- C:\Documents and Settings\__sbs_netsetup__\Start Menu
2008-09-26 07:44 . 2008-09-06 08:50 dr-h----- C:\Documents and Settings\__sbs_netsetup__\SendTo
2008-09-26 07:44 . 2008-09-26 07:44 dr-h----- C:\Documents and Settings\__sbs_netsetup__\Recent
2008-09-26 07:44 . 2008-09-06 08:50 d--h----- C:\Documents and Settings\__sbs_netsetup__\PrintHood
2008-09-26 07:44 . 2008-09-06 08:50 d--h----- C:\Documents and Settings\__sbs_netsetup__\NetHood
2008-09-26 07:44 . 2008-09-26 07:44 dr------- C:\Documents and Settings\__sbs_netsetup__\My Documents
2008-09-26 07:44 . 2008-09-06 08:50 d--h----- C:\Documents and Settings\__sbs_netsetup__\Local Settings
2008-09-26 07:44 . 2008-09-26 07:44 dr------- C:\Documents and Settings\__sbs_netsetup__\Favorites
2008-09-26 07:44 . 2008-09-06 09:08 d-------- C:\Documents and Settings\__sbs_netsetup__\Desktop
2008-09-26 07:44 . 2008-09-06 08:50 d---s---- C:\Documents and Settings\__sbs_netsetup__\Cookies
2008-09-26 07:44 . 2008-09-06 09:03 d-------- C:\Documents and Settings\__sbs_netsetup__\Application Data\Sun
2008-09-26 07:44 . 2008-09-06 09:36 d-------- C:\Documents and Settings\__sbs_netsetup__\Application Data\SiteAdvisor
2008-09-26 07:44 . 2008-09-06 09:41 d-------- C:\Documents and Settings\__sbs_netsetup__\Application Data\SampleView
2008-09-26 07:44 . 2008-10-03 16:20 d---s---- C:\Documents and Settings\__sbs_netsetup__\Application Data\Microsoft
2008-09-26 07:44 . 2008-09-06 09:06 d-------- C:\Documents and Settings\__sbs_netsetup__\Application Data\InstallShield
2008-09-26 07:44 . 2008-09-06 09:07 d-------- C:\Documents and Settings\__sbs_netsetup__\Application Data\Infineon
2008-09-26 07:44 . 2008-09-06 08:50 d-------- C:\Documents and Settings\__sbs_netsetup__\Application Data\Identities
2008-09-26 07:44 . 2008-09-06 09:06 d-------- C:\Documents and Settings\__sbs_netsetup__\Application Data\hpqLog
2008-09-26 07:44 . 2008-09-26 07:44 dr-h----- C:\Documents and Settings\__sbs_netsetup__\Application Data
2008-09-26 07:44 . 2008-10-03 16:22 d-------- C:\Documents and Settings\__sbs_netsetup__
2008-09-26 07:44 . 2008-10-03 16:22 512,000 --a------ C:\Documents and Settings\__sbs_netsetup__\NTUSER.DAT
2008-09-26 07:42 . 2008-09-26 07:42 d-------- C:\WINDOWS\SchCache
2008-09-26 07:42 . 2008-09-26 07:42 d-------- C:\Program Files\Microsoft Windows Small Business Server
2008-09-26 07:41 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-09-26 07:41 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\dllcache\mouhid.sys
2008-09-26 07:41 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-09-26 07:41 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\dllcache\hidusb.sys
2008-09-25 14:23 . 2004-08-03 23:08 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2008-09-25 14:06 . 2008-09-25 14:06 d-------- C:\Program Files\Program Shortcuts
2008-09-25 11:10 . 2008-09-25 11:10 d--hs---- C:\System Recovery
2008-09-25 11:10 . 2008-05-21 05:35 434 --a------ C:\WINDOWS\myClean.bat
2008-09-25 11:08 . 2008-09-25 11:08 d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-09-25 11:08 . 2006-02-27 22:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-09-25 11:07 . 2008-09-06 09:06 d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\InstallShield
2008-09-25 11:07 . 2008-09-06 09:06 d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\hpqLog
2008-09-25 11:06 . 2008-09-06 09:41 d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\SampleView
2008-09-06 09:44 . 2008-09-06 09:44 333 --a------ C:\WINDOWS\system32\$ncsp$.inf
2008-09-06 09:44 . 2004-05-25 07:04 278 --a------ C:\WINDOWS\logonper2.reg
2008-09-06 09:44 . 2004-05-25 07:04 192 --a------ C:\WINDOWS\logoffper2.reg
2008-09-06 09:44 . 2008-09-06 09:44 61 --a------ C:\WINDOWS\smscfg.ini
2008-09-06 09:42 . 2008-09-06 09:42 1,980 -rahs---- C:\WINDOWS\system32\drivers\103C_HP_BPC_HP Compaq dc7800 Convertible Minitower_YB_0Comp_QMXL836_EKA610UTABA_48_I0AACh_SHP_V_B786F1 v01.04_T070718_WXP2_L409_M995_J80_7Intel_8Core2 Duo E4600_92.39_#080906_N808610BD_(KA610UT#ABA)_X_CD6_Z_2.MRK
2008-09-06 09:41 . 2008-09-06 09:07 d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Infineon
2008-09-06 09:41 . 2008-09-06 09:41 d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-09-06 09:41 . 2007-08-24 07:00 172,032 --a------ C:\WINDOWS\system32\igfxres.dll
2008-09-06 09:37 . 2008-09-06 09:37 d-------- C:\WINDOWS\DRIVERS
2008-09-06 09:36 . 2008-10-06 07:52 d-------- C:\WINDOWS\SMINST
2008-09-06 09:36 . 2008-09-25 11:10 d-------- C:\WINDOWS\CREATOR
2008-09-06 09:36 . 2005-10-10 16:03 266,240 --a------ C:\WINDOWS\system32\ShellvRTF64.dll
2008-09-06 09:36 . 2002-09-21 01:42 122,880 --a------ C:\WINDOWS\system32\ShellvRTF.dll
2008-09-06 09:32 . 2003-01-14 14:11 8,038 --a------ C:\WINDOWS\system32\oemlogo.bmp
2008-09-06 09:28 . 2008-09-06 09:28 d-------- C:\Program Files\Compaq
2008-09-06 09:28 . 2005-01-19 12:25 339,968 -ra------ C:\WINDOWS\system32\msvcr70.dll
2008-09-06 09:25 . 2008-09-06 09:25 d-------- C:\Program Files\Microsoft Small Business
2008-09-06 09:25 . 2008-09-06 09:25 d-------- C:\Program Files\Activation Assistant for the 2007 Microsoft Office suites
2008-09-06 09:25 . 2008-09-06 09:25 d-------- C:\Documents and Settings\All Users\Application Data\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}
2008-09-06 09:25 . 2008-09-06 09:25 422 --a------ C:\WINDOWS\system32\mapisvc.inf
2008-09-06 09:23 . 2008-09-06 09:23 d-------- C:\Program Files\MSXML 6.0
2008-09-06 09:23 . 2008-09-06 09:23 d-------- C:\Program Files\Microsoft SQL Server
2008-09-06 09:21 . 2008-09-06 09:21 d-------- C:\Program Files\Microsoft Works
2008-09-06 09:20 . 2008-09-06 09:23 d-------- C:\Program Files\Microsoft.NET
2008-09-06 09:19 . 2008-09-06 09:21 d-------- C:\WINDOWS\SHELLNEW
2008-09-06 09:19 . 2008-09-06 09:19 dr-h----- C:\MSOCache
2008-09-06 09:19 . 2008-10-02 10:21 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-06 09:07 . 2008-09-06 09:07 d-------- C:\Program Files\InterVideo
2008-09-06 09:07 . 2008-09-06 09:07 d-------- C:\Documents and Settings\All Users\Application Data\Infineon
2008-09-06 09:07 . 2008-09-06 09:07 d-------- C:\Documents and Settings\Administrator\Application Data\Infineon
2008-09-06 09:07 . 2002-11-22 05:57 204,800 --a------ C:\WINDOWS\system32\IVIresizeW7.dll
2008-09-06 09:07 . 2002-11-22 05:57 200,704 --a------ C:\WINDOWS\system32\IVIresizeA6.dll
2008-09-06 09:07 . 2002-11-22 05:57 192,512 --a------ C:\WINDOWS\system32\IVIresizeP6.dll
2008-09-06 09:07 . 2002-11-22 05:57 192,512 --a------ C:\WINDOWS\system32\IVIresizeM6.dll
2008-09-06 09:07 . 2002-11-22 05:57 188,416 --a------ C:\WINDOWS\system32\IVIresizePX.dll
2008-09-06 09:07 . 2002-11-22 05:57 20,480 --a------ C:\WINDOWS\system32\IVIresize.dll
2008-09-06 09:06 . 2008-09-06 09:08 d-------- C:\Program Files\HPQ
2008-09-06 09:06 . 2008-09-06 09:06 d-------- C:\Program Files\Common Files\postureAgent
2008-09-06 09:06 . 2008-09-06 09:06 d-------- C:\Program Files\Common Files\InterVideo
2008-09-06 09:06 . 2008-09-06 09:06 d-------- C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-09-06 09:06 . 2008-09-06 09:06 d-------- C:\Documents and Settings\Administrator\Application Data\hpqLog
2008-09-06 09:06 . 2007-06-07 11:37 920,344 --a------ C:\WINDOWS\system32\mesoludlg.exe
2008-09-06 09:05 . 2008-09-06 09:06 d-------- C:\Program Files\Intel
2008-09-06 09:05 . 2008-09-06 09:36 d--h----- C:\Program Files\InstallShield Installation Information
2008-09-06 09:05 . 2008-09-06 09:06 d-------- C:\Program Files\Common Files\InstallShield
2008-09-06 09:05 . 2008-09-06 09:05 d-------- C:\Program Files\Analog Devices
2008-09-06 09:05 . 2001-09-11 18:20 1,285,632 --a------ C:\WINDOWS\system32\SMMedia.dll
2008-09-06 09:05 . 2007-06-07 11:37 920,344 --a------ C:\WINDOWS\system32\heciudlg.exe
2008-09-06 09:05 . 2005-05-04 12:20 53,248 --a------ C:\WINDOWS\system32\wdmioctl.dll
2008-09-06 09:05 . 2006-07-10 18:42 49,152 --a------ C:\WINDOWS\system32\DSndUp.exe
2008-09-06 09:05 . 2002-04-17 18:05 45,056 --a------ C:\WINDOWS\system32\CleanUp.exe
2008-09-06 09:03 . 2008-09-06 09:03 d-------- C:\Program Files\Java
2008-09-06 09:03 . 2008-09-06 09:03 d-------- C:\Program Files\Common Files\Java
2008-09-06 09:03 . 2007-03-14 05:04 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-06 12:50 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4


Solved Re: help with spyware/virus

Post by joeysvt01 on 6th October 2008, 11:57 am

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-27 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-09-07 141848]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-09-07 166424]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-09-07 137752]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-04-26 1015808]
"atchk"="C:\Program Files\Intel\AMT\atchk.exe" [2007-06-07 408344]
"PTHOSTTR"="c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]
"IFXSPMGT"="C:\WINDOWS\system32\ifxspmgt.exe" [2007-05-23 677408]
"SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"CognizanceTS"="C:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]
"Recguard"="C:\WINDOWS\Sminst\Recguard.exe" [2006-05-12 1138688]
"Reminder"="C:\WINDOWS\Creator\Remind_XP.exe" [2006-03-31 761856]
"Scheduler"="C:\WINDOWS\SMINST\Scheduler.exe" [2006-07-10 872448]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-10-03 1234712]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=APSHook.dll,avgrsstx.dll gvvmbf.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ SbHpNp scecli ASWLNPkg

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\coc.local\netlogon\WindowsXP-KB931836-x86-ENU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\WINDOWS\\SMINST\\Scheduler.exe"=

R0 SafeBoot;SafeBoot;C:\WINDOWS\system32\drivers\SafeBoot.sys [2007-06-13 101167]
R0 SbAlg;SbAlg;C:\WINDOWS\system32\drivers\SbAlg.sys [2006-10-09 44720]
R0 SbFsLock;SbFsLock;C:\WINDOWS\system32\drivers\SbFsLock.sys [2007-06-14 13184]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-10-03 97928]
R1 PersonalSecureDrive;PersonalSecureDrive;C:\WINDOWS\system32\drivers\psd.sys [2007-04-18 39080]
R1 RsvLock;RsvLock;C:\WINDOWS\system32\drivers\RsvLock.sys [2007-06-13 5808]
R2 ASChannel;Local Communication Channel;C:\WINDOWS\System32\svchost.exe [2006-02-27 14336]
R2 atchksrv;Intel(R) Active Management Technology System Status Service;C:\Program Files\Intel\AMT\atchksrv.exe [2007-06-07 183064]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-10-03 231704]
R2 HpFkCryptService;Drive Encryption Service;C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [2007-07-09 221184]
R2 LMS;Intel(R) Active Management Technology Local Management Service;C:\Program Files\Intel\AMT\LMS.exe [2007-06-07 109336]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2007-02-10 29178224]
R2 UNS;Intel(R) Active Management Technology User Notification Service;C:\Program Files\Intel\AMT\UNS.exe [2007-06-07 2521880]
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2007-12-18 44800]
S1 irenumm;irenumm;C:\WINDOWS\system32\drivers\irenumm.sys [ ]
S2 0317191222355391mcinstcleanup;McAfee Application Installer Cleanup (0317191222355391);C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\031719~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini [ ]
S2 ASBroker;Logon Session Broker;C:\WINDOWS\System32\svchost.exe [2006-02-27 14336]
S3 VirtDisk;XSS Virtual Disk Driver;c:\windows\sminst\VirtDisk.sys [2006-05-05 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel
.
- - - - ORPHANS REMOVED - - - -

BHO-{24F9C7B1-2706-459E-895F-8561FE967CC5} - C:\WINDOWS\system32\hgGawuSI.dll
BHO-{88379D08-C9C1-4636-981D-EBCB315A9B8E} - C:\WINDOWS\system32\xxyXrqqR.dll
BHO-{f06b197d-196d-4ea0-bbe1-6d95a2f1060a} - C:\WINDOWS\system32\gvvmbf.dll
HKLM-Run-55ba0306 - C:\WINDOWS\system32\bxwjxtxd.dll
HKLM-Run-BM5689309a - C:\WINDOWS\system32\yglsnmqt.dll
ShellExecuteHooks-{88379D08-C9C1-4636-981D-EBCB315A9B8E} - C:\WINDOWS\system32\xxyXrqqR.dll
Notify-xxyXrqqR - xxyXrqqR.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = [You must be registered and logged in to see this link.]
R0 -: HKLM-Main,Start Page = [You must be registered and logged in to see this link.]
R1 -: HKCU-Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
O8 -: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O16 -: {7A16F968-8E79-11D4-AFC3-0060978DD938} - [You must be registered and logged in to see this link.]
C:\WINDOWS\Downloaded Program Files\slactvx.inf
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\mfc42.dll
C:\WINDOWS\system32\olepro32.dll
C:\WINDOWS\Downloaded Program Files\slactvx.ocx
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-10-06 07:52:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\IfxPsdSv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
C:\WINDOWS\system32\scardsvr.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Completion time: 2008-10-06 7:53:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-06 11:53:25

Pre-Run: 58,718,793,728 bytes free
Post-Run: 58,758,356,992 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect


Solved Re: help with spyware/virus

Post by Belahzur on 6th October 2008, 12:04 pm

Now open a new notepad file.
Input this into the notepad file:

File::
C:\WINDOWS\system32\chg.exe

Driver::
0317191222355391mcinstcleanup

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=APSHook.dll,avgrsstx.dll

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to its terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.



Solved Re: help with spyware/virus

Post by joeysvt01 on 6th October 2008, 1:00 pm

ComboFix 08-10-05.06 - Joey 2008-10-06 8:54:06.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.604 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFscript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\chg.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\chg.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_0317191222355391MCINSTCLEANUP
-------\Service_0317191222355391mcinstcleanup


((((((((((((((((((((((((( Files Created from 2008-09-06 to 2008-10-06 )))))))))))))))))))))))))))))))
.

2008-10-06 07:30 . 2008-10-06 07:30 d-------- C:\Documents and Settings\Administrator\Application Data\IUpd721
2008-10-06 07:28 . 2008-10-06 07:28 d-------- C:\Program Files\Trend Micro
2008-10-06 07:19 . 2008-10-06 07:19 d-------- C:\WINDOWS\Sun
2008-10-03 16:50 . 2008-10-03 16:50 d---s---- C:\Documents and Settings\Administrator\UserData
2008-10-03 16:24 . 2008-10-06 07:48 d--h----- C:\$AVG8.VAULT$
2008-10-03 16:22 . 2008-10-06 08:23 d-------- C:\WINDOWS\system32\drivers\Avg
2008-10-03 16:22 . 2008-10-03 16:22 d-------- C:\Program Files\AVG
2008-10-03 16:22 . 2008-10-03 16:22 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-10-03 16:22 . 2008-10-03 16:22 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-10-03 16:22 . 2008-10-03 16:22 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-10-03 14:48 . 2008-10-03 14:48 d-------- C:\Program Files\Lavasoft
2008-10-03 14:48 . 2008-10-03 14:49 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-03 14:46 . 2008-10-03 14:46 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-03 14:37 . 2008-10-03 15:44 d-------- C:\WINDOWS\system32\pet
2008-10-03 14:37 . 2008-10-03 16:43 d-------- C:\WINDOWS\system32\PAD6
2008-10-03 14:37 . 2008-10-03 15:44 d-------- C:\WINDOWS\system32\icon2
2008-10-03 14:37 . 2008-10-06 07:27 d-------- C:\WINDOWS\system32\EV19
2008-10-03 14:37 . 2008-10-03 14:37 d-------- C:\WINDOWS\system32\bak
2008-10-03 14:37 . 2008-10-03 14:37 d-------- C:\Temp\xp34
2008-10-03 14:37 . 2008-10-06 07:48 d-------- C:\Temp
2008-09-26 14:25 . 2008-09-26 14:25 d-------- C:\Program Files\Common Files\Adobe AIR
2008-09-26 14:24 . 2008-09-26 14:24 d-------- C:\Program Files\Common Files\Adobe
2008-09-26 14:16 . 2008-10-03 15:52 d-------- C:\Program Files\NOS
2008-09-26 14:16 . 2008-10-03 16:46 d-------- C:\Documents and Settings\All Users\Application Data\NOS
2008-09-26 13:54 . 2008-10-03 14:25 d-------- C:\Program Files\slactvx
2008-09-26 11:38 . 2008-09-26 11:40 d-------- C:\Program Files\Return to Castle Wolfenstein
2008-09-26 11:37 . 2008-09-26 11:40 810 --a------ C:\WINDOWS\Rtcw.INI
2008-09-26 09:11 . 2008-09-26 09:11 d-------- C:\Program Files\gs
2008-09-26 09:11 . 2005-05-07 14:14 90,112 --a------ C:\WINDOWS\system32\custmon2k.dll
2008-09-26 08:55 . 2004-06-06 20:17 53,248 --a------ C:\WINDOWS\system32\uninstpw.exe
2008-09-26 08:55 . 2005-05-07 14:15 24,576 --a------ C:\WINDOWS\system32\custsave.exe
2008-09-26 08:51 . 2008-09-26 08:51 d-------- C:\Program Files\Keller
2008-09-26 08:49 . 2008-09-26 08:49 d-------- C:\Program Files\PlotSoft
2008-09-26 07:44 . 2008-09-06 08:50 d--h----- C:\Documents and Settings\__sbs_netsetup__\Templates
2008-09-26 07:44 . 2008-09-06 08:50 dr------- C:\Documents and Settings\__sbs_netsetup__\Start Menu
2008-09-26 07:44 . 2008-09-06 08:50 dr-h----- C:\Documents and Settings\__sbs_netsetup__\SendTo
2008-09-26 07:44 . 2008-09-26 07:44 dr-h----- C:\Documents and Settings\__sbs_netsetup__\Recent
2008-09-26 07:44 . 2008-09-06 08:50 d--h----- C:\Documents and Settings\__sbs_netsetup__\PrintHood
2008-09-26 07:44 . 2008-09-06 08:50 d--h----- C:\Documents and Settings\__sbs_netsetup__\NetHood
2008-09-26 07:44 . 2008-09-26 07:44 dr------- C:\Documents and Settings\__sbs_netsetup__\My Documents
2008-09-26 07:44 . 2008-10-06 07:53 d--h----- C:\Documents and Settings\__sbs_netsetup__\Local Settings
2008-09-26 07:44 . 2008-09-26 07:44 dr------- C:\Documents and Settings\__sbs_netsetup__\Favorites
2008-09-26 07:44 . 2008-09-06 09:08 d-------- C:\Documents and Settings\__sbs_netsetup__\Desktop
2008-09-26 07:44 . 2008-09-06 08:50 d---s---- C:\Documents and Settings\__sbs_netsetup__\Cookies
2008-09-26 07:44 . 2008-09-06 09:03 d-------- C:\Documents and Settings\__sbs_netsetup__\Application Data\Sun
2008-09-26 07:44 . 2008-09-06 09:36 d-------- C:\Documents and Settings\__sbs_netsetup__\Application Data\SiteAdvisor
2008-09-26 07:44 . 2008-09-06 09:41 d-------- C:\Documents and Settings\__sbs_netsetup__\Application Data\SampleView
2008-09-26 07:44 . 2008-10-03 16:20 d---s---- C:\Documents and Settings\__sbs_netsetup__\Application Data\Microsoft
2008-09-26 07:44 . 2008-09-06 09:06 d-------- C:\Documents and Settings\__sbs_netsetup__\Application Data\InstallShield
2008-09-26 07:44 . 2008-09-06 09:07 d-------- C:\Documents and Settings\__sbs_netsetup__\Application Data\Infineon
2008-09-26 07:44 . 2008-09-06 08:50 d-------- C:\Documents and Settings\__sbs_netsetup__\Application Data\Identities
2008-09-26 07:44 . 2008-09-06 09:06 d-------- C:\Documents and Settings\__sbs_netsetup__\Application Data\hpqLog
2008-09-26 07:44 . 2008-09-26 07:44 dr-h----- C:\Documents and Settings\__sbs_netsetup__\Application Data
2008-09-26 07:44 . 2008-10-03 16:22 d-------- C:\Documents and Settings\__sbs_netsetup__
2008-09-26 07:44 . 2008-10-03 16:22 512,000 --a------ C:\Documents and Settings\__sbs_netsetup__\NTUSER.DAT
2008-09-26 07:42 . 2008-09-26 07:42 d-------- C:\WINDOWS\SchCache
2008-09-26 07:42 . 2008-09-26 07:42 d-------- C:\Program Files\Microsoft Windows Small Business Server
2008-09-26 07:41 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-09-26 07:41 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\dllcache\mouhid.sys
2008-09-26 07:41 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-09-26 07:41 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\dllcache\hidusb.sys
2008-09-25 14:23 . 2004-08-03 23:08 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys
2008-09-25 14:06 . 2008-09-25 14:06 d-------- C:\Program Files\Program Shortcuts
2008-09-25 11:10 . 2008-09-25 11:10 d--hs---- C:\System Recovery
2008-09-25 11:10 . 2008-05-21 05:35 434 --a------ C:\WINDOWS\myClean.bat
2008-09-25 11:08 . 2008-09-25 11:08 d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-09-25 11:08 . 2006-02-27 22:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-09-25 11:07 . 2008-09-06 09:06 d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\InstallShield
2008-09-25 11:07 . 2008-09-06 09:06 d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\hpqLog
2008-09-25 11:06 . 2008-09-06 09:41 d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\SampleView
2008-09-06 09:44 . 2008-09-06 09:44 333 --a------ C:\WINDOWS\system32\$ncsp$.inf
2008-09-06 09:44 . 2004-05-25 07:04 278 --a------ C:\WINDOWS\logonper2.reg
2008-09-06 09:44 . 2004-05-25 07:04 192 --a------ C:\WINDOWS\logoffper2.reg
2008-09-06 09:44 . 2008-09-06 09:44 61 --a------ C:\WINDOWS\smscfg.ini
2008-09-06 09:42 . 2008-09-06 09:42 1,980 -rahs---- C:\WINDOWS\system32\drivers\103C_HP_BPC_HP Compaq dc7800 Convertible Minitower_YB_0Comp_QMXL836_EKA610UTABA_48_I0AACh_SHP_V_B786F1 v01.04_T070718_WXP2_L409_M995_J80_7Intel_8Core2 Duo E4600_92.39_#080906_N808610BD_(KA610UT#ABA)_X_CD6_Z_2.MRK
2008-09-06 09:41 . 2008-09-06 09:07 d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Infineon
2008-09-06 09:41 . 2008-09-06 09:41 d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-09-06 09:41 . 2007-08-24 07:00 172,032 --a------ C:\WINDOWS\system32\igfxres.dll
2008-09-06 09:37 . 2008-09-06 09:37 d-------- C:\WINDOWS\DRIVERS
2008-09-06 09:36 . 2008-10-06 07:52 d-------- C:\WINDOWS\SMINST
2008-09-06 09:36 . 2008-09-25 11:10 d-------- C:\WINDOWS\CREATOR
2008-09-06 09:36 . 2005-10-10 16:03 266,240 --a------ C:\WINDOWS\system32\ShellvRTF64.dll
2008-09-06 09:36 . 2002-09-21 01:42 122,880 --a------ C:\WINDOWS\system32\ShellvRTF.dll
2008-09-06 09:32 . 2003-01-14 14:11 8,038 --a------ C:\WINDOWS\system32\oemlogo.bmp
2008-09-06 09:28 . 2008-09-06 09:28 d-------- C:\Program Files\Compaq
2008-09-06 09:28 . 2005-01-19 12:25 339,968 -ra------ C:\WINDOWS\system32\msvcr70.dll
2008-09-06 09:25 . 2008-09-06 09:25 d-------- C:\Program Files\Microsoft Small Business
2008-09-06 09:25 . 2008-09-06 09:25 d-------- C:\Program Files\Activation Assistant for the 2007 Microsoft Office suites
2008-09-06 09:25 . 2008-09-06 09:25 d-------- C:\Documents and Settings\All Users\Application Data\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}
2008-09-06 09:25 . 2008-09-06 09:25 422 --a------ C:\WINDOWS\system32\mapisvc.inf
2008-09-06 09:23 . 2008-09-06 09:23 d-------- C:\Program Files\MSXML 6.0
2008-09-06 09:23 . 2008-09-06 09:23 d-------- C:\Program Files\Microsoft SQL Server
2008-09-06 09:21 . 2008-09-06 09:21 d-------- C:\Program Files\Microsoft Works
2008-09-06 09:20 . 2008-09-06 09:23 d-------- C:\Program Files\Microsoft.NET
2008-09-06 09:19 . 2008-09-06 09:21 d-------- C:\WINDOWS\SHELLNEW
2008-09-06 09:19 . 2008-09-06 09:19 dr-h----- C:\MSOCache
2008-09-06 09:19 . 2008-10-02 10:21 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-06 09:07 . 2008-09-06 09:07 d-------- C:\Program Files\InterVideo
2008-09-06 09:07 . 2008-09-06 09:07 d-------- C:\Documents and Settings\All Users\Application Data\Infineon
2008-09-06 09:07 . 2008-09-06 09:07 d-------- C:\Documents and Settings\Administrator\Application Data\Infineon
2008-09-06 09:07 . 2002-11-22 05:57 204,800 --a------ C:\WINDOWS\system32\IVIresizeW7.dll
2008-09-06 09:07 . 2002-11-22 05:57 200,704 --a------ C:\WINDOWS\system32\IVIresizeA6.dll
2008-09-06 09:07 . 2002-11-22 05:57 192,512 --a------ C:\WINDOWS\system32\IVIresizeP6.dll
2008-09-06 09:07 . 2002-11-22 05:57 192,512 --a------ C:\WINDOWS\system32\IVIresizeM6.dll
2008-09-06 09:07 . 2002-11-22 05:57 188,416 --a------ C:\WINDOWS\system32\IVIresizePX.dll
2008-09-06 09:07 . 2002-11-22 05:57 20,480 --a------ C:\WINDOWS\system32\IVIresize.dll
2008-09-06 09:06 . 2008-09-06 09:08 d-------- C:\Program Files\HPQ
2008-09-06 09:06 . 2008-09-06 09:06 d-------- C:\Program Files\Common Files\postureAgent
2008-09-06 09:06 . 2008-09-06 09:06 d-------- C:\Program Files\Common Files\InterVideo
2008-09-06 09:06 . 2008-09-06 09:06 d-------- C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-09-06 09:06 . 2008-09-06 09:06 d-------- C:\Documents and Settings\Administrator\Application Data\hpqLog
2008-09-06 09:06 . 2007-06-07 11:37 920,344 --a------ C:\WINDOWS\system32\mesoludlg.exe
2008-09-06 09:05 . 2008-09-06 09:06 d-------- C:\Program Files\Intel
2008-09-06 09:05 . 2008-09-06 09:36 d--h----- C:\Program Files\InstallShield Installation Information
2008-09-06 09:05 . 2008-09-06 09:06 d-------- C:\Program Files\Common Files\InstallShield
2008-09-06 09:05 . 2008-09-06 09:05 d-------- C:\Program Files\Analog Devices
2008-09-06 09:05 . 2001-09-11 18:20 1,285,632 --a------ C:\WINDOWS\system32\SMMedia.dll
2008-09-06 09:05 . 2007-06-07 11:37 920,344 --a------ C:\WINDOWS\system32\heciudlg.exe
2008-09-06 09:05 . 2005-05-04 12:20 53,248 --a------ C:\WINDOWS\system32\wdmioctl.dll
2008-09-06 09:05 . 2006-07-10 18:42 49,152 --a------ C:\WINDOWS\system32\DSndUp.exe
2008-09-06 09:05 . 2002-04-17 18:05 45,056 --a------ C:\WINDOWS\system32\CleanUp.exe
2008-09-06 09:03 . 2008-09-06 09:03 d-------- C:\Program Files\Java
2008-09-06 09:03 . 2008-09-06 09:03 d-------- C:\Program Files\Common Files\Java
2008-09-06 09:03 . 2007-03-14 05:04 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-06 09:03 . 2004-11-18 13:42 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-06 12:50 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((( snapshot@2008-10-06_ 7.53.12.71 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-06 11:18:47 80,914 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-10-06 11:55:34 80,914 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-10-06 11:18:47 451,006 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-10-06 11:55:34 451,006 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

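One thing worth pulling out of the "Files Created" listing above: five directories under C:\WINDOWS\system32 (pet, PAD6, icon2, EV19, bak) plus C:\Temp and C:\Temp\xp34 were all created at 2008-10-03 14:37, three days before the thread. A dropper writes its payload in one burst, so clustering a ComboFix listing by creation minute and looking at what landed in system32 or a Temp folder surfaces that batch even when none of the names is recognisable. The following is an added example, not code from the thread or from ComboFix; the sample input is a handful of lines copied from the log above (plus one Find3M-format line the parser must ignore), and the list of sensitive path components is an assumption for this example.

```python
"""Cluster a ComboFix "Files Created" listing by creation minute.

Added example, not part of the thread. A dropper writes its payload in one
burst, so several new directories or files landing in system32 or a Temp
folder within the same minute stand out even when none of the names is
known. SAMPLE is constructed from lines of the thread's own ComboFix log;
SENSITIVE_COMPONENTS is an assumption for this example.
"""
import re
from collections import defaultdict

# ComboFix format: "<created> . <modified> [<size>] <attrs> <path>", where
# attrs is nine characters such as d--------, --a------ or -rahs----.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?:(?P<size>[\d,]+) )?"
    r"(?P<attrs>[d-][r-][a-][h-][s-]-{4}) "
    r"(?P<path>.+)$"
)

# Assumption: path components that make a newly created entry worth a look.
SENSITIVE_COMPONENTS = {"system32", "temp", "application data"}

# Constructed sample: lines copied from the thread's ComboFix log, plus one
# Find3M-format line (different layout) that the parser must skip.
SAMPLE = r"""
2008-10-06 07:30 . 2008-10-06 07:30 d-------- C:\Documents and Settings\Administrator\Application Data\IUpd721
2008-10-06 07:28 . 2008-10-06 07:28 d-------- C:\Program Files\Trend Micro
2008-10-03 16:22 . 2008-10-03 16:22 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-10-03 16:22 . 2008-10-03 16:22 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-10-03 14:37 . 2008-10-03 15:44 d-------- C:\WINDOWS\system32\pet
2008-10-03 14:37 . 2008-10-03 16:43 d-------- C:\WINDOWS\system32\PAD6
2008-10-03 14:37 . 2008-10-03 15:44 d-------- C:\WINDOWS\system32\icon2
2008-10-03 14:37 . 2008-10-06 07:27 d-------- C:\WINDOWS\system32\EV19
2008-10-03 14:37 . 2008-10-03 14:37 d-------- C:\WINDOWS\system32\bak
2008-10-03 14:37 . 2008-10-03 14:37 d-------- C:\Temp\xp34
2008-10-03 14:37 . 2008-10-06 07:48 d-------- C:\Temp
2008-09-06 12:50 --------- d-----w C:\Program Files\microsoft frontpage
"""


def parse_line(line):
    """Parse one listing line into a dict, or None if it is not in this format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"].replace(",", "")) if rec["size"] else None
    rec["is_dir"] = rec["attrs"].startswith("d")
    return rec


def parse_report(text):
    """Parse every line that matches; silently skip headers and other formats."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def in_sensitive_location(path):
    """True if any path component is on the watch list (case-insensitive)."""
    parts = {p.lower() for p in path.split("\\")}
    return bool(parts & SENSITIVE_COMPONENTS)


def creation_bursts(records, min_entries=3):
    """Group sensitive-location entries by creation minute and return the
    bursts of at least min_entries, largest first, as (minute, [paths])."""
    by_minute = defaultdict(list)
    for r in records:
        if in_sensitive_location(r["path"]):
            by_minute[r["created"]].append(r["path"])
    bursts = [(m, sorted(p)) for m, p in by_minute.items() if len(p) >= min_entries]
    return sorted(bursts, key=lambda b: (-len(b[1]), b[0]))


if __name__ == "__main__":
    for minute, paths in creation_bursts(parse_report(SAMPLE)):
        print(minute, "->", len(paths), "new entries in sensitive locations")
        for p in paths:
            print("   ", p)
```

Run against the sample, the only burst at the default threshold is the seven entries from 2008-10-03 14:37; the AVG driver and DLL created at 16:22 only appear if the threshold is lowered to two, which is the point: a legitimate install also writes in bursts, so the cluster tells you where to look, not what to delete.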

Solved Re: help with spyware/virus

Post by joeysvt01 on 6th October 2008, 1:00 pm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-27 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-09-07 141848]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-09-07 166424]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-09-07 137752]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-04-26 1015808]
"atchk"="C:\Program Files\Intel\AMT\atchk.exe" [2007-06-07 408344]
"PTHOSTTR"="c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]
"IFXSPMGT"="C:\WINDOWS\system32\ifxspmgt.exe" [2007-05-23 677408]
"SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"CognizanceTS"="C:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]
"Recguard"="C:\WINDOWS\Sminst\Recguard.exe" [2006-05-12 1138688]
"Reminder"="C:\WINDOWS\Creator\Remind_XP.exe" [2006-03-31 761856]
"Scheduler"="C:\WINDOWS\SMINST\Scheduler.exe" [2006-07-10 872448]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-10-03 1234712]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=APSHook.dll,avgrsstx.dll gvvmbf.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ SbHpNp scecli ASWLNPkg

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\coc.local\netlogon\WindowsXP-KB931836-x86-ENU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\WINDOWS\\SMINST\\Scheduler.exe"=

R0 SafeBoot;SafeBoot;C:\WINDOWS\system32\drivers\SafeBoot.sys [2007-06-13 101167]
R0 SbAlg;SbAlg;C:\WINDOWS\system32\drivers\SbAlg.sys [2006-10-09 44720]
R0 SbFsLock;SbFsLock;C:\WINDOWS\system32\drivers\SbFsLock.sys [2007-06-14 13184]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-10-03 97928]
R1 PersonalSecureDrive;PersonalSecureDrive;C:\WINDOWS\system32\drivers\psd.sys [2007-04-18 39080]
R1 RsvLock;RsvLock;C:\WINDOWS\system32\drivers\RsvLock.sys [2007-06-13 5808]
R2 ASChannel;Local Communication Channel;C:\WINDOWS\System32\svchost.exe [2006-02-27 14336]
R2 atchksrv;Intel(R) Active Management Technology System Status Service;C:\Program Files\Intel\AMT\atchksrv.exe [2007-06-07 183064]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-10-03 231704]
R2 HpFkCryptService;Drive Encryption Service;C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [2007-07-09 221184]
R2 LMS;Intel(R) Active Management Technology Local Management Service;C:\Program Files\Intel\AMT\LMS.exe [2007-06-07 109336]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2007-02-10 29178224]
R2 UNS;Intel(R) Active Management Technology User Notification Service;C:\Program Files\Intel\AMT\UNS.exe [2007-06-07 2521880]
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2007-12-18 44800]
S1 irenumm;irenumm;C:\WINDOWS\system32\drivers\irenumm.sys [ ]
S2 ASBroker;Logon Session Broker;C:\WINDOWS\System32\svchost.exe [2006-02-27 14336]
S3 VirtDisk;XSS Virtual Disk Driver;c:\windows\sminst\VirtDisk.sys [2006-05-05 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel
.

**************************************************************************


Solved Re: help with spyware/virus

Post by Belahzur on 6th October 2008, 1:02 pm

How's everything? The log looks clean, one last scan to pick up leftovers.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log with a fresh copy of HijackThis log.



Solved Re: help with spyware/virus

Post by joeysvt01 on 6th October 2008, 1:09 pm

It is doing much better and seems to be back to normal. Thanks so much for your help. I would like to donate some money to this site if that is possible.


Solved Re: help with spyware/virus

Post by joeysvt01 on 6th October 2008, 1:11 pm

Malwarebytes' Anti-Malware 1.28
Database version: 1233
Windows 5.1.2600 Service Pack 2

2008-10-06 09:09:59
mbam-log-2008-10-06 (09-09-59).txt

Scan type: Quick Scan
Objects scanned: 48776
Time elapsed: 2 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:11, on 2008-10-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\ifxspmgt.exe
C:\WINDOWS\system32\ifxtcs.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\WINDOWS\system32\IfxPsdSv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\AMT\atchk.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\WINDOWS\SMINST\Scheduler.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [atchk] "C:\Program Files\Intel\AMT\atchk.exe"
O4 - HKLM\..\Run: [PTHOSTTR] c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [IFXSPMGT] C:\WINDOWS\system32\ifxspmgt.exe /NotifyLogon
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\DownloadPDF.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {7A16F968-8E79-11D4-AFC3-0060978DD938} (SL Map Control) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = COC.local
O17 - HKLM\Software\..\Telephony: DomainName = COC.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = COC.local
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: APSHook.dll,avgrsstx.dll gvvmbf.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Intel(R) Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Drive Encryption Service (HpFkCryptService) - SafeBoot International - C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\ifxspmgt.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\ifxtcs.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Intel(R) Active Management Technology Local Management Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: Personal Secure Drive service (PersonalSecureDriveService) - Infineon Technologies AG - C:\WINDOWS\system32\IfxPsdSv.exe
O23 - Service: Intel(R) Active Management Technology User Notification Service (UNS) - Intel - C:\Program Files\Intel\AMT\UNS.exe

--
End of file - 7289 bytes


Solved Re: help with spyware/virus

Post by Belahzur on 6th October 2008, 1:16 pm


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the box next to this line:


    O20 - AppInit_DLLs: APSHook.dll,avgrsstx.dll gvvmbf.dll


  • Press "Fix Checked"
  • Close Hijack This.

====

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

  • Download the latest version of [You must be registered and logged in to see this link.].
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 7".
  • Click the "Download" button to the right.
  • In the Window that opens, select your platform and language, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add or Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    - Java 2 Runtime Environment, SE v1.4.2
    - J2SE Runtime Environment 5.0
    - J2SE Runtime Environment 5.0 Update 2
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windows-i586-p.exe that you downloaded to install the newest version.

====

Please download JavaRa from [You must be registered and logged in to see this link.]


  • First, unzip it.
  • Then run JavaRa.
  • Press Remove older versions
  • Press yes to the prompt.
  • It will make a log file of what it's removed.
  • Copy and paste the log back here.

===


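Two details of the AppInit_DLLs line worth making explicit. First, Windows reads AppInit_DLLs as a space- or comma-delimited list, so "APSHook.dll,avgrsstx.dll gvvmbf.dll" is three DLLs loaded into every process that links user32.dll, and the space before gvvmbf.dll is not a typo. Second, the first CFScript's Registry:: block set the value to "APSHook.dll,avgrsstx.dll", yet the post-run "Reg Loading Points" section and the fresh HijackThis O20 line both still show gvvmbf.dll, which is why the entry is being fixed again here. The following is an added example, not code from the thread, ComboFix or HijackThis: it splits the value the way the loader does, separates the allowlisted DLLs from the rest, writes the ComboFix Registry:: stanza that keeps only the allowlisted ones, and compares the value before and after a fix so a re-added entry is caught. The KNOWN_GOOD allowlist is an assumption for this one machine, taken from the thread's logs (APSHook.dll ships with HP ProtectTools, avgrsstx.dll with AVG 8); on any other host each DLL has to be vetted before it goes on the list.

```python
"""AppInit_DLLs triage: split the value as the Windows loader does, separate
known-good entries from unexplained ones, emit the ComboFix Registry:: stanza
that keeps only the known-good ones, and confirm after a reboot that the
removed entry did not come back.

Added example, not code from the thread. KNOWN_GOOD is an assumption for this
one machine, taken from the thread's own logs: APSHook.dll belongs to HP
ProtectTools and avgrsstx.dll to AVG 8. On another host you must vet each DLL
(publisher signature, install date, owning package) before allowlisting it.
"""
import re

# Assumption: DLLs positively identified as legitimate on this host.
KNOWN_GOOD = {"apshook.dll", "avgrsstx.dll"}

APPINIT_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows"


def split_appinit(value):
    """Windows treats AppInit_DLLs as a space- or comma-delimited list, so
    'APSHook.dll,avgrsstx.dll gvvmbf.dll' is three DLLs, not two."""
    return [p for p in re.split(r"[ ,]+", value.strip()) if p]


def extract_value(line):
    """Pull the raw value out of a HijackThis 'O20 - AppInit_DLLs:' line or a
    REGEDIT4-style '"AppInit_DLLs"=' line as printed in a ComboFix log."""
    s = line.strip()
    for pat in (r'^O20 - AppInit_DLLs:\s*(.*)$', r'^"AppInit_DLLs"=(.*)$'):
        m = re.match(pat, s)
        if m:
            return m.group(1).strip()
    raise ValueError("not an AppInit_DLLs line: %r" % line)


def triage(value, known_good=KNOWN_GOOD):
    """Return (keep, suspicious): allowlisted entries and everything else."""
    entries = split_appinit(value)
    keep = [e for e in entries if e.lower() in known_good]
    suspicious = [e for e in entries if e.lower() not in known_good]
    return keep, suspicious


def cfscript_registry_stanza(value, known_good=KNOWN_GOOD):
    """Build the Registry:: block for a CFScript.txt that rewrites AppInit_DLLs
    with only the allowlisted entries (same layout as the thread's script)."""
    keep, _ = triage(value, known_good)
    return 'Registry::\n[%s]\n"AppInit_DLLs"=%s\n' % (APPINIT_KEY, ",".join(keep))


def still_present(before, after, known_good=KNOWN_GOOD):
    """Suspicious entries from `before` that are still in `after`, i.e. that
    survived (or were re-added after) a fix and reboot. A non-empty result
    means something is rewriting the value, and the component doing the
    writing, not just the registry value, has to be removed."""
    _, suspicious_before = triage(before, known_good)
    after_entries = {e.lower() for e in split_appinit(after)}
    return [e for e in suspicious_before if e.lower() in after_entries]


if __name__ == "__main__":
    # Values as they appear in the thread's logs, before and after the first CFScript.
    before = extract_value('"AppInit_DLLs"=APSHook.dll,avgrsstx.dll gvvmbf.dll')
    keep, suspicious = triage(before)
    print("keep:", keep, "suspicious:", suspicious)
    print(cfscript_registry_stanza(before))
    after = extract_value("O20 - AppInit_DLLs: APSHook.dll,avgrsstx.dll gvvmbf.dll")
    print("survived fix:", still_present(before, after))
```

Feeding the thread's two log lines through still_present() returns ["gvvmbf.dll"], which is the signal that the value is being re-written and that the next step is finding the writer (a service, scheduled task or the DLL itself), not just clearing the value a second time.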

Solved Re: help with spyware/virus

Post by Doctor Inferno on 6th October 2008, 1:31 pm

[You must be registered and logged in to see this link.] wrote: Thanks so much for your help. I would like to donate some money to this site if that is possible.

Thank you very much for your generosity and support. At the moment, we do not accept donations because we are here to help for free, but we would be very grateful if you can stay active and spread the word of GeekPolice.

Cheers!


