
Malwarebytes

Can't Get Malwarebytes to Run


12 replies to this topic

#1
strwlf

    New Member

  • Members
  • 7 posts
Okay,
I tried to install MB on a PC that's having all sorts of issues. The install runs fine, but as soon as I try to start MB something is deleting the mbam.exe file. I installed Symantec and performed a manual update, but I still can't get MB to run. Whatever it is is also fouling up my internet connection. I can acquire an IP and ping the router, but I can't ping anything outside of the network. I currently have the PC off my network and am moving files and utilities back and forth via a USB stick. Below is the HijackThis log. Any help on this would be greatly appreciated. I've helped a lot of friends and family remove garbage from their computers, but this one takes the cake.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:13:10 PM, on 11/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Symantec AntiVirus\DefWatch.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Symantec AntiVirus\Rtvscan.exe
E:\Program Files\Viewpoint\Common\ViewpointService.exe
E:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
E:\WINDOWS\Explorer.exe
E:\Program Files\Java\jre6\bin\jusched.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\PROGRA~1\SYMANT~1\VPTray.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
E:\WINDOWS\system32\NOTEPAD.EXE
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe logon.exe
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 alarm-security.microsoft.com
O1 - Hosts: 94.232.248.66 inetantivir.com
O1 - Hosts: 94.232.248.66 www.inetantivir.com
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - E:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O3 - Toolbar: My.Freeze.com Toolbar - {D0523BB4-21E7-11DD-9AB7-415B56D89593} - E:\Program Files\My.Freeze.com Toolbar\freeze_us.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - E:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.9.0\IEViewBar.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [HPPQVideo] "E:\Program Files\HP\ScheduledLaunch\HP Color LaserJet CM2320 MFP Series\bin\hppschlnch.exe" -r SOFTWARE\Hewlett-Packard\ScheduledLaunch\CLJ_CM2320_MFP_Series -f PQOptimizerVideo.xml -o remindLater
O4 - HKLM\..\Run: [ToolBoxFX] "E:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /fl:on /fr:on /appData:on /tmcp:on
O4 - HKLM\..\Run: [hpqSRMon] E:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [HP Software Update] E:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [tiwelikif] Rundll32.exe "e:\windows\system32\najibite.dll",a
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] E:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TomcatStartup 2.5] E:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] E:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~2.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" -"http://www.king.com/single_play.jsp?game=magicspinball&altVer=false&gameMode=2"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.cnet.com
O15 - Trusted Zone: http://*.download.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {1896F800-6EFB-422F-A04B-AA7D44D9A4A9} (ATI Web DVR Control) - http://24.144.169.24...0/WebClient.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://www.worldwinn...jattack/bja.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A4E1FE6-CF08-444B-930B-5F8DE5D18886}: NameServer = 208.67.222.222,208.67.220.220
O20 - AppInit_DLLs: cru629.dat sojohehu.dll e:\windows\system32\najibite.dll
O20 - Winlogon Notify: dcdeebbcbcac - E:\WINDOWS\system32\dcdeebbcbcac.dll (file missing)
O21 - SSODL: nofegogom - {4999c6be-ec74-4cd1-9fee-5fb04ad0e0bb} - e:\windows\system32\sorujawi.dll (file missing)
O21 - SSODL: sanojivon - {58760d6c-ae0b-46c2-b146-d75b963ce5c8} - e:\windows\system32\najibite.dll
O22 - SharedTaskScheduler: jugezatag - {4999c6be-ec74-4cd1-9fee-5fb04ad0e0bb} - e:\windows\system32\sorujawi.dll (file missing)
O22 - SharedTaskScheduler: tokatiluy - {58760d6c-ae0b-46c2-b146-d75b963ce5c8} - e:\windows\system32\najibite.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - E:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - E:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - E:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - E:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7866 bytes
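The log above carries the classic pattern of a rogue-antivirus infection: hosts-file entries that send security-vendor domains to an outside address, a modified system.ini Shell= value, an AppInit_DLLs entry that injects DLLs into every process, Run/SSODL/SharedTaskScheduler load points pointing at random-named DLLs in system32, and a set of orphaned "(file missing)" entries. The Python script below is an added example, not part of this thread and not HijackThis or Malwarebytes code: it reads HijackThis-format lines and flags those categories with the editor's own heuristics. SAMPLE_LOG is constructed from the kinds of entries that appear in the log above; the section codes (O1, F2, O4, O15, O20, O21, O22) are HijackThis's own.

```python
"""Triage heuristics for HijackThis (HJT) log lines.

Added example: not part of the thread and not HijackThis or Malwarebytes code.
The rules below are the editor's own heuristics; SAMPLE_LOG is constructed
from the kinds of entries that appear in the log posted above.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Targets that are legitimate for hosts-file lines such as "::1 localhost".
LOOPBACK = {"127.0.0.1", "::1"}

# Load points where a DLL-based entry is rare for legitimate software:
# O20 = AppInit_DLLs / Winlogon Notify, O21 = SSODL, O22 = SharedTaskScheduler.
DLL_LOADPOINTS = {"O20", "O21", "O22"}

# Every HJT entry is "<section> - <body>", e.g. "O1 - Hosts: ::1 localhost".
HJT_LINE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str
    severity: str  # "high" (active hijack) or "review" (needs a human look)
    reason: str
    line: str


def triage_hjt(lines):
    """Return a list of Finding objects for the suspicious entries in `lines`."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue  # banner, blank or free-text line
        sec, body = m.group("sec"), m.group("body")

        if sec == "O1" and body.startswith("Hosts:"):
            # A hosts entry that sends a domain anywhere but loopback is the
            # classic "vendor site / update server blocked" symptom.
            parts = body[len("Hosts:"):].split()
            if len(parts) >= 2 and parts[0] not in LOOPBACK:
                findings.append(Finding(sec, "high",
                    f"hosts file maps {parts[1]} to {parts[0]}", line))
        elif sec == "F2" and "Shell=" in body:
            # system.ini Shell= should be exactly Explorer.exe; anything
            # appended after it is started at every logon.
            shell = body.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                findings.append(Finding(sec, "high",
                    f"Winlogon Shell is '{shell}', expected 'Explorer.exe'", line))
        elif sec == "O4" and "rundll32" in body.lower():
            findings.append(Finding(sec, "review",
                "Run key loads a DLL through rundll32", line))
        elif sec == "O15":
            findings.append(Finding(sec, "review",
                "site added to the IE Trusted Zone", line))
        elif sec in DLL_LOADPOINTS:
            if body.startswith("AppInit_DLLs:"):
                dlls = body[len("AppInit_DLLs:"):].split()
                if dlls:  # an empty AppInit_DLLs value is the normal state
                    findings.append(Finding(sec, "high",
                        f"AppInit_DLLs injects {len(dlls)} DLL(s) into every process", line))
            else:
                findings.append(Finding(sec, "review",
                    "shell/Winlogon load point rarely used by legitimate software", line))

        # Orphaned entries are not malicious by themselves, but they show where
        # something was removed (or is hiding) and should be cleaned up.
        if "(file missing)" in body or "(no file)" in body:
            findings.append(Finding(sec, "review",
                "entry references a file that is no longer present", line))
    return findings


def severity_counts(findings):
    """Count findings per severity, e.g. {'high': 3, 'review': 6}."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample, modelled on the entries in the thread's HijackThis log.
SAMPLE_LOG = [
    "Logfile of Trend Micro HijackThis v2.0.2",
    r"R3 - Default URLSearchHook is missing",
    r"F2 - REG:system.ini: Shell=Explorer.exe logon.exe",
    r"O1 - Hosts: ::1 localhost",
    r"O1 - Hosts: 94.232.248.66 alarm-security.microsoft.com",
    r"O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)",
    r'O4 - HKLM\..\Run: [tiwelikif] Rundll32.exe "e:\windows\system32\najibite.dll",a',
    r'O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O15 - Trusted Zone: http://*.download.com",
    r"O20 - AppInit_DLLs: cru629.dat sojohehu.dll e:\windows\system32\najibite.dll",
    r"O20 - Winlogon Notify: dcdeebbcbcac - E:\WINDOWS\system32\dcdeebbcbcac.dll (file missing)",
    r"O21 - SSODL: sanojivon - {58760d6c-ae0b-46c2-b146-d75b963ce5c8} - e:\windows\system32\najibite.dll",
    r"O23 - Service: Symantec AntiVirus - Symantec Corporation - E:\Program Files\Symantec AntiVirus\Rtvscan.exe",
]

if __name__ == "__main__":
    results = triage_hjt(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
    print(severity_counts(results))
```

Run against a saved log with `triage_hjt(open("hijackthis.log").readlines())`. The three "high" hits on the sample (Shell= tampering, the hosts redirect, AppInit_DLLs) are the ones that explain the symptoms in the first post: blocked vendor sites and a DLL loaded into every process, including the one that removes mbam.exe. The "review" hits are not proof of infection on their own; legitimate toolbars leave orphaned entries too, which is why they are reported separately.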

#2
Rosty

    Advanced Member

  • Trusted Advisors
  • 126 posts
  • Gender:Male
  • Location:Belgium
  • Interests:Skydiving and helping others with PC problems!!
Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix when you've accomplished that.

#3
strwlf

    New Member

  • Members
  • 7 posts

Rosty, on Nov 3 2009, 10:41 AM, said:

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix when you've accomplished that.
First,
Thanks for trying to help me with this. It's very much appreciated.
During the install of ComboFix I was alerted that this PC didn't have the Windows Recovery Console and was asked to be connected to the internet. I plugged in the network cable and came back to my computer to read the instructions again to see what they said about that. When I got back it was scanning, so I'm not sure if it was able to get and install the Recovery Console or not (considering I could get a ping for anything but my router when I was checking that earlier). I have it downloaded and sitting on a USB stick waiting for manual install but didn't want to do that without checking with you first.
Now, that said, below is the log file from ComboFix.


ComboFix 09-11-02.05 - User 11/03/2009 12:47.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1247.763 [GMT -5:00]
Running from: e:\documents and settings\User\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

e:\documents and settings\All Users\Application Data\aveniwa.inf
e:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
e:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
e:\documents and settings\User\err.log
e:\documents and settings\User\Local Settings\Temporary Internet Files\ezuvyka.scr
e:\documents and settings\User\Local Settings\Temporary Internet Files\hize.com
e:\documents and settings\User\Local Settings\Temporary Internet Files\imobe.pif
e:\documents and settings\User\Local Settings\Temporary Internet Files\jurymaty.db
e:\documents and settings\User\Local Settings\Temporary Internet Files\lapirabona.db
e:\documents and settings\User\Local Settings\Temporary Internet Files\piwaveb.inf
e:\documents and settings\User\Local Settings\Temporary Internet Files\qoqeho._dl
e:\documents and settings\User\Local Settings\Temporary Internet Files\ubenyxi.scr
e:\documents and settings\User\Local Settings\Temporary Internet Files\ybitutur.reg
e:\program files\Common Files\evopajuhim.reg
e:\program files\Common Files\ypyh.reg
e:\program files\Smart-Shopper
e:\program files\WinPCap
e:\program files\WinPCap\rpcapd.exe
e:\windows\adovehusin.vbs
e:\windows\atotijep.scr
e:\windows\ekisyz.inf
e:\windows\system32\binanuye.dll.tmp
e:\windows\system32\drivers\npf.sys
e:\windows\system32\kukamibi.dll
e:\windows\system32\najibite.dll
e:\windows\system32\Packet.dll
e:\windows\system32\pthreadVC.dll
e:\windows\system32\tahiraga.dll.tmp
e:\windows\system32\vipafiyu.dll
e:\windows\system32\vusuputu.dll
e:\windows\system32\vuzepeta.dll
e:\windows\system32\WanPacket.dll
e:\windows\system32\wpcap.dll
e:\windows\system32\yayosiyi.dll.tmp
e:\windows\system32\yifuyijo.dll
e:\windows\system32\yofolufe.dll
e:\windows\system32\yomabone.dll
e:\windows\system32\zasepago.dll
e:\windows\ufysajyk.inf
e:\windows\uqejydi.scr

----- BITS: Possible infected sites -----

hxxp://77.74.48.111
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE
-------\Legacy_NPF
-------\Legacy_PASSWORD
-------\Service_npf


((((((((((((((((((((((((( Files Created from 2009-10-03 to 2009-11-03 )))))))))))))))))))))))))))))))
.

2009-11-02 17:12 . 2009-11-02 17:12 -------- d-----w- e:\program files\Trend Micro
2009-11-02 00:52 . 2009-11-02 00:52 -------- d-----w- e:\documents and settings\User\Local Settings\Application Data\Symantec
2009-11-02 00:51 . 2005-09-17 05:20 87768 ----a-w- e:\windows\system32\S32EVNT1.DLL
2009-11-02 00:51 . 2005-09-17 05:20 108168 ----a-w- e:\windows\system32\drivers\SYMEVENT.SYS
2009-11-02 00:49 . 2009-11-02 02:58 -------- d-----w- e:\program files\Symantec
2009-11-02 00:48 . 2009-11-03 17:58 -------- d-----w- e:\program files\Symantec AntiVirus
2009-10-29 18:43 . 2009-10-30 13:09 342304 --sha-w- e:\windows\system32\drivers\fidbox.dat
2009-10-29 18:43 . 2009-10-30 13:09 22560 --sha-w- e:\windows\system32\drivers\fidbox2.dat
2009-10-29 18:36 . 2009-10-29 19:11 -------- d-----w- e:\program files\Common Files\ParetoLogic
2009-10-29 18:36 . 2009-10-29 19:11 -------- d-----w- e:\documents and settings\All Users\Application Data\ParetoLogic
2009-10-28 20:44 . 2009-10-28 20:44 -------- d-----w- e:\documents and settings\User\Local Settings\Application Data\Threat Expert
2009-10-28 20:29 . 2009-10-08 15:31 1636304 ----a-w- e:\windows\PCTBDCore.dll
2009-10-28 20:24 . 2009-10-29 14:49 -------- d-----w- e:\program files\Spyware Doctor
2009-10-28 20:24 . 2009-10-29 14:49 -------- d-----w- e:\program files\Common Files\PC Tools
2009-10-27 16:56 . 2009-10-29 14:19 -------- d-----w- e:\documents and settings\All Users\Application Data\avg9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-02 01:48 . 2008-05-29 15:49 -------- d-----w- e:\program files\Common Files\Symantec Shared
2009-11-02 00:49 . 2009-07-24 22:00 -------- d-----w- e:\documents and settings\All Users\Application Data\Symantec
2009-11-02 00:46 . 2009-10-29 19:18 -------- d-----w- e:\program files\Malwarebytes' Anti-Malware
2009-11-02 00:20 . 2009-11-02 00:20 -------- d-----w- e:\program files\Windows Resource Kits
2009-11-02 00:11 . 2009-11-02 00:11 -------- d-----w- e:\program files\Windows Resource Kit
2009-11-01 18:39 . 2006-07-14 18:34 -------- d-----w- e:\program files\Viewpoint
2009-10-30 13:31 . 2009-10-29 19:22 -------- d-----w- e:\documents and settings\User\Application Data\SUPERAntiSpyware.com
2009-10-30 13:09 . 2009-10-29 18:43 5660 --sha-w- e:\windows\system32\drivers\fidbox.idx
2009-10-30 13:09 . 2009-10-29 18:43 3188 --sha-w- e:\windows\system32\drivers\fidbox2.idx
2009-10-29 19:22 . 2009-10-29 19:22 -------- d-----w- e:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-29 14:48 . 2008-07-23 17:38 -------- d---a-w- e:\documents and settings\All Users\Application Data\TEMP
2009-10-28 14:53 . 2006-06-14 13:03 -------- d-----w- e:\program files\Common Files\InstallShield
2009-10-28 14:53 . 2007-04-27 14:20 -------- d--h--w- e:\program files\InstallShield Installation Information
2009-10-27 16:56 . 2008-09-17 19:16 -------- d-----w- e:\program files\AVG
2009-09-30 15:06 . 2006-07-19 14:02 -------- d-----w- e:\program files\Java
2009-09-11 14:18 . 2004-08-04 12:00 136192 ----a-w- e:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2009-11-02 00:46 38224 ----a-w- e:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-11-02 00:46 19160 ----a-w- e:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2004-08-04 12:00 58880 ----a-w- e:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2004-08-04 12:00 832512 ----a-w- e:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 12:00 78336 ----a-w- e:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-04 12:00 17408 ------w- e:\windows\system32\corpol.dll
2009-08-26 08:00 . 2004-08-04 12:00 247326 ----a-w- e:\windows\system32\strmdll.dll
2009-08-18 20:45 . 2006-06-14 15:31 31200 ----a-w- e:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-30 12:39 . 2009-07-30 12:39 16434 ----a-w- e:\program files\Common Files\kijedudo.pif
2009-07-30 12:39 . 2009-07-30 12:39 15968 ----a-w- e:\program files\Common Files\feqinuvoso.sys
2009-07-30 12:39 . 2009-07-30 12:39 14247 ----a-w- e:\program files\Common Files\kovogobydy.pif
2009-07-29 21:06 . 2009-07-29 21:06 10382 ----a-w- e:\program files\Common Files\esyb.lib
2009-07-29 21:06 . 2009-07-29 21:06 14305 ----a-w- e:\program files\Common Files\icyd.dat
2008-04-04 17:31 . 2008-04-04 17:31 12 ---h--w- e:\program files\SyncToyDirectoryId.txt
2006-08-21 17:51 . 2006-08-21 17:51 774144 ----a-w- e:\program files\RngInterstitial.dll
2008-04-07 06:59 . 2008-06-06 18:21 67696 ----a-w- e:\program files\mozilla firefox\components\jar50.dll
2008-04-07 06:59 . 2008-06-06 18:21 54376 ----a-w- e:\program files\mozilla firefox\components\jsd3250.dll
2008-04-07 06:59 . 2008-06-06 18:21 34952 ----a-w- e:\program files\mozilla firefox\components\myspell.dll
2008-04-07 06:59 . 2008-06-06 18:21 46720 ----a-w- e:\program files\mozilla firefox\components\spellchk.dll
2008-04-07 06:59 . 2008-06-06 18:21 172144 ----a-w- e:\program files\mozilla firefox\components\xpinstal.dll
2009-07-30 00:39 . 2009-07-30 00:39 90112 --sha-w- e:\windows\system32\supiyiha.dll
2009-02-27 21:16 . 2009-02-27 15:15 608 --sha-w- e:\windows\system32\winzvprt5.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D0523BB4-21E7-11DD-9AB7-415B56D89593}"= "e:\program files\My.Freeze.com Toolbar\freeze_us.dll" [2008-11-26 1916024]

[HKEY_CLASSES_ROOT\clsid\{d0523bb4-21e7-11dd-9ab7-415b56d89593}]
[HKEY_CLASSES_ROOT\TBSB00001.TBSB00001.3]
[HKEY_CLASSES_ROOT\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}]
[HKEY_CLASSES_ROOT\TBSB00001.TBSB00001]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D0523BB4-21E7-11DD-9AB7-415B56D89593}"= "e:\program files\My.Freeze.com Toolbar\freeze_us.dll" [2008-11-26 1916024]

[HKEY_CLASSES_ROOT\clsid\{d0523bb4-21e7-11dd-9ab7-415b56d89593}]
[HKEY_CLASSES_ROOT\TBSB00001.TBSB00001.3]
[HKEY_CLASSES_ROOT\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}]
[HKEY_CLASSES_ROOT\TBSB00001.TBSB00001]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPPQVideo"="e:\program files\HP\ScheduledLaunch\HP Color LaserJet CM2320 MFP Series\bin\hppschlnch.exe" [2007-05-07 106496]
"ToolBoxFX"="e:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2008-08-01 53248]
"hpqSRMon"="e:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"HP Software Update"="e:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"SunJavaUpdateSched"="e:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"ccApp"="e:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
"vptray"="e:\progra~1\SYMANT~1\VPTray.exe" [2005-11-15 85744]
"TomcatStartup 2.5"="e:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-11-12 245760]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ 'autocheck autochk *'

[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=e:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=e:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\Messenger\\msmsgs.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"e:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"e:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"e:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 Viewpoint Manager Service;Viewpoint Manager Service;e:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 1:09 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;e:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/1/2009 8:17 PM 102448]
S3 HPFXFAX;HPFXFAX;e:\windows\system32\drivers\hpfxfax.sys [2/27/2009 4:12 PM 20504]
S3 HPPLSBULK;HPPLSBULK;e:\windows\system32\drivers\hpplsbulk.sys [2/2/2005 6:29 PM 9344]
S3 SavRoam;SAVRoam;e:\program files\Symantec AntiVirus\SavRoam.exe [11/15/2005 1:27 PM 169200]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-11-03 e:\windows\Tasks\Norton Security Scan for User.job
- e:\program files\Norton Security Scan\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-07-24 23:58]

2009-11-02 e:\windows\Tasks\SyncToy.job
- e:\documents and settings\User\Local Settings\Application Data\SyncToy\SyncToy.exe [2006-10-25 14:04]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
IE: &Search
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: cnet.com\download
Trusted Zone: download.com
TCP: {5A4E1FE6-CF08-444B-930B-5F8DE5D18886} = 208.67.222.222,208.67.220.220
DPF: {1896F800-6EFB-422F-A04B-AA7D44D9A4A9} - hxxp://24.144.169.244:8000/WebClient.cab
FF - ProfilePath - e:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\3z0cuiwe.default\
FF - component: e:\program files\Mozilla Firefox\components\xpinstal.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - e:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{472734EA-242A-422B-ADF8-83D1E48CC825} - (no file)
HKLM-Run-tiwelikif - e:\windows\system32\najibite.dll
SharedTaskScheduler-{4999c6be-ec74-4cd1-9fee-5fb04ad0e0bb} - e:\windows\system32\sorujawi.dll
SharedTaskScheduler-{58760d6c-ae0b-46c2-b146-d75b963ce5c8} - e:\windows\system32\najibite.dll
SSODL-nofegogom-{4999c6be-ec74-4cd1-9fee-5fb04ad0e0bb} - e:\windows\system32\sorujawi.dll
SSODL-sanojivon-{58760d6c-ae0b-46c2-b146-d75b963ce5c8} - e:\windows\system32\najibite.dll
Notify-dcdeebbcbcac - e:\windows\system32\dcdeebbcbcac.dll
AddRemove-Smart-Shopper - e:\program files\Smart-Shopper\Uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-03 12:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2580)
e:\windows\system32\WININET.dll
e:\windows\system32\IEFRAME.dll
.
------------------------ Other Running Processes ------------------------
.
e:\program files\Common Files\Symantec Shared\ccSetMgr.exe
e:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
e:\program files\Symantec AntiVirus\DefWatch.exe
e:\program files\Java\jre6\bin\jqs.exe
e:\windows\system32\nvsvc32.exe
e:\program files\Symantec AntiVirus\Rtvscan.exe
e:\progra~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
e:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2009-11-03 13:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-03 18:08

Pre-Run: 21,237,133,312 bytes free
Post-Run: 25,402,884,096 bytes free

#4
Rosty

    Advanced Member

  • Trusted Advisors
  • 126 posts
  • Gender:Male
  • Location:Belgium
  • Interests:Skydiving and helping others with PC problems!!
Recovery Console gives us the ability to recover your computer if such a thing happens.

Nothing is going to change on your computer other than we're going to install Recovery Console.

  • Download combofix.exe by sUBs to your Desktop (it must be in this location).
  • Alternate Download
  • If you already have a previous version, delete it and download a new version.
  • Do not attempt to run Combofix other than in the method described below.
  • Go to Microsoft's website
  • Select the download that's appropriate for your Operating System


  • Download the file & save it as it's originally named, to your Desktop.


  • Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix.
  • When prompted, agree to the End-User License Agreement to install Microsoft Recovery Console.
  • When complete, a log named CF_RC.txt will open.
  • Please post the contents of that log.

Post a new HijackThis log also please!
Please do not shut down or reboot your machine until we have reviewed the log.

#5
strwlf

    New Member

  • Members
  • 7 posts

Rosty, on Nov 3 2009, 02:12 PM, said:

Recovery Console gives us the ability to recover your computer if such a thing happens.

Nothing is going to change on your computer other than we're going to install Recovery Console.

  • Download combofix.exe by sUBs to your Desktop (it must be in this location).
  • Alternate Download
  • If you already have a previous version, delete it and download a new version.
  • Do not attempt to run Combofix other than in the method described below.
  • Go to Microsoft's website
  • Select the download that's appropriate for your Operating System


  • Download the file & save it as it's originally named, to your Desktop.


  • Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix.
  • When prompted, agree to the End-User License Agreement to install Microsoft Recovery Console.
  • When complete, a log named CF_RC.txt will open.
  • Please post the contents of that log.

Post a new HijackThis log also please!
Please do not shut down or reboot your machine until we have reviewed the log.


Okay, I did as instructed and manually installed the Recovery Console (well, I dumped it on ComboFix). It went through everything as your instructions indicated, except that it never gave me a cf_rc.txt file (I even searched for it, but to no avail). It did, however, run another scan after I accepted the EULA for the Recovery Console, and below is that log file.

ComboFix 09-11-02.05 - User 11/03/2009 14:22.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1247.722 [GMT -5:00]
Running from: e:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: e:\documents and settings\User\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((( Files Created from 2009-10-03 to 2009-11-03 )))))))))))))))))))))))))))))))
.

2009-11-02 17:12 . 2009-11-02 17:12 -------- d-----w- e:\program files\Trend Micro
2009-11-02 00:52 . 2009-11-02 00:52 -------- d-----w- e:\documents and settings\User\Local Settings\Application Data\Symantec
2009-11-02 00:51 . 2005-09-17 05:20 87768 ----a-w- e:\windows\system32\S32EVNT1.DLL
2009-11-02 00:51 . 2005-09-17 05:20 108168 ----a-w- e:\windows\system32\drivers\SYMEVENT.SYS
2009-11-02 00:49 . 2009-11-02 02:58 -------- d-----w- e:\program files\Symantec
2009-11-02 00:48 . 2009-11-03 19:21 -------- d-----w- e:\program files\Symantec AntiVirus
2009-10-29 18:43 . 2009-10-30 13:09 342304 --sha-w- e:\windows\system32\drivers\fidbox.dat
2009-10-29 18:43 . 2009-10-30 13:09 22560 --sha-w- e:\windows\system32\drivers\fidbox2.dat
2009-10-29 18:36 . 2009-10-29 19:11 -------- d-----w- e:\program files\Common Files\ParetoLogic
2009-10-29 18:36 . 2009-10-29 19:11 -------- d-----w- e:\documents and settings\All Users\Application Data\ParetoLogic
2009-10-28 20:44 . 2009-10-28 20:44 -------- d-----w- e:\documents and settings\User\Local Settings\Application Data\Threat Expert
2009-10-28 20:29 . 2009-10-08 15:31 1636304 ----a-w- e:\windows\PCTBDCore.dll
2009-10-28 20:24 . 2009-10-29 14:49 -------- d-----w- e:\program files\Spyware Doctor
2009-10-28 20:24 . 2009-10-29 14:49 -------- d-----w- e:\program files\Common Files\PC Tools
2009-10-27 16:56 . 2009-10-29 14:19 -------- d-----w- e:\documents and settings\All Users\Application Data\avg9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-02 01:48 . 2008-05-29 15:49 -------- d-----w- e:\program files\Common Files\Symantec Shared
2009-11-02 00:49 . 2009-07-24 22:00 -------- d-----w- e:\documents and settings\All Users\Application Data\Symantec
2009-11-02 00:46 . 2009-10-29 19:18 -------- d-----w- e:\program files\Malwarebytes' Anti-Malware
2009-11-02 00:20 . 2009-11-02 00:20 -------- d-----w- e:\program files\Windows Resource Kits
2009-11-02 00:11 . 2009-11-02 00:11 -------- d-----w- e:\program files\Windows Resource Kit
2009-11-01 18:39 . 2006-07-14 18:34 -------- d-----w- e:\program files\Viewpoint
2009-10-30 13:31 . 2009-10-29 19:22 -------- d-----w- e:\documents and settings\User\Application Data\SUPERAntiSpyware.com
2009-10-30 13:09 . 2009-10-29 18:43 5660 --sha-w- e:\windows\system32\drivers\fidbox.idx
2009-10-30 13:09 . 2009-10-29 18:43 3188 --sha-w- e:\windows\system32\drivers\fidbox2.idx
2009-10-29 19:22 . 2009-10-29 19:22 -------- d-----w- e:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-29 14:48 . 2008-07-23 17:38 -------- d---a-w- e:\documents and settings\All Users\Application Data\TEMP
2009-10-28 14:53 . 2006-06-14 13:03 -------- d-----w- e:\program files\Common Files\InstallShield
2009-10-28 14:53 . 2007-04-27 14:20 -------- d--h--w- e:\program files\InstallShield Installation Information
2009-10-27 16:56 . 2008-09-17 19:16 -------- d-----w- e:\program files\AVG
2009-09-30 15:06 . 2006-07-19 14:02 -------- d-----w- e:\program files\Java
2009-09-11 14:18 . 2004-08-04 12:00 136192 ----a-w- e:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2009-11-02 00:46 38224 ----a-w- e:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-11-02 00:46 19160 ----a-w- e:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2004-08-04 12:00 58880 ----a-w- e:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2004-08-04 12:00 832512 ------w- e:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 12:00 78336 ----a-w- e:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-04 12:00 17408 ------w- e:\windows\system32\corpol.dll
2009-08-26 08:00 . 2004-08-04 12:00 247326 ----a-w- e:\windows\system32\strmdll.dll
2009-08-18 20:45 . 2006-06-14 15:31 31200 ----a-w- e:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-30 12:39 . 2009-07-30 12:39 16434 ----a-w- e:\program files\Common Files\kijedudo.pif
2009-07-30 12:39 . 2009-07-30 12:39 15968 ----a-w- e:\program files\Common Files\feqinuvoso.sys
2009-07-30 12:39 . 2009-07-30 12:39 14247 ----a-w- e:\program files\Common Files\kovogobydy.pif
2009-07-29 21:06 . 2009-07-29 21:06 10382 ----a-w- e:\program files\Common Files\esyb.lib
2009-07-29 21:06 . 2009-07-29 21:06 14305 ----a-w- e:\program files\Common Files\icyd.dat
2008-04-04 17:31 . 2008-04-04 17:31 12 ---h--w- e:\program files\SyncToyDirectoryId.txt
2006-08-21 17:51 . 2006-08-21 17:51 774144 ----a-w- e:\program files\RngInterstitial.dll
2008-04-07 06:59 . 2008-06-06 18:21 67696 ----a-w- e:\program files\mozilla firefox\components\jar50.dll
2008-04-07 06:59 . 2008-06-06 18:21 54376 ----a-w- e:\program files\mozilla firefox\components\jsd3250.dll
2008-04-07 06:59 . 2008-06-06 18:21 34952 ----a-w- e:\program files\mozilla firefox\components\myspell.dll
2008-04-07 06:59 . 2008-06-06 18:21 46720 ----a-w- e:\program files\mozilla firefox\components\spellchk.dll
2008-04-07 06:59 . 2008-06-06 18:21 172144 ----a-w- e:\program files\mozilla firefox\components\xpinstal.dll
2009-07-30 00:39 . 2009-07-30 00:39 90112 --sha-w- e:\windows\system32\supiyiha.dll
2009-02-27 21:16 . 2009-02-27 15:15 608 --sha-w- e:\windows\system32\winzvprt5.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D0523BB4-21E7-11DD-9AB7-415B56D89593}"= "e:\program files\My.Freeze.com Toolbar\freeze_us.dll" [2008-11-26 1916024]

[HKEY_CLASSES_ROOT\clsid\{d0523bb4-21e7-11dd-9ab7-415b56d89593}]
[HKEY_CLASSES_ROOT\TBSB00001.TBSB00001.3]
[HKEY_CLASSES_ROOT\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}]
[HKEY_CLASSES_ROOT\TBSB00001.TBSB00001]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D0523BB4-21E7-11DD-9AB7-415B56D89593}"= "e:\program files\My.Freeze.com Toolbar\freeze_us.dll" [2008-11-26 1916024]

[HKEY_CLASSES_ROOT\clsid\{d0523bb4-21e7-11dd-9ab7-415b56d89593}]
[HKEY_CLASSES_ROOT\TBSB00001.TBSB00001.3]
[HKEY_CLASSES_ROOT\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}]
[HKEY_CLASSES_ROOT\TBSB00001.TBSB00001]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPPQVideo"="e:\program files\HP\ScheduledLaunch\HP Color LaserJet CM2320 MFP Series\bin\hppschlnch.exe" [2007-05-07 106496]
"ToolBoxFX"="e:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2008-08-01 53248]
"hpqSRMon"="e:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"HP Software Update"="e:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"SunJavaUpdateSched"="e:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"ccApp"="e:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
"vptray"="e:\progra~1\SYMANT~1\VPTray.exe" [2005-11-15 85744]
"TomcatStartup 2.5"="e:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-11-12 245760]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ 'autocheck autochk *'

[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=e:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=e:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\Messenger\\msmsgs.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"e:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"e:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"e:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 Viewpoint Manager Service;Viewpoint Manager Service;e:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 1:09 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;e:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/1/2009 8:17 PM 102448]
S3 HPFXFAX;HPFXFAX;e:\windows\system32\drivers\hpfxfax.sys [2/27/2009 4:12 PM 20504]
S3 HPPLSBULK;HPPLSBULK;e:\windows\system32\drivers\hpplsbulk.sys [2/2/2005 6:29 PM 9344]
S3 SavRoam;SAVRoam;e:\program files\Symantec AntiVirus\SavRoam.exe [11/15/2005 1:27 PM 169200]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
*Deregistered* - PROCEXP113

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-11-03 e:\windows\Tasks\Norton Security Scan for User.job
- e:\program files\Norton Security Scan\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-07-24 23:58]

2009-11-02 e:\windows\Tasks\SyncToy.job
- e:\documents and settings\User\Local Settings\Application Data\SyncToy\SyncToy.exe [2006-10-25 14:04]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
IE: &Search
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: cnet.com\download
Trusted Zone: download.com
TCP: {5A4E1FE6-CF08-444B-930B-5F8DE5D18886} = 208.67.222.222,208.67.220.220
DPF: {1896F800-6EFB-422F-A04B-AA7D44D9A4A9} - hxxp://24.144.169.244:8000/WebClient.cab
FF - ProfilePath - e:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\3z0cuiwe.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - e:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-03 14:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3380)
e:\windows\system32\WININET.dll
e:\windows\system32\IEFRAME.dll
.
Completion time: 2009-11-03 14:32
ComboFix-quarantined-files.txt 2009-11-03 19:30
ComboFix2.txt 2009-11-03 18:08

Pre-Run: 25,405,747,200 bytes free
Post-Run: 25,396,150,272 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
e:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

#6
Rosty

    Advanced Member

  • Trusted Advisors
  • PipPipPip
  • 126 posts
  • Gender:Male
  • Location:Belgium
  • Interests:Skydiving and helping others with PC problems!!
And a new Hijackthis please?

Quote

Post a new HijackThis log also please!
Please do not shutdown or reboot your machine until we have reviewed the log.

#7
strwlf

    New Member

  • Members
  • Pip
  • 7 posts

Rosty, on Nov 3 2009, 03:51 PM, said:

And a new Hijackthis please?

Sorry about that. Here it is:


ComboFix 09-11-02.05 - User 11/03/2009 14:47.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1247.697 [GMT -5:00]
Running from: e:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: e:\documents and settings\User\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((( Files Created from 2009-10-03 to 2009-11-03 )))))))))))))))))))))))))))))))
.

2009-11-02 17:12 . 2009-11-02 17:12 -------- d-----w- e:\program files\Trend Micro
2009-11-02 00:52 . 2009-11-02 00:52 -------- d-----w- e:\documents and settings\User\Local Settings\Application Data\Symantec
2009-11-02 00:51 . 2005-09-17 05:20 87768 ----a-w- e:\windows\system32\S32EVNT1.DLL
2009-11-02 00:51 . 2005-09-17 05:20 108168 ----a-w- e:\windows\system32\drivers\SYMEVENT.SYS
2009-11-02 00:49 . 2009-11-02 02:58 -------- d-----w- e:\program files\Symantec
2009-11-02 00:48 . 2009-11-03 19:51 -------- d-----w- e:\program files\Symantec AntiVirus
2009-10-29 18:43 . 2009-10-30 13:09 342304 --sha-w- e:\windows\system32\drivers\fidbox.dat
2009-10-29 18:43 . 2009-10-30 13:09 22560 --sha-w- e:\windows\system32\drivers\fidbox2.dat
2009-10-29 18:36 . 2009-10-29 19:11 -------- d-----w- e:\program files\Common Files\ParetoLogic
2009-10-29 18:36 . 2009-10-29 19:11 -------- d-----w- e:\documents and settings\All Users\Application Data\ParetoLogic
2009-10-28 20:44 . 2009-10-28 20:44 -------- d-----w- e:\documents and settings\User\Local Settings\Application Data\Threat Expert
2009-10-28 20:29 . 2009-10-08 15:31 1636304 ----a-w- e:\windows\PCTBDCore.dll
2009-10-28 20:24 . 2009-10-29 14:49 -------- d-----w- e:\program files\Spyware Doctor
2009-10-28 20:24 . 2009-10-29 14:49 -------- d-----w- e:\program files\Common Files\PC Tools
2009-10-27 16:56 . 2009-10-29 14:19 -------- d-----w- e:\documents and settings\All Users\Application Data\avg9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-02 01:48 . 2008-05-29 15:49 -------- d-----w- e:\program files\Common Files\Symantec Shared
2009-11-02 00:49 . 2009-07-24 22:00 -------- d-----w- e:\documents and settings\All Users\Application Data\Symantec
2009-11-02 00:46 . 2009-10-29 19:18 -------- d-----w- e:\program files\Malwarebytes' Anti-Malware
2009-11-02 00:20 . 2009-11-02 00:20 -------- d-----w- e:\program files\Windows Resource Kits
2009-11-02 00:11 . 2009-11-02 00:11 -------- d-----w- e:\program files\Windows Resource Kit
2009-11-01 18:39 . 2006-07-14 18:34 -------- d-----w- e:\program files\Viewpoint
2009-10-30 13:31 . 2009-10-29 19:22 -------- d-----w- e:\documents and settings\User\Application Data\SUPERAntiSpyware.com
2009-10-30 13:09 . 2009-10-29 18:43 5660 --sha-w- e:\windows\system32\drivers\fidbox.idx
2009-10-30 13:09 . 2009-10-29 18:43 3188 --sha-w- e:\windows\system32\drivers\fidbox2.idx
2009-10-29 19:22 . 2009-10-29 19:22 -------- d-----w- e:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-29 14:48 . 2008-07-23 17:38 -------- d---a-w- e:\documents and settings\All Users\Application Data\TEMP
2009-10-28 14:53 . 2006-06-14 13:03 -------- d-----w- e:\program files\Common Files\InstallShield
2009-10-28 14:53 . 2007-04-27 14:20 -------- d--h--w- e:\program files\InstallShield Installation Information
2009-10-27 16:56 . 2008-09-17 19:16 -------- d-----w- e:\program files\AVG
2009-09-30 15:06 . 2006-07-19 14:02 -------- d-----w- e:\program files\Java
2009-09-11 14:18 . 2004-08-04 12:00 136192 ----a-w- e:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2009-11-02 00:46 38224 ----a-w- e:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-11-02 00:46 19160 ----a-w- e:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2004-08-04 12:00 58880 ----a-w- e:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2004-08-04 12:00 832512 ------w- e:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 12:00 78336 ----a-w- e:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-04 12:00 17408 ------w- e:\windows\system32\corpol.dll
2009-08-26 08:00 . 2004-08-04 12:00 247326 ----a-w- e:\windows\system32\strmdll.dll
2009-08-18 20:45 . 2006-06-14 15:31 31200 ----a-w- e:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-30 12:39 . 2009-07-30 12:39 16434 ----a-w- e:\program files\Common Files\kijedudo.pif
2009-07-30 12:39 . 2009-07-30 12:39 15968 ----a-w- e:\program files\Common Files\feqinuvoso.sys
2009-07-30 12:39 . 2009-07-30 12:39 14247 ----a-w- e:\program files\Common Files\kovogobydy.pif
2009-07-29 21:06 . 2009-07-29 21:06 10382 ----a-w- e:\program files\Common Files\esyb.lib
2009-07-29 21:06 . 2009-07-29 21:06 14305 ----a-w- e:\program files\Common Files\icyd.dat
2008-04-04 17:31 . 2008-04-04 17:31 12 ---h--w- e:\program files\SyncToyDirectoryId.txt
2006-08-21 17:51 . 2006-08-21 17:51 774144 ----a-w- e:\program files\RngInterstitial.dll
2008-04-07 06:59 . 2008-06-06 18:21 67696 ----a-w- e:\program files\mozilla firefox\components\jar50.dll
2008-04-07 06:59 . 2008-06-06 18:21 54376 ----a-w- e:\program files\mozilla firefox\components\jsd3250.dll
2008-04-07 06:59 . 2008-06-06 18:21 34952 ----a-w- e:\program files\mozilla firefox\components\myspell.dll
2008-04-07 06:59 . 2008-06-06 18:21 46720 ----a-w- e:\program files\mozilla firefox\components\spellchk.dll
2008-04-07 06:59 . 2008-06-06 18:21 172144 ----a-w- e:\program files\mozilla firefox\components\xpinstal.dll
2009-07-30 00:39 . 2009-07-30 00:39 90112 --sha-w- e:\windows\system32\supiyiha.dll
2009-02-27 21:16 . 2009-02-27 15:15 608 --sha-w- e:\windows\system32\winzvprt5.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D0523BB4-21E7-11DD-9AB7-415B56D89593}"= "e:\program files\My.Freeze.com Toolbar\freeze_us.dll" [2008-11-26 1916024]

[HKEY_CLASSES_ROOT\clsid\{d0523bb4-21e7-11dd-9ab7-415b56d89593}]
[HKEY_CLASSES_ROOT\TBSB00001.TBSB00001.3]
[HKEY_CLASSES_ROOT\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}]
[HKEY_CLASSES_ROOT\TBSB00001.TBSB00001]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D0523BB4-21E7-11DD-9AB7-415B56D89593}"= "e:\program files\My.Freeze.com Toolbar\freeze_us.dll" [2008-11-26 1916024]

[HKEY_CLASSES_ROOT\clsid\{d0523bb4-21e7-11dd-9ab7-415b56d89593}]
[HKEY_CLASSES_ROOT\TBSB00001.TBSB00001.3]
[HKEY_CLASSES_ROOT\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}]
[HKEY_CLASSES_ROOT\TBSB00001.TBSB00001]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPPQVideo"="e:\program files\HP\ScheduledLaunch\HP Color LaserJet CM2320 MFP Series\bin\hppschlnch.exe" [2007-05-07 106496]
"ToolBoxFX"="e:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2008-08-01 53248]
"hpqSRMon"="e:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"HP Software Update"="e:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"SunJavaUpdateSched"="e:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"ccApp"="e:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
"vptray"="e:\progra~1\SYMANT~1\VPTray.exe" [2005-11-15 85744]
"TomcatStartup 2.5"="e:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-11-12 245760]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ 'autocheck autochk *'

[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=e:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=e:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\Messenger\\msmsgs.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"e:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"e:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"e:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 Viewpoint Manager Service;Viewpoint Manager Service;e:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 1:09 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;e:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/1/2009 8:17 PM 102448]
S3 HPFXFAX;HPFXFAX;e:\windows\system32\drivers\hpfxfax.sys [2/27/2009 4:12 PM 20504]
S3 HPPLSBULK;HPPLSBULK;e:\windows\system32\drivers\hpplsbulk.sys [2/2/2005 6:29 PM 9344]
S3 SavRoam;SAVRoam;e:\program files\Symantec AntiVirus\SavRoam.exe [11/15/2005 1:27 PM 169200]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
*Deregistered* - PROCEXP113

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-11-03 e:\windows\Tasks\Norton Security Scan for User.job
- e:\program files\Norton Security Scan\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-07-24 23:58]

2009-11-02 e:\windows\Tasks\SyncToy.job
- e:\documents and settings\User\Local Settings\Application Data\SyncToy\SyncToy.exe [2006-10-25 14:04]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
IE: &Search
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: cnet.com\download
Trusted Zone: download.com
TCP: {5A4E1FE6-CF08-444B-930B-5F8DE5D18886} = 208.67.222.222,208.67.220.220
DPF: {1896F800-6EFB-422F-A04B-AA7D44D9A4A9} - hxxp://24.144.169.244:8000/WebClient.cab
FF - ProfilePath - e:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\3z0cuiwe.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - e:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-03 14:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2009-11-03 14:58
ComboFix-quarantined-files.txt 2009-11-03 19:56
ComboFix2.txt 2009-11-03 19:32
ComboFix3.txt 2009-11-03 18:08

Pre-Run: 25,403,375,616 bytes free
Post-Run: 25,393,557,504 bytes free

#8
strwlf

    New Member

  • Members
  • Pip
  • 7 posts
Good grief, I just now realized my error. Okay, let's try this again.
Here's the HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:12:18 PM, on 11/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Symantec AntiVirus\DefWatch.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Symantec AntiVirus\Rtvscan.exe
E:\Program Files\Viewpoint\Common\ViewpointService.exe
E:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
E:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
E:\Program Files\HP\HP Software Update\HPWuSchd2.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\PROGRA~1\SYMANT~1\VPTray.exe
E:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
E:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
E:\WINDOWS\explorer.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - E:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O3 - Toolbar: My.Freeze.com Toolbar - {D0523BB4-21E7-11DD-9AB7-415B56D89593} - E:\Program Files\My.Freeze.com Toolbar\freeze_us.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - E:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.9.0\IEViewBar.dll
O4 - HKLM\..\Run: [HPPQVideo] "E:\Program Files\HP\ScheduledLaunch\HP Color LaserJet CM2320 MFP Series\bin\hppschlnch.exe" -r SOFTWARE\Hewlett-Packard\ScheduledLaunch\CLJ_CM2320_MFP_Series -f PQOptimizerVideo.xml -o remindLater
O4 - HKLM\..\Run: [ToolBoxFX] "E:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /fl:on /fr:on /appData:on /tmcp:on
O4 - HKLM\..\Run: [hpqSRMon] E:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [HP Software Update] E:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] E:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TomcatStartup 2.5] E:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] E:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~2.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" -"http://www.king.com/single_play.jsp?game=magicspinball&altVer=false&gameMode=2"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.cnet.com
O15 - Trusted Zone: http://*.download.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {1896F800-6EFB-422F-A04B-AA7D44D9A4A9} (ATI Web DVR Control) - http://24.144.169.24...0/WebClient.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://www.worldwinn...jattack/bja.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A4E1FE6-CF08-444B-930B-5F8DE5D18886}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - E:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - E:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - E:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - E:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6983 bytes

#9
Rosty

    Advanced Member

  • Trusted Advisors
  • PipPipPip
  • 126 posts
  • Gender:Male
  • Location:Belgium
  • Interests:Skydiving and helping others with PC problems!!
How are things running now?

#10
strwlf

    New Member

  • Members
  • Pip
  • 7 posts
Well, everything seems to be okay except that I still can't see anything outside of my local router. I can ping the router and any other computer on the network, but I can't ping, say, google.com or yahoo.com.
I've been looking through everything but can't find anything glaringly wrong. Any thoughts?

#11
Rosty

    Advanced Member

  • Trusted Advisors
  • PipPipPip
  • 126 posts
  • Gender:Male
  • Location:Belgium
  • Interests:Skydiving and helping others with PC problems!!
Have you tried to reset your modem yet?

#12
strwlf

    New Member

  • Members
  • Pip
  • 7 posts
I tried that and about 100 other things.
My problem is solved now...sort of. :)
After getting the system free of whatever bug was on there and spending hours trying to solve the internet issue, my hard drive went down. I just swapped it out with another one and have started to install Windows.
Thank you for all of your help and time.
Seeing as I don't require any assistance with my problem anymore I guess you can kill this topic.
Thanks again.

#13
Rosty

    Advanced Member

  • Trusted Advisors
  • PipPipPip
  • 126 posts
  • Gender:Male
  • Location:Belgium
  • Interests:Skydiving and helping others with PC problems!!
You're welcome.

May I give you some last advice from my side.

  • Clean out Temporary Files etc.
    This program is for Vista, XP and Windows 2000 only
    Please download ATF Cleaner by Atribune.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All. Then remove the check mark for cookies
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
    • Remove the check mark for Cookies
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt if asked.
    If you use Opera browser
    • Click Opera at the top and choose: Select All.
    • Remove the check mark for Cookies
    • Click the Empty Selected button.
    It is a good idea to do this every few weeks as a lot of junk collects there over time.


  • Create a new, clean System Restore point which you can use in case of future system problems:
    Press Start->All Programs->Accessories->System Tools->System Restore
    Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close

    Now remove old, infected System Restore points:
    Next click Start->Run and type cleanmgr in the box and press OK
    Ensure the boxes for Temporary Files and Temporary Internet Files are checked, you can choose to check other boxes if you wish but they are not required.
    Select the More Options tab, under System Restore press Clean up... and say Yes to the prompt
    Press OK and Yes to confirm


  • Set correct settings for files that should be hidden in Windows XP
    • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
    • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
    • If unchecked, please check Hide protected operating system files (Recommended)
    • If necessary check "Display content of system folders"
    • If necessary Uncheck Hide file extensions for known file types.
    • Click OK

  • Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program. If you want to help the developer of the program and get more information about the programs that you see in WinPatrol, please check out WinPatrol Plus. It does not need a new download.

  • Download and install the free version of Malwarebytes' Anti-Malware to your desktop. Check for the latest updates and perform a full system scan. This is an on-demand scanner and runs very well with Winpatrol.

  • If you are using Internet Explorer v. 7 please read and follow the recommendations at this site. http://surfthenetsaf.../ieseczone8.htm


  • Use Anti-Virus Software - It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

  • Update your Anti-Virus Software - It is imperative that you update your anti-virus software at least a few times a week (once a day is a good idea). If you do not update your anti-virus software, it will not be able to catch new variants that come out.

  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. Windows Firewall is not recommended.
    Be restrictive with granting access to the Internet. If you are unsure if the program really needs the access, test it by denying the access and see if this has any negative effects. If not, make the block permanent.

  • Never run two Antivirus programs or two Firewalls at the same time. They can interfere with each other and cause problems.

  • Visit Microsoft's Windows Update site frequently, or better yet set your computer for automatic updates.

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

  • Read and follow the suggestions given at this web site by Miekiemoes http://users.telenet.be/bluepatchy/miekiem...prevention.html that will give you more information on some of the points above.


  • Please check out Tony Klein's article "How did I get infected in the first place?"
Follow this list and your potential for being infected again will reduce dramatically. (prevention speech by Elrond)



Regards,

Rosty.
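The folder-view settings in the "files that should be hidden" step above are stored by Explorer as registry values, so they can be audited without clicking through the dialog. The following PowerShell is an added example, not part of Rosty's post; it assumes it runs in the session of the user being checked (so HKCU is that user's profile) and uses the documented Explorer value names Hidden, ShowSuperHidden and HideFileExt.

```powershell
# Added example (not from the original post): audits the Explorer view
# settings recommended in the post by reading the registry values Explorer
# stores them in, and reports any that differ from the recommended state.
# Assumption: run as the user whose profile is being checked (HKCU).
# Value meanings (documented Explorer settings):
#   Hidden          1 = show hidden files/folders, 2 = do not show  (recommended: 2)
#   ShowSuperHidden 1 = show protected OS files,   0 = hide          (recommended: 0)
#   HideFileExt     1 = hide known extensions,     0 = show          (recommended: 0)
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

$recommended = @{
    Hidden          = 2
    ShowSuperHidden = 0
    HideFileExt     = 0
}

function Get-ExplorerViewAudit {
    # One row per setting; Actual is $null when the value has never been written.
    $current = Get-ItemProperty -Path $advanced
    foreach ($name in $recommended.Keys) {
        $actual = $current.$name
        [pscustomobject]@{
            Setting     = $name
            Recommended = $recommended[$name]
            Actual      = $actual
            Compliant   = ($actual -eq $recommended[$name])
        }
    }
}

function Set-ExplorerViewRecommended {
    # Writes the recommended values; Explorer applies them the same way the
    # Folder Options dialog does, after the shell restarts (log off and on).
    foreach ($name in $recommended.Keys) {
        Set-ItemProperty -Path $advanced -Name $name -Value $recommended[$name] -Type DWord
    }
}

Get-ExplorerViewAudit | Format-Table -AutoSize
# To apply the recommended settings, run: Set-ExplorerViewRecommended
```

Any row with Compliant = False is a setting that still hides extensions or protected files from you, which is exactly what the manual steps above are meant to correct.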




