Security Tool, Advanced Virus Protector etc etc
Malwarebytes Forum > Computer Help > Malware Removal - HijackThis Logs
Terrawind
I posted this once but am having to try again. I have a Security Tool issue as well as a few others. This is on a work computer and I'll probably get blamed for it even though it was the shift before me. That's trivial, however. In trying to follow people with other problems regarding ST, I can't get ComboFix to run. It gives me a "date error 11-17-2009" when I try to run it. Aside from that, I disabled Symantec previously.

Task Manager gets grayed out and has a myriad of processes after I go to services.msc and enable it. I was wondering if there was any help for this computer at all? I also ran exeHelper and lost the first log, but I'll post the second log.

This is from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:25:38 AM, on 11/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HPQ\IAM\bin\asghost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Compaq\SetRefresh\setrefresh.exe
C:\Program Files\Common Files\Symantec Shared\ccapp.exe
C:\Program Files\Common Files\Symantec Shared\ccapp .exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\Intel\AMT\atchk.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe
C:\PROGRA~1\SYMANT~1\vptray .exe
C:\Program Files\Analog Devices\Core\smax4pnp .exe
C:\Program Files\Analog Devices\SoundMAX\smax4 .exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxtray .exe
C:\WINDOWS\system32\hkcmd .exe
C:\WINDOWS\system32\igfxpers .exe
C:\Program Files\Intel\AMT\atchk.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\WINDOWS\system32\winupdate86.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\wxasc.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\notepad.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\wxasc.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\wxasc .exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\notepad.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\notepad .exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F14C08.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F17BE2.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F1EBD2.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F1816F.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\wxasc .exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_a00f17be2.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\notepad .exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F1871D.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_a00f17be2 .exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\wxasc .exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\notepad .exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_a00f14c08 .exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F1ED78.exe
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F187E8.exe
C:\Documents and Settings\OPERA\rundll32.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_a00f1ed78.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_a00f1816f.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F18DD3.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\notepad .exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_a00f1871d.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\wxasc .exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_a00f1ed78 .exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_a00f1816f .exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F1944C.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_a00f1871d .exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\notepad .exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\wxasc .exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_a00f1ebd2 .exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F193FD.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F19323.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F1DE16.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F3B76A.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F3B5A5.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F3B5F3.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F3B77A.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F3B7E7.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F3B7D7.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F3C489.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F3C516.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_a00f187e8.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_a00f1816f.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_a00f18dd3.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_a00f19323.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F3C66E.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00FF9ACF.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\notepad .exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_a00f3b76a.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_a00f1944c.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_a00f193fd.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_a00f3b5a5.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_a00f1de16.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\wxasc .exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_a00f1816f .exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_a00f187e8 .exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_a00f18dd3 .exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_a00f3b5f3.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_a00f3b7e7.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_a00f3b77a.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_a00f3b5a5 .exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_a00f19323 .exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\notepad .exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_a00f3b76a .exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_a00f1944c .exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_a00f3c489.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_a00f3b7d7.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_a00f3c516.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_a00f3c66e.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_a00f1de16 .exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_a00f193fd .exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_a00f3b77a .exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_a00f3b7e7 .exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_a00f3b5f3 .exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\wxasc .exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_a00f3c489 .exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_a00f3b7d7 .exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_a00f3c66e .exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\_a00f3c516 .exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\notepad .exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\notepad .exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\wxasc .exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\wxasc .exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\wxasc .exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\wxasc .exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\wxasc .exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\wxasc .exe
C:\Program Files\Intel\AMT\UNS.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
C:\DOCUME~1\OPERA\LOCALS~1\Temp\drweb.exe
C:\Program Files\Adobe\acrotray.exe
C:\Program Files\Adobe\acrotray.exe
C:\Program Files\Adobe\acrotray .exe
C:\Program Files\Adobe\acrotray .exe
C:\Program Files\Compaq\SetRefresh\setrefresh.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\winupdate86.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.chwwebapps.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
O1 - Hosts: 64.86.17.56 google.ae
O1 - Hosts: 64.86.17.56 google.as
O1 - Hosts: 64.86.17.56 google.at
O1 - Hosts: 64.86.17.56 google.az
O1 - Hosts: 64.86.17.56 google.ba
O1 - Hosts: 64.86.17.56 google.be
O1 - Hosts: 64.86.17.56 google.bg
O1 - Hosts: 64.86.17.56 google.bs
O1 - Hosts: 64.86.17.56 google.ca
O1 - Hosts: 64.86.17.56 google.cd
O1 - Hosts: 64.86.17.56 google.com.gh
O1 - Hosts: 64.86.17.56 google.com.hk
O1 - Hosts: 64.86.17.56 google.com.jm
O1 - Hosts: 64.86.17.56 google.com.mx
O1 - Hosts: 64.86.17.56 google.com.my
O1 - Hosts: 64.86.17.56 google.com.na
O1 - Hosts: 64.86.17.56 google.com.nf
O1 - Hosts: 64.86.17.56 google.com.ng
O1 - Hosts: 64.86.17.56 google.ch
O1 - Hosts: 64.86.17.56 google.com.np
O1 - Hosts: 64.86.17.56 google.com.pr
O1 - Hosts: 64.86.17.56 google.com.qa
O1 - Hosts: 64.86.17.56 google.com.sg
O1 - Hosts: 64.86.17.56 google.com.tj
O1 - Hosts: 64.86.17.56 google.com.tw
O1 - Hosts: 64.86.17.56 google.dj
O1 - Hosts: 64.86.17.56 google.de
O1 - Hosts: 64.86.17.56 google.dk
O1 - Hosts: 64.86.17.56 google.dm
O1 - Hosts: 64.86.17.56 google.ee
O1 - Hosts: 64.86.17.56 google.fi
O1 - Hosts: 64.86.17.56 google.fm
O1 - Hosts: 64.86.17.56 google.fr
O1 - Hosts: 64.86.17.56 google.ge
O1 - Hosts: 64.86.17.56 google.gg
O1 - Hosts: 64.86.17.56 google.gm
O1 - Hosts: 64.86.17.56 google.gr
O1 - Hosts: 64.86.17.56 google.ht
O1 - Hosts: 64.86.17.56 google.ie
O1 - Hosts: 64.86.17.56 google.im
O1 - Hosts: 64.86.17.56 google.in
O1 - Hosts: 64.86.17.56 google.it
O1 - Hosts: 64.86.17.56 google.ki
O1 - Hosts: 64.86.17.56 google.la
O1 - Hosts: 64.86.17.56 google.li
O1 - Hosts: 64.86.17.56 google.lv
O1 - Hosts: 64.86.17.56 google.ma
O1 - Hosts: 64.86.17.56 google.ms
O1 - Hosts: 64.86.17.56 google.mu
O1 - Hosts: 64.86.17.56 google.mw
O1 - Hosts: 64.86.17.56 google.nl
O1 - Hosts: 64.86.17.56 google.no
O1 - Hosts: 64.86.17.56 google.nr
O1 - Hosts: 64.86.17.56 google.nu
O1 - Hosts: 64.86.17.56 google.pl
O1 - Hosts: 64.86.17.56 google.pn
O1 - Hosts: 64.86.17.56 google.pt
O1 - Hosts: 64.86.17.56 google.ro
O1 - Hosts: 64.86.17.56 google.ru
O1 - Hosts: 64.86.17.56 google.rw
O1 - Hosts: 64.86.17.56 google.sc
O1 - Hosts: 64.86.17.56 google.se
O1 - Hosts: 64.86.17.56 google.sh
O1 - Hosts: 64.86.17.56 google.si
O1 - Hosts: 64.86.17.56 google.sm
O1 - Hosts: 64.86.17.56 google.sn
O1 - Hosts: 64.86.17.56 google.st
O1 - Hosts: 64.86.17.56 google.tl
O1 - Hosts: 64.86.17.56 google.tm
O1 - Hosts: 64.86.17.56 google.tt
O1 - Hosts: 64.86.17.56 google.us
O1 - Hosts: 64.86.17.56 google.vu
O1 - Hosts: 64.86.17.56 google.ws
O1 - Hosts: 64.86.17.56 google.co.ck
O1 - Hosts: 64.86.17.56 google.co.id
O1 - Hosts: 64.86.17.56 google.co.il
O1 - Hosts: 64.86.17.56 google.co.in
O1 - Hosts: 64.86.17.56 google.co.jp
O1 - Hosts: 64.86.17.56 google.co.kr
O1 - Hosts: 64.86.17.56 google.co.ls
O1 - Hosts: 64.86.17.56 google.co.ma
O1 - Hosts: 64.86.17.56 google.co.nz
O1 - Hosts: 64.86.17.56 google.co.tz
O1 - Hosts: 64.86.17.56 google.co.ug
O1 - Hosts: 64.86.17.56 google.co.uk
O1 - Hosts: 64.86.17.56 google.co.za
O1 - Hosts: 64.86.17.56 google.co.zm
O1 - Hosts: 64.86.17.56 google.com
O1 - Hosts: 64.86.17.56 google.com.af
O2 - BHO: C:\WINDOWS\system32\r6gjrtbe7.dll - {B45A4B16-23F2-41AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\r6gjrtbe7.dll
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\smax4 .exe" /tray
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [atchk] "C:\Program Files\Intel\AMT\atchk.exe"
O4 - HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe
O4 - HKLM\..\Run: [ladozahome] Rundll32.exe "gafiseze.dll",s
O4 - HKLM\..\Run: [lotonawup] Rundll32.exe "c:\windows\system32\bogopani.dll",a
O4 - HKLM\..\Run: [deiywmnd] C:\Documents and Settings\OPERA\Local Settings\Application Data\wqronr\ckbisysguard.exe
O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [A00F1A07E2C5.exe] C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F1A07E2C5.exe
O4 - HKCU\..\Run: [jsh87r3huiehf89esiudgd] C:\DOCUME~1\OPERA\LOCALS~1\Temp\wxasc .exe
O4 - HKCU\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\OPERA\LOCALS~1\Temp\drweb.exe
O4 - HKCU\..\Run: [A00F15186.exe] C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F15186.exe
O4 - HKCU\..\Run: [A00F14C08.exe] C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F14C08.exe
O4 - HKCU\..\Run: [A00F17BE2.exe] C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F17BE2.exe
O4 - HKCU\..\Run: [A00F1EBD2.exe] C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F1EBD2.exe
O4 - HKCU\..\Run: [A00F1816F.exe] C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F1816F.exe
O4 - HKCU\..\Run: [A00F1871D.exe] C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F1871D.exe
O4 - HKCU\..\Run: [A00F1ED78.exe] C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F1ED78.exe
O4 - HKCU\..\Run: [A00F187E8.exe] C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F187E8.exe
O4 - HKCU\..\Run: [A00F18DD3.exe] C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F18DD3.exe
O4 - HKCU\..\Run: [A00F1944C.exe] C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F1944C.exe
O4 - HKCU\..\Run: [A00F193FD.exe] C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F193FD.exe
O4 - HKCU\..\Run: [A00F19323.exe] C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F19323.exe
O4 - HKCU\..\Run: [A00F1DE16.exe] C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F1DE16.exe
O4 - HKCU\..\Run: [A00F3B76A.exe] C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F3B76A.exe
O4 - HKCU\..\Run: [A00F3B5A5.exe] C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F3B5A5.exe
O4 - HKCU\..\Run: [A00F3B5F3.exe] C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F3B5F3.exe
O4 - HKCU\..\Run: [A00F3B77A.exe] C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F3B77A.exe
O4 - HKCU\..\Run: [A00F3B7E7.exe] C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F3B7E7.exe
O4 - HKCU\..\Run: [A00F3B7D7.exe] C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F3B7D7.exe
O4 - HKCU\..\Run: [A00F3C489.exe] C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F3C489.exe
O4 - HKCU\..\Run: [A00F3C516.exe] C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F3C516.exe
O4 - HKCU\..\Run: [A00F3C66E.exe] C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F3C66E.exe
O4 - HKCU\..\Run: [A00FF9ACF.exe] C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00FF9ACF.exe
O4 - HKCU\..\Run: [A00F139C8.exe] C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F139C8.exe
O4 - HKCU\..\Run: [A00F16145.exe] C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F16145.exe
O4 - HKCU\..\Run: [A00F16443.exe] C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F16443.exe
O4 - HKCU\..\Run: [A00F1A311.exe] C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F1A311.exe
O4 - HKCU\..\Run: [A00F1B774.exe] C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F1B774.exe
O4 - HKCU\..\Run: [A00F1B4F3.exe] C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F1B4F3.exe
O4 - HKCU\..\Run: [A00F1B503.exe] C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F1B503.exe
O4 - HKCU\..\Run: [A00F1B706.exe] C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F1B706.exe
O4 - HKCU\..\Run: [A00F1B735.exe] C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F1B735.exe
O4 - HKCU\..\Run: [A00F1B745.exe] C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F1B745.exe
O4 - HKCU\..\Run: [A00F1B754.exe] C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F1B754.exe
O4 - HKCU\..\Run: [A00F1B793.exe] C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F1B793.exe
O4 - HKCU\..\Run: [A00F1B7A2.exe] C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F1B7A2.exe
O4 - HKCU\..\Run: [A00F1BC56.exe] C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F1BC56.exe
O4 - HKCU\..\Run: [A00F1BE59.exe] C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F1BE59.exe
O4 - HKCU\..\Run: [AsusUpd.exe] AsusUpd.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [deiywmnd] C:\Documents and Settings\OPERA\Local Settings\Application Data\wqronr\ckbisysguard.exe
O4 - HKUS\S-1-5-19\..\Run: [ladozahome] Rundll32.exe "gafiseze.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ladozahome] Rundll32.exe "gafiseze.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AntiVirus Plus] "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\OPERA\Application Data\AntiVirus Plus\AntiVirus Plus.70367201.dll", start 70367201 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AntiVirus Plus] "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\OPERA\Application Data\AntiVirus Plus\AntiVirus Plus.70367201.dll", start 70367201 (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\winhelper86.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winhelper86.dll
O15 - Trusted Zone: http://www.chwwebapps.com
O16 - DPF: {4E1318B0-53F0-4274-99FB-F5621625340D} (OperaPrintControl Object) - http://10.38.250.20:4400/installOperaPrintCtrl.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194964186671
O16 - DPF: {CAFECAFE-0013-0001-0025-ABCDEFABCDEF} (JInitiator 1.3.1.25) -
O16 - DPF: {DAAC8ECF-DB09-4821-8126-E2C9499A20BA} (RegTerminalSrv Object) - http://10.38.250.20:4400/installregterm.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://microsinc.webex.com/client/T26L/support/ieatgpc.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DFADC5A-81D8-40E0-B713-DE6D17587012}: Domain = amer.carlson.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DFADC5A-81D8-40E0-B713-DE6D17587012}: NameServer = 77.74.48.113
O17 - HKLM\System\CS1\Services\Tcpip\..\{7DFADC5A-81D8-40E0-B713-DE6D17587012}: Domain = amer.carlson.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{7DFADC5A-81D8-40E0-B713-DE6D17587012}: NameServer = 77.74.48.113
O17 - HKLM\System\CS2\Services\Tcpip\..\{7DFADC5A-81D8-40E0-B713-DE6D17587012}: Domain = amer.carlson.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{7DFADC5A-81D8-40E0-B713-DE6D17587012}: NameServer = 77.74.48.113
O18 - Filter hijack: text/html - {72079ea8-5e0c-4fcf-a22d-c1aeb827beb3} - C:\WINDOWS\batmeter16.dll
O20 - AppInit_DLLs: c:\windows\system32\bogopani.dll,vanumege.dll
O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
O20 - Winlogon Notify: __c007AC08 - C:\WINDOWS\system32\__c007AC08.dat
O21 - SSODL: vurezomim - {21f46e38-aa2d-45c2-be75-a3c3ceb114aa} - c:\windows\system32\bogopani.dll
O22 - SharedTaskScheduler: jkshf8a3rudbfa873fudfhbdugf87whjdb - {B45A4B16-23F2-41AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\r6gjrtbe7.dll
O22 - SharedTaskScheduler: kupuhivus - {21f46e38-aa2d-45c2-be75-a3c3ceb114aa} - c:\windows\system32\bogopani.dll
O23 - Service: Intel® Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel® Active Management Technology Local Management Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Intel® Active Management Technology User Notification Service (UNS) - Intel - C:\Program Files\Intel\AMT\UNS.exe

--
End of file - 22797 bytes


exeHelper log

exeHelper by Raktor
Build 20091021
Run at 03:38:28 on 11/17/09
Now searching...
Checking for numerical processes...
Killed numerical process 97752030
Deleting file C:\Documents and Settings\All Users\Application Data\97752030\97752030.exe
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\97752030
Killed numerical process 34270521
Deleting file C:\Documents and Settings\All Users\Application Data\34270521\34270521.exe
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\34270521
Killed numerical process 51052013
Deleting file C:\Documents and Settings\All Users\Application Data\51052013\51052013.exe
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\51052013
Killed numerical process 25777432
Deleting file C:\Documents and Settings\All Users\Application Data\25777432\25777432.exe
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\25777432
Killed numerical process 26588635
Deleting file C:\Documents and Settings\All Users\Application Data\26588635\26588635.exe
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\26588635
Killed numerical process 34270521
Killed numerical process 51052013
Killed numerical process 97752030
Killed numerical process 25777432
Killed numerical process 44567834
Deleting file C:\Documents and Settings\All Users\Application Data\44567834\44567834.exe
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\44567834
Killed numerical process 79935134
Deleting file C:\Documents and Settings\All Users\Application Data\79935134\79935134.exe
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\79935134
Killed numerical process 34270521
Killed numerical process 97752030
Killed numerical process 51052013
Killed numerical process 25777432
Killed numerical process 26588635
Killed numerical process 44567834
Killed numerical process 79935134
Killed numerical process 97752030
Killed numerical process 34270521
Killed numerical process 51052013
Killed numerical process 25777432
Killed numerical process 26588635
Killed numerical process 26588635
Killed numerical process 69895643
Deleting file C:\Documents and Settings\All Users\Application Data\69895643\69895643.exe
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\69895643
Checking for bad processes...
Checking for bad files...
Deleting file C:\WINDOWS\system32\41.exe
Deleting file C:\WINDOWS\system32\critical_warning.html
Deleting file C:\WINDOWS\system32\calc.dll
Error deleting C:\WINDOWS\system32\calc.dll
Deleting file C:\Documents and Settings\OPERA\ntuser.dll
Deleting file C:\Documents and Settings\OPERA\Start Menu\Programs\Startup\scandisk.dll
Deleting file C:\Documents and Settings\OPERA\Start Menu\Programs\Startup\scandisk.lnk
Error deleting C:\Documents and Settings\OPERA\Start Menu\Programs\Startup\scandisk.lnk
Checking for bad registry entries...
Removing HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Advanced Virus Remover
Removing HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

exeHelper by Raktor
Build 20091021
Run at 03:46:31 on 11/17/09
Now searching...
Checking for numerical processes...
Killed numerical process 44567834
Killed numerical process 44567834
Killed numerical process 25777432
Killed numerical process 34270521
Killed numerical process 51052013
Killed numerical process 97752030
Killed numerical process 25777432
Killed numerical process 34270521
Killed numerical process 51052013
Killed numerical process 97752030
Checking for bad processes...
Checking for bad files...
Deleting file C:\WINDOWS\system32\calc.dll
Error deleting C:\WINDOWS\system32\calc.dll
Deleting file C:\Documents and Settings\OPERA\ntuser.dll
Error deleting C:\Documents and Settings\OPERA\ntuser.dll
Deleting file C:\Documents and Settings\OPERA\Start Menu\Programs\Startup\scandisk.dll
Deleting file C:\Documents and Settings\OPERA\Start Menu\Programs\Startup\scandisk.lnk
Checking for bad registry entries...
Removing HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--


There are a lot of processes like "wxasc .exe", "notepad .exe", and .exes with numbers and letters.

I sincerely hope that I can get help with this.
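A triage script for a log like the one above, added here as an example and not part of the original post, of HijackThis or of the forum's tools. It parses HijackThis-style lines and flags the indicator classes this infection shows: hosts-file redirection of search engines and "payment" sites to one address, autoruns launched from the user's Temp directory, file names with a space before the extension ("wxasc .exe"), rundll32 given a bare DLL name, the DisableRegedit policy, the unknown Winsock LSP, the text/html filter hijack and AppInit_DLLs. The sample lines are copied from the posted log plus two clean control lines; the regexes, thresholds and reason strings are this example's own assumptions.

```python
"""Triage a HijackThis-style log for the indicator classes seen in this thread.

Added example for this thread, not HijackThis or forum code. The regexes and
thresholds are assumptions chosen for this log; treat hits as leads, not verdicts.
"""
import re
from collections import Counter
from typing import Iterator, List, NamedTuple, Tuple


class Finding(NamedTuple):
    section: str  # HijackThis section code, e.g. "O4"
    reason: str   # why the line was flagged
    line: str     # the log line (or a summary marker)


# Sample lines copied from the log posted above, plus clean control lines
# (ccApp, the OneCard Winlogon package, Rtvscan) that the rules must leave alone.
SAMPLE_LOG = r"""
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 64.86.17.56 google.com
O1 - Hosts: 64.86.17.56 google.co.uk
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ladozahome] Rundll32.exe "gafiseze.dll",s
O4 - HKCU\..\Run: [jsh87r3huiehf89esiudgd] C:\DOCUME~1\OPERA\LOCALS~1\Temp\wxasc .exe
O4 - HKCU\..\Run: [A00F14C08.exe] C:\DOCUME~1\OPERA\LOCALS~1\Temp\_A00F14C08.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Unknown file in Winsock LSP: c:\windows\system32\winhelper86.dll
O18 - Filter hijack: text/html - {72079ea8-5e0c-4fcf-a22d-c1aeb827beb3} - C:\WINDOWS\batmeter16.dll
O20 - AppInit_DLLs: c:\windows\system32\bogopani.dll,vanumege.dll
O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

LINE_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
HOSTS_RE = re.compile(r"^Hosts: (\S+)\s+(\S+)$")
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
# Heuristics (assumptions): where rogue-AV droppers usually live, the
# "name .exe" trick that makes a dropper look like a known process, and
# rundll32 given a bare DLL name that is resolved through the search path.
USER_WRITABLE_RE = re.compile(r"\\(Temp|Application Data|Local Settings)\\", re.I)
SPACE_BEFORE_EXT_RE = re.compile(r"\S \.(exe|dll|com|scr)\b", re.I)
RUNDLL_BARE_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^\\:"\s]+\.dll)"?', re.I)


def parse_lines(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (section, body, line) for each HijackThis entry; skip everything else."""
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), line


def triage(text: str) -> List[Finding]:
    findings: List[Finding] = []
    hosts_per_ip: Counter = Counter()
    for section, body, line in parse_lines(text):
        if section == "O1":
            m = HOSTS_RE.match(body)
            if m and m.group(1) not in LOOPBACK:
                ip, host = m.group(1), m.group(2)
                hosts_per_ip[ip] += 1
                findings.append(Finding(section, f"hosts file points {host} at {ip}", line))
        elif section == "O4":
            if USER_WRITABLE_RE.search(body):
                findings.append(Finding(section, "autorun from a user-writable directory", line))
            if SPACE_BEFORE_EXT_RE.search(body):
                findings.append(Finding(section, "space before extension (masquerades as a known binary)", line))
            m = RUNDLL_BARE_RE.search(body)
            if m:
                findings.append(Finding(section, f"rundll32 loads unqualified DLL {m.group(1)} via the search path", line))
        elif section == "O7":
            findings.append(Finding(section, "policy disabling an admin tool", line))
        elif section == "O10":
            findings.append(Finding(section, "unknown Winsock LSP (sees all socket traffic)", line))
        elif section == "O18":
            findings.append(Finding(section, "MIME filter hijack (can rewrite every HTML page)", line))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            findings.append(Finding(section, "AppInit_DLLs loaded into every process that uses user32", line))
    # The rogue-AV signature: many hostnames funnelled to one attacker address.
    for ip, n in hosts_per_ip.items():
        if n >= 2:
            findings.append(Finding("O1", f"{n} hostnames redirected to {ip}", f"(summary for {ip})"))
    return findings


def summarize(findings: List[Finding]) -> Counter:
    """Count findings per HijackThis section."""
    return Counter(f.section for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.reason}\n    {f.line}")
    print(dict(summarize(triage(SAMPLE_LOG))))
```

The rules only narrow the log; they do not clear it. An entry such as winupdate86.exe sitting in system32 with a plausible name passes every heuristic above and is only caught by checking the file's publisher or hash, so anything the script leaves unflagged still needs a human eye, and the O21/O22 entries with random names are worth the same look.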
Terrawind
Sorry, I forgot to mention: aside from all that, you can't use System Restore either. Group Policy blocked or some such. It will not start at all. Even going to gpedit.msc you just can't get it to work. The only way I could figure out how to run Task Manager was by going to gpedit.msc. When I tried to run Win32kDiag, nothing came up there either. It started the beginning processes, but nothing would show up in the log at all. I'm really sorry for the trouble.
Terrawind
Success to me! Well, as it seems to be the case that Symantec was pretty much disabling everything, and as much as I tried to fix it, it was hard. I couldn't disable Symantec and I still can't. However, I did stop it from being a program that would auto-run upon boot-up in gpedit. This made it easier to get ComboFix downloaded and run. ComboFix cleaned out some of the files that hadn't allowed the computer to run MBAM. After getting the fix with ComboFix I ran MBAM and this is what I got as attachments. The first is the quick scan and the second is the full scan.

So while my internet on that computer isn't working, it seems everything else is in order. So this can be locked or deleted to avoid wasting server or forum space.

I do sincerely want to thank chamber and the people he tried to help with fixing this similar problem. I wouldn't have been able to get anywhere in trying to fix it without the suggestions. THANKIES!
screen317
Hi and welcome to Malwarebytes.

My apologies for the delay. Do you still need help?

-screen317
screen317
Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!