
Confused

Discussion in 'Virus & Other Malware Removal' started by JayZee, Feb 18, 2008.

JayZee (Thread Starter)
Joined: Feb 18, 2008
Messages: 1
    Hello everyone. I'm here hoping to find an answer to my little big problem.
    A month ago I went to visit some family out of the States. As usual, I let my sister use my computer, thinking that she would do what I always ask her to do about safety in cyberspace. Well, to make this short, I will say that when I came back I found a total mess on my computer. She told me she had downloaded some files from the net and that the computer started to act weird. At that moment I knew that there was something wrong with the PC, so I decided to check it out myself. To my surprise, I found like a million bugs running around my PC doing bad stuff to it. :sad:
    So I logged on to another tech forum like this one to explain my situation, but unfortunately the help that I found wasn't that good at all. So I decided to try again in another forum, and this is the one I picked.
    I did some stuff that I was told on the other forum and I got the logs and stuff for you to see. I hope any of you may be able to help me figure out what's going on and, better yet, figure out how to get rid of what I have on my computer.
    Thanks in advance, and these are my logs. :happy:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:43:47 PM, on 2/17/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\a-squared Free\a2service.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\WINDOWS\htpatch.exe
    C:\WINDOWS\System32\sistray.EXE
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Support.com\BellSouth\hcenter.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
    C:\WINDOWS\mrofinu1000106.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
    C:\Program Files\RABCO\X_RABCOse.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = bellsouth.net
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: AT&T Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - Startup: RABCO - Auto Update.lnk = C:\Program Files\RABCO\RABCOse.exe
    O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
    O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: ChatSpace Java Client 4.0.0.320 - http://63.99.211.85/ChatSpace/Java/cms40320.cab
    O16 - DPF: {2CAB81F6-1CBB-49FD-809E-B2D37D0CFFED} - http://www.popmonster.com/control/src/iefeatures.ocx
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1193366371500
    O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
    O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab
    O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - file://D:\games\WebDriverFullInstall.exe
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" -r (file missing)
    O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe





    This is the log from Combofix



    ComboFix 08-02-17.2 - David Estrada 2008-02-18 0:56:48.1 - NTFSx86

    Running from: E:\Temporal\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\khfcyvw.dll
    C:\WINDOWS\system32\mlljj.dll
    C:\Documents and Settings\David Estrada\err.log
    C:\Documents and Settings\David Estrada\ResErrors.log
    C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\NetMon
    C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\NetMon\domains.txt
    C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\NetMon\log.txt
    C:\Program Files\video activex object
    C:\Program Files\video activex object\ot.ico
    C:\Program Files\video activex object\Thumbs.db
    C:\Program Files\video activex object\ts.ico
    C:\Temp\1cb
    C:\Temp\1cb\syscheck.log
    C:\Temp\isgTi19
    C:\Temp\isgTi19\lPig.log
    C:\WINDOWS\mrofinu.exe
    C:\WINDOWS\mrofinu1188.exe
    C:\WINDOWS\system32\a1
    C:\WINDOWS\system32\jjllm.ini
    C:\WINDOWS\system32\jjllm.ini2
    C:\WINDOWS\system32\khfcyvw.dll
    C:\WINDOWS\system32\mlljj.dll
    C:\WINDOWS\system32\p9
    C:\WINDOWS\system32\p9\liopud89104.exe
    C:\WINDOWS\system32\pac.txt
    C:\WINDOWS\system32\v6
    C:\WINDOWS\system32\w11
    C:\WINDOWS\system32\w11\hiba3133.exe
    C:\WINDOWS\uninstall_nmon.vbs
    C:\WINDOWS\Fonts\-

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_CMDSERVICE
    -------\LEGACY_NETWORK_MONITOR


    ((((((((((((((((((((((((( Files Created from 2008-01-18 to 2008-02-18 )))))))))))))))))))))))))))))))
    .

    2008-02-17 20:39 . 2008-02-17 20:39 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
    2008-02-17 20:39 . 2008-02-17 20:39 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
    2008-02-17 20:35 . 2008-02-17 20:35 <DIR> d-------- C:\Program Files\Kaspersky Lab
    2008-02-17 20:35 . 2008-02-18 01:12 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
    2008-02-17 20:35 . 2008-02-18 01:12 1,953,312 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2008-02-17 20:35 . 2008-02-18 01:11 35,872 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
    2008-02-17 20:35 . 2008-02-18 01:10 27,188 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2008-02-17 20:35 . 2008-02-18 01:10 4,412 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
    2008-02-17 20:29 . 2008-02-17 20:29 <DIR> d-------- C:\Program Files\CCleaner
    2008-02-17 19:27 . 2008-02-17 19:27 <DIR> d-------- C:\WINDOWS\0E6AB9FC76C2431B9C066C1CFFFEA8EB.TMP
    2008-02-16 13:57 . 2008-02-16 13:57 <DIR> d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Yahoo!
    2008-02-16 13:54 . 2008-02-16 13:58 <DIR> d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\BLSTOOLBAR
    2008-02-16 13:50 . 2008-02-16 13:50 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Rabio
    2008-02-16 13:49 . 2008-02-16 13:52 <DIR> d-------- C:\Program Files\RABCO
    2008-02-16 13:48 . 2008-02-16 13:48 <DIR> d-------- C:\WINDOWS\system32\nGpxx18
    2008-02-16 13:48 . 2008-02-17 21:05 <DIR> d--hs---- C:\WINDOWS\RGF2aWQgRXN0cmFkYQ
    2008-02-15 19:51 . 2008-02-15 19:51 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
    2008-02-07 12:17 . 2008-02-07 12:17 <DIR> d-------- C:\Program Files\Common Files\Adobe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-18 02:10 --------- d-----w C:\Documents and Settings\David Estrada\Application Data\LimeWire
    2008-02-18 02:07 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-02-18 01:52 118,222 ----a-w C:\WINDOWS\Fonts\x.zip
    2008-02-18 01:17 --------- d-----w C:\Program Files\Windows Media Connect 2
    2008-02-18 00:49 --------- d-----w C:\Program Files\BFG
    2008-02-11 22:00 --------- d-----w C:\Program Files\LimeWire
    2008-02-01 15:01 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\PCSuperCharger
    2008-01-17 16:22 --------- d-----w C:\Program Files\Yahoo!
    2008-01-17 16:15 --------- d-----w C:\Documents and Settings\David Estrada\Application Data\Move Networks
    2007-12-28 18:34 --------- d-----w C:\Program Files\OpenOffice.org1.1.0
    2007-12-20 00:15 --------- d-----w C:\Program Files\Dell J740
    2007-12-19 19:11 --------- d-----w C:\Documents and Settings\David Estrada\Application Data\Yahoo!
    2007-12-19 19:11 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo! Companion
    2007-12-18 05:43 23,396 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
    2006-07-22 20:59 774,144 ----a-w C:\Program Files\RngInterstitial.dll
    2006-04-21 19:53 21,920 ----a-w C:\Documents and Settings\David Estrada\Application Data\GDIPFONTCACHEV1.DAT
    1784-02-06 00:28 65,536 ------w C:\WINDOWS\inf\copyinf.exe
    1784-02-06 00:28 243,200 ------w C:\WINDOWS\inf\rt2500.sys
    2005-07-29 21:24 472 --sha-r C:\WINDOWS\RGF2aWQgRXN0cmFkYQ\l3IZuqk0lrhXwAI4sk.vbs
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{11d21d3b-edf1-4b58-99ba-8b8149568240}]
    C:\WINDOWS\system32\sayvaoj.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C2E5D27-A17C-4D89-85DD-3553C189380D}]
    2008-01-30 14:02 414992 --a------ C:\Program Files\RABCO\RABCO.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{35E78239-811E-4c3f-B37D-F339AC16C2C0}]
    C:\PROGRA~1\Comet\bin\autosearch.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA77C40C-6BC7-49CC-96EE-A574347BF4DC}]
    2008-02-07 20:07 217088 --a------ C:\Program Files\Windows Media Player\rozyh89104.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-09 22:46 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
    "HTpatch"="C:\WINDOWS\htpatch.exe" [2002-10-30 04:40 28672]
    "BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 20:26 368706]
    "ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 09:29 40960]
    "tgcmd"="C:\Program Files\Support.com\BellSouth\hcenter.exe" [2005-08-31 13:14 1277952]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 01:41 49152]
    "ISW.exe"="C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 13:12 2061816]
    "AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-12-18 00:43 227856]

    C:\Documents and Settings\David Estrada\Start Menu\Programs\Startup\
    RABCO - Auto Update.lnk - C:\Program Files\RABCO\RABCOse.exe [2008-02-16 13:48:35 183216]

    C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Date Manager.lnk]
    path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Date Manager.lnk
    backup=C:\WINDOWS\pss\Date Manager.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^ymetray.lnk]
    path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\ymetray.lnk
    backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^David Estrada^Start Menu^Programs^Startup^OpenOffice.org 1.1.0.lnk]
    backup=C:\WINDOWS\pss\OpenOffice.org 1.1.0.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2003-12-16 12:06 229376 C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2006-01-25 23:10 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "aawservice"=2 (0x2)


    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-30 17:55:51 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
    - C:\Program Files\RegistrySmart\RegistrySmart.ex
    - C:\Program Files\RegistrySmart
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-18 01:12:53
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\a-squared Free\a2service.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\RABCO\X_RABCOse.exe
    .
    **************************************************************************
    .
    Completion time: 2008-02-18 1:18:08 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-02-18 06:17:38






    This is the startup list from HijackThis (I don't know if it's needed)

    StartupList report, 2/17/2008, 10:45:21 PM
    StartupList version: 1.52.2
    Started from : C:\Program Files\HijackThis\HijackThis.EXE
    Detected: Windows XP SP2 (WinNT 5.01.2600)
    Detected: Internet Explorer v7.00 (7.00.5730.0011)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\a-squared Free\a2service.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\WINDOWS\htpatch.exe
    C:\WINDOWS\System32\sistray.EXE
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Support.com\BellSouth\hcenter.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
    C:\WINDOWS\mrofinu1000106.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
    C:\Program Files\RABCO\X_RABCOse.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HijackThis\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\David Estrada\Start Menu\Programs\Startup]
    RABCO - Auto Update.lnk = C:\Program Files\RABCO\RABCOse.exe

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup]
    Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
    ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    NeroCheck = C:\WINDOWS\system32\NeroCheck.exe
    Smapp = C:\Program Files\Analog Devices\SoundMAX\SMTray.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
    swg = C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    [OptionalComponents]
    =

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=*INI section not found*
    run=*INI section not found*

    Load/Run keys from Registry:

    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: load=
    HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=
    SCRNSAVE.EXE=C:\WINDOWS\System32\BUTTER~1.SCR
    drivers=

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Task Scheduler jobs:

    RegistrySmart Scheduled Scan.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\system32\macromed\Director\SwDir.dll
    CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [{2CAB81F6-1CBB-49FD-809E-B2D37D0CFFED}]
    CODEBASE = http://www.popmonster.com/control/src/iefeatures.ocx

    [{33564D57-0000-0010-8000-00AA00389B71}]
    CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

    [WUWebControl Class]
    InProcServer32 = C:\WINDOWS\System32\wuweb.dll
    CODEBASE = http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1193366371500

    [{64311111-1111-1121-1111-111191113457}]
    CODEBASE = file://c:\eied_s7.cab

    [{70522FA2-4656-11D5-B0E9-0050DAC24E8F}]
    CODEBASE = http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab

    [{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
    CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

    [{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38040.3355671296

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9d.ocx
    CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

    [{FA13A9FA-CA9B-11D2-9780-00104B242EA3}]
    CODEBASE = file://D:\games\WebDriverFullInstall.exe

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\system32\webcheck.dll
    SysTray: C:\WINDOWS\system32\stobject.dll
    WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

    --------------------------------------------------
    End of report, 7,675 bytes
    Report generated in 0.125 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only






    And finally, the results from my scan with Kaspersky AV



    Trojan.Win32.BHO.ab c:\program files\common files\qugav601.dll 68.5 KB
    Backdoor.Win32.IRCBot.aro C:\WINDOWS\FONTS\SVCHOST.EXE 284 KB
    AdWare.Win32.CommAd.a C:\WINDOWS\RGF2aWQgRXN0cmFkYQ\command.exe 287 KB
    Trojan.Win32.BHO.ab c:\system volume information\_restore{823bf949-7682-4546-a649-24e975132106}\rp413\a1230717.exe 132 KB
    Trojan-Downloader.WMA.Wimad.l C:\Documents and Settings\David Estrada\My Documents\LimeWire\Saved\Rare Recording.wma 2.4 MB
    Backdoor.Win32.IRCBot.aro C:\WINDOWS\Fonts\Setup.exe 284 KB
    Trojan-Downloader.WMA.Wimad.l C:\Documents and Settings\David Estrada\My Documents\LimeWire\Saved\Wicked Remix.wma 1.8 MB
    AdWare.Win32.CommAd.a C:\WINDOWS\RGF2aWQgRXN0cmFkYQ\asappsrv.dll 183.5 KB



    I will be really thankful for any help that I may get from you guys. Thank you, thank you, thank you!!! :happy:
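Added example, not part of JayZee's post and not code from HijackThis, ComboFix or Kaspersky: a small Python triage script that parses HijackThis-style autostart lines and flags the patterns visible in the logs above. The checks are my own heuristics: an executable loaded straight from the Windows root, a Run value passing a long hex blob as its argument, an ActiveX control registered from a local file:// codebase, a service whose file HijackThis reports missing, and a path component that is base64 for readable text (the hidden folder C:\WINDOWS\RGF2aWQgRXN0cmFkYQ in the ComboFix log decodes to "David Estrada", the account name on this machine). The sample lines are copied from the HijackThis log in the post. Every hit is a prompt for a human check, not a verdict: the post's own htpatch.exe entry trips the Windows-root rule, and HijackThis reports the Kaspersky service as "(file missing)" even though avp.exe appears in the running-process list.

```python
"""Triage heuristics for HijackThis-style autostart listings.

Added example for this thread, not code from the original post or from
HijackThis/ComboFix. Every check is a heuristic: a hit means "look at this
entry", not "this is malware".
"""
import base64
import re

# Constructed sample: lines copied from the HijackThis log in the post, chosen
# so that each heuristic has at least one hit and at least one miss.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {2CAB81F6-1CBB-49FD-809E-B2D37D0CFFED} - http://www.popmonster.com/control/src/iefeatures.ocx
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" -r (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# First Windows path on a line, up to a common executable/module extension.
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx|scr|vbs|cab)', re.I)
# 32 or more hex digits in one token: the opaque argument style runner1 uses.
HEX_BLOB = re.compile(r'\b[0-9A-Fa-f]{32,}\b')


def base64_decodes_to_text(token: str) -> bool:
    """True if token (padding stripped) is base64 for 4+ printable ASCII bytes.

    Catches names like RGF2aWQgRXN0cmFkYQ, which decodes to the user name
    'David Estrada'; ordinary folder names such as system32 decode to junk.
    """
    if len(token) < 8 or not re.fullmatch(r'[A-Za-z0-9+/]+', token):
        return False
    padded = token + '=' * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) >= 4 and all(32 <= b < 127 for b in raw)


def triage_path(path: str) -> list[str]:
    """Path-only heuristics, usable on ComboFix/AV paths as well as HJT lines."""
    reasons = []
    parts = path.split('\\')
    # The OS keeps its own binaries under system32; a loose .exe directly in
    # the Windows root is worth a look (legitimate utilities trip this too).
    if len(parts) == 3 and parts[1].upper() == 'WINDOWS' and parts[2].lower().endswith('.exe'):
        reasons.append('exe in Windows root')
    for comp in parts[1:]:
        stem = comp.rsplit('.', 1)[0]
        if base64_decodes_to_text(stem):
            reasons.append(f'path component {comp!r} is base64 for printable text')
    return reasons


def triage_line(line: str) -> list[str]:
    """Heuristics for one HijackThis line (O4 Run, O16 DPF, O23 Service)."""
    reasons = []
    m = WIN_PATH.search(line)
    if m:
        reasons += triage_path(m.group(0))
    args = line[m.end():] if m else line
    if line.startswith('O4') and HEX_BLOB.search(args):
        reasons.append('Run value passes a long hex blob as argument')
    if line.startswith('O16') and re.search(r'-\s*file://', line, re.I):
        reasons.append('ActiveX control registered from a local file:// codebase')
    if line.startswith('O23') and '(file missing)' in line:
        reasons.append('service points at a missing file (verify; HJT mis-parses quoted paths)')
    return reasons


def triage(log_text: str) -> dict[str, list[str]]:
    """Map each flagged line to its reasons; lines with no hits are omitted."""
    findings = {}
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            reasons = triage_line(line)
            if reasons:
                findings[line] = reasons
    return findings


if __name__ == '__main__':
    for flagged, why in triage(SAMPLE_LOG).items():
        print(flagged[:72])
        for reason in why:
            print('   ->', reason)
```

Run as a script it prints the four flagged sample lines with their reasons; for a real log, call `triage()` on the whole file's text and compare the hits against a known-good list before touching anything. `triage_path()` can be pointed at paths from the ComboFix or Kaspersky sections directly.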
     
Short URL to this thread: https://techguy.org/684676