
Please Help! Being attacked by a variety of Trojans/Viruses...

Discussion in 'Virus & Other Malware Removal' started by LilyNBlue, Jan 9, 2008.

  1. LilyNBlue (Thread Starter), joined Jan 9, 2008
    PLEASE HELP ME discover where/how I am still vulnerable!! (logs and system info below)
    ___________________

    My teenage kids have their own computer, and frequent a few sites that I fear have let some baddies in. For the last week, I've been trying to clean this thing up... as the avast! anti-virus and on-access scanner has recently gone CRAZY notifying me of various Trojans and viruses.

    I've run: avast!, Spybot, Ad-Aware, WinCleaner; I've loaded up Spyware Blaster, and have now run HijackThis!. We have a home network with a NetGear router and wireless adaptors. Our router is password-secured with WPA-PSK.

    This machine is an eMachine W3050, running Win XP (80G, 512 MB), one AMD processor (x86 family); NVIDIA nForce Networking.

    I will include at the bottom of this post, a few entries of possible interest that I found in the System Information (msinfo32) file tonight, too.

    Before posting my HijackThis log, here are some examples of what avast! is blocking. Here's the Warning Log from the last couple hours:
    1/9/2008 5:48:10 PM 1199918890 Julie 1384 Sign of "Win32:TratBHO [Trj]" has been found in "C:\WINDOWS\system32\awtss.dll" file.
    1/9/2008 5:49:24 PM 1199918964 Julie 3888 Sign of "Win32:Agent-NMX [Trj]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP947\A0202099.exe\[UPX]" file.
    1/9/2008 5:49:38 PM 1199918978 Julie 3888 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP948\A0204049.dll" file.
    1/9/2008 5:49:43 PM 1199918983 Julie 3888 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP948\A0204058.exe" file.
    1/9/2008 5:49:48 PM 1199918988 Julie 3888 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP949\A0206066.dll" file.
    1/9/2008 5:49:51 PM 1199918991 Julie 3888 Sign of "Win32:Agent-NMX [Trj]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP949\A0206084.exe\[UPX]" file.
    1/9/2008 5:49:54 PM 1199918994 Julie 3888 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP950\A0207089.dll" file.
    1/9/2008 5:49:56 PM 1199918996 Julie 3888 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP950\A0207090.dll" file.
    1/9/2008 5:49:58 PM 1199918998 Julie 3888 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP950\A0207114.dll" file.
    1/9/2008 5:50:01 PM 1199919001 Julie 3888 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP951\A0209114.dll" file.
    1/9/2008 5:50:03 PM 1199919003 Julie 3888 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP951\A0210114.dll" file.
    1/9/2008 5:50:05 PM 1199919005 Julie 3888 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP951\A0210115.dll" file.
    1/9/2008 5:50:09 PM 1199919009 Julie 3888 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP952\A0211115.dll" file.
    1/9/2008 5:50:18 PM 1199919018 Julie 3888 Sign of "Win32:Agent-NMX [Trj]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP953\A0211248.exe\[UPX]" file.
    1/9/2008 5:50:32 PM 1199919032 Julie 3888 Sign of "Win32:Vundo-gen57 [Adw]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP954\A0211446.dll" file.
    1/9/2008 5:50:34 PM 1199919034 Julie 3888 Sign of "Win32:Vundo-gen57 [Adw]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP954\A0211447.dll" file.
    1/9/2008 5:50:35 PM 1199919035 Julie 3888 Sign of "Win32:Vundo-gen57 [Adw]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP954\A0211448.dll" file.
    1/9/2008 5:50:38 PM 1199919038 Julie 3888 Sign of "Win32:Vundo-gen57 [Adw]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP954\A0211449.dll" file.
    1/9/2008 5:50:40 PM 1199919040 Julie 3888 Sign of "Win32:Vundo-gen57 [Adw]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP954\A0211450.dll" file.
    1/9/2008 5:50:48 PM 1199919048 Julie 3888 Sign of "Win32:Agent-NMX [Trj]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP954\A0212050.exe\[UPX]" file.
    1/9/2008 5:51:23 PM 1199919083 Julie 3888 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP955\A0217802.dll" file.
    1/9/2008 5:51:27 PM 1199919087 Julie 3888 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP955\A0218802.dll" file.
    1/9/2008 5:52:00 PM 1199919120 Julie 3888 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP957\A0221021.dll" file.
    1/9/2008 5:52:05 PM 1199919125 Julie 3888 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP957\A0221022.dll" file.
    1/9/2008 5:52:14 PM 1199919134 Julie 3888 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP959\A0227046.dll" file.
    1/9/2008 5:52:18 PM 1199919138 Julie 3888 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP959\A0227063.dll" file.
    1/9/2008 5:52:20 PM 1199919140 Julie 3888 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP959\A0227081.dll" file.
    1/9/2008 5:52:23 PM 1199919143 Julie 3888 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP960\A0228081.dll" file.
    1/9/2008 5:52:41 PM 1199919161 Julie 3888 Sign of "Win32:Agent-PCJ [Adw]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP967\A0234174.exe" file.
    1/9/2008 5:52:44 PM 1199919164 Julie 3888 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP967\A0234197.dll" file.
    1/9/2008 5:52:45 PM 1199919165 Julie 3888 Sign of "Win32:Vundo-gen57 [Adw]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP967\A0234198.dll" file.
    1/9/2008 5:52:49 PM 1199919169 Julie 3888 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP967\A0234199.dll" file.
    1/9/2008 5:52:52 PM 1199919172 Julie 3888 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP967\A0234200.dll" file.
    1/9/2008 5:52:54 PM 1199919174 Julie 3888 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP967\A0234201.dll" file.
    1/9/2008 5:52:55 PM 1199919175 Julie 3888 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP967\A0234202.exe" file.
    1/9/2008 5:52:57 PM 1199919177 Julie 3888 Sign of "Win32:Agent-PCJ [Adw]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP967\A0234204.exe" file.
    1/9/2008 5:53:02 PM 1199919182 Julie 3888 Sign of "Win32:Agent-PCJ [Adw]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP967\A0234205.exe" file.
    1/9/2008 5:53:04 PM 1199919184 Julie 3888 Sign of "Win32:Agent-PCJ [Adw]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP967\A0234206.exe" file.
    1/9/2008 5:53:05 PM 1199919185 Julie 3888 Sign of "Win32:Agent-PCJ [Adw]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP967\A0234207.exe" file.
    1/9/2008 5:53:07 PM 1199919187 Julie 3888 Sign of "Win32:Agent-PCJ [Adw]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP967\A0234208.exe" file.
    1/9/2008 5:53:09 PM 1199919189 Julie 3888 Sign of "Win32:Agent-PCJ [Adw]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP967\A0234209.exe" file.
    1/9/2008 5:53:10 PM 1199919190 Julie 3888 Sign of "Win32:Agent-PCJ [Adw]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP967\A0234210.exe" file.
    1/9/2008 5:53:11 PM 1199919191 Julie 3888 Sign of "Win32:Agent-PCJ [Adw]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP967\A0234211.exe" file.
    1/9/2008 5:53:12 PM 1199919192 Julie 3888 Sign of "Win32:Agent-PCJ [Adw]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP967\A0234212.exe" file.
    1/9/2008 5:53:13 PM 1199919193 Julie 3888 Sign of "Win32:Agent-LAP [Trj]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP967\A0234213.exe" file.
    1/9/2008 5:53:14 PM 1199919194 Julie 3888 Sign of "Win32:Agent-PCJ [Adw]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP967\A0234214.exe" file.
    1/9/2008 5:53:15 PM 1199919195 Julie 3888 Sign of "Win32:Agent-PCJ [Adw]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP967\A0234215.exe" file.
    1/9/2008 5:53:16 PM 1199919196 Julie 3888 Sign of "Win32:Tiny-IF [Trj]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP967\A0234216.exe" file.
    1/9/2008 5:53:17 PM 1199919197 Julie 3888 Sign of "Win32:Agent-PCJ [Adw]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP967\A0234217.exe" file.
    1/9/2008 5:53:17 PM 1199919197 Julie 3888 Sign of "Win32:Agent-PCJ [Adw]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP967\A0234218.exe" file.
    1/9/2008 5:53:18 PM 1199919198 Julie 3888 Sign of "Win32:Agent-PCJ [Adw]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP967\A0234219.exe" file.
    1/9/2008 5:53:18 PM 1199919198 Julie 3888 Sign of "Win32:Agent-PCJ [Adw]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP967\A0234220.exe" file.
    1/9/2008 5:53:19 PM 1199919199 Julie 3888 Sign of "Win32:Agent-PCJ [Adw]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP967\A0234221.exe" file.
    1/9/2008 5:53:20 PM 1199919200 Julie 3888 Sign of "Win32:Agent-PCJ [Adw]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP967\A0234222.exe" file.
    1/9/2008 5:53:21 PM 1199919201 Julie 3888 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP967\A0234224.dll" file.
    1/9/2008 5:53:22 PM 1199919202 Julie 3888 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP967\A0234225.dll" file.
    1/9/2008 5:53:22 PM 1199919202 Julie 3888 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP967\A0234226.dll" file.
    1/9/2008 5:53:23 PM 1199919203 Julie 3888 Sign of "Win32:Virtumonde-EZ [Adw]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP967\A0234227.dll" file.
    1/9/2008 5:53:24 PM 1199919204 Julie 3888 Sign of "Win32:Virtumonde-EZ [Adw]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP967\A0234228.dll" file.
    1/9/2008 5:53:28 PM 1199919208 Julie 3888 Sign of "Win32:TratBHO [Trj]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP968\A0235159.dll" file.
    1/9/2008 6:02:27 PM 1199919747 Julie 3888 Sign of "Win32:Small-IKZ [Trj]" has been found in "C:\WINDOWS\system32\ipd1\zpr121dll.exe\[UPX]" file.
    1/9/2008 6:48:11 PM 1199922491 Julie 1384 Sign of "Win32:TratBHO [Trj]" has been found in "C:\WINDOWS\system32\mllmk.dll" file.
    1/9/2008 7:48:15 PM 1199926095 Julie 1384 Sign of "Win32:TratBHO [Trj]" has been found in "C:\WINDOWS\system32\jkklk.dll" file.


    And here's my HijackThis! log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:57:52 PM, on 1/9/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\RunDLL32.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: {32ff41d9-d354-192a-f7d4-3a434306e2f7} - {7f2e6034-34a3-4d7f-a291-453d9d14ff23} - C:\WINDOWS\system32\wedcgacc.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: (no name) - {C292AF62-EA9D-4595-873D-9D66575822AD} - (no file)
    O2 - BHO: (no name) - {DC622A2C-A2D7-4B60-8990-6AD3583F4E46} - C:\WINDOWS\system32\geedb.dll (file missing)
    O2 - BHO: (no name) - {F0634FEF-5974-4F8C-8CE0-FE1D4D7C1B6A} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O2 - BHO: (no name) - {FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856} - C:\WINDOWS\system32\awtqrqn.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [102cf39a] rundll32.exe "C:\WINDOWS\system32\gkcfgubw.dll",b
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O20 - Winlogon Notify: awtqrqn - C:\WINDOWS\SYSTEM32\awtqrqn.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

    --
    End of file - 7540 bytes


    And, finally, these may be worth noting:

    Found in SYSTEM INFORMATION:

    UNDER "SOFTWARE ENVIRONMENT/STARTUP PROGRAMS":

    102cf39a rundll32.exe "c:\windows\system32\gkcfgubw.dll",b All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Adobe Gamma Loader c:\progra~1\common~1\adobe\calibr~1\adobeg~1.exe All Users Common Startup
    NVMixerTray "c:\program files\nvidia corporation\nvmixer\nvmixertray.exe" All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    NeroFilterCheck c:\windows\system32\nerocheck.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    NvCplDaemon rundll32.exe c:\windows\system32\nvcpl.dll,nvstartup All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    NvMediaCenter rundll32.exe c:\windows\system32\nvmctray.dll,nvtaskbarinit All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    QuickTime Task "c:\program files\quicktime\qttask.exe" -atboottime All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Recguard c:\windows\sminst\recguard.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    RemoteControl "c:\program files\cyberlink\powerdvd\pdvdserv.exe" All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SunKistEM c:\program files\digital media reader\shwiconem.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    avast! c:\progra~1\alwils~1\avast4\ashdisp.exe All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe c:\windows\system32\ctfmon.exe TAYLOR-NICK\Julie HKU\S-1-5-21-1880956434-1162627139-4111917216-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    desktop desktop.ini NT AUTHORITY\SYSTEM Startup
    desktop desktop.ini TAYLOR-NICK\Julie Startup
    desktop desktop.ini .DEFAULT Startup
    desktop desktop.ini All Users Common Startup
    nwiz nwiz.exe /install All Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run



    UNDER "COMPONENTS/NETWORK/ADAPTER":
    Besides NVIDIA nForce, I also see 2 other entries:

    Name [00000005] WAN Miniport (PPTP)
    Adapter Type Wide Area Network (WAN)
    Product Type WAN Miniport (PPTP)
    Installed Yes
    PNP Device ID ROOT\MS_PPTPMINIPORT\0000
    Last Reset 1/9/2008 6:38 AM
    Index 5
    Service Name PptpMiniport
    IP Address Not Available
    IP Subnet Not Available
    Default IP Gateway Not Available
    DHCP Enabled No
    DHCP Server Not Available
    DHCP Lease Expires Not Available
    DHCP Lease Obtained Not Available
    MAC Address 50:50:54:50:30:30
    Driver c:\windows\system32\drivers\raspptp.sys (5.1.2600.2180 (xpsp_sp2_rtm.040803-2158), 47.25 KB (48,384 bytes), 8/26/2004 12:12 PM)

    Name [00000006] WAN Miniport (PPPOE)
    Adapter Type Wide Area Network (WAN)
    Product Type WAN Miniport (PPPOE)
    Installed Yes
    PNP Device ID ROOT\MS_PPPOEMINIPORT\0000
    Last Reset 1/9/2008 6:38 AM
    Index 6
    Service Name RasPppoe
    IP Address Not Available
    IP Subnet Not Available
    Default IP Gateway Not Available
    DHCP Enabled No
    DHCP Server Not Available
    DHCP Lease Expires Not Available
    DHCP Lease Obtained Not Available
    MAC Address 33:50:6F:45:30:30
    Driver c:\windows\system32\drivers\raspppoe.sys (5.1.2600.2180 (xpsp_sp2_rtm.040803-2158), 40.50 KB (41,472 bytes), 8/26/2004 12:12 PM)

    ______________

    Also, before I posted this, I DID DELETE ONE FILE that was showing up on the HijackThis! scan because -- in reading posts to THIS forum and others -- I knew it was safe to delete. It was a baddie: P0620Pin.dll
    There was an entry that looked something like this:
    O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP
    ....and I allowed HijackThis! to "FIX" it!


    NOW, I'm at a loss as to what I can/should do!!

    I would SINCERELY and deeply appreciate any help I can get with this. I know only enough to be dangerous, when it comes to computers. And I've NEVER had to remove trojans before... so I'm really struggling.

    PLEASE HELP????

    Thank you, in advance!!

    ~Julie~
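The two logs in the post above carry more structure than a glance suggests: every avast! hit under System Volume Information is a file inside a System Restore snapshot (inert until restored, and only cleared by purging restore points), while the hits in system32 and the HijackThis O2/O4/O20 entries describe the persistence that is actually loading. The script below is an added example written for this page by the editor; it is not part of the original post and not code from avast! or HijackThis. It parses both formats (sample lines constructed in the shape of the post's logs, with the file names the post shows), separates restore-point hits from live ones, applies a small set of triage heuristics that are the editor's assumptions rather than rules from either tool (unnamed or GUID-named BHOs loaded from system32; Run values named with eight hex digits; rundll32 calling a system32 DLL through a single-letter export; any Winlogon Notify DLL in system32), and then cross-references which DLLs are registered at more than one load point, which is the pattern the log shows for awtqrqn.dll.

```python
import re
from collections import defaultdict

# Constructed sample input: lines in the shape of the avast! Warning Log and the
# HijackThis log quoted in the post (file names taken from the post, not invented).
AVAST_LOG = r"""
1/9/2008 5:48:10 PM 1199918890 Julie 1384 Sign of "Win32:TratBHO [Trj]" has been found in "C:\WINDOWS\system32\awtss.dll" file.
1/9/2008 5:49:24 PM 1199918964 Julie 3888 Sign of "Win32:Agent-NMX [Trj]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP947\A0202099.exe\[UPX]" file.
1/9/2008 5:50:32 PM 1199919032 Julie 3888 Sign of "Win32:Vundo-gen57 [Adw]" has been found in "C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP954\A0211446.dll" file.
1/9/2008 6:02:27 PM 1199919747 Julie 3888 Sign of "Win32:Small-IKZ [Trj]" has been found in "C:\WINDOWS\system32\ipd1\zpr121dll.exe\[UPX]" file.
1/9/2008 7:48:15 PM 1199926095 Julie 1384 Sign of "Win32:TratBHO [Trj]" has been found in "C:\WINDOWS\system32\jkklk.dll" file.
"""
HJT_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: {32ff41d9-d354-192a-f7d4-3a434306e2f7} - {7f2e6034-34a3-4d7f-a291-453d9d14ff23} - C:\WINDOWS\system32\wedcgacc.dll
O2 - BHO: (no name) - {DC622A2C-A2D7-4B60-8990-6AD3583F4E46} - C:\WINDOWS\system32\geedb.dll (file missing)
O2 - BHO: (no name) - {FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856} - C:\WINDOWS\system32\awtqrqn.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [102cf39a] rundll32.exe "C:\WINDOWS\system32\gkcfgubw.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: awtqrqn - C:\WINDOWS\SYSTEM32\awtqrqn.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

AVAST_RE = re.compile(
    r'^(?P<date>\S+ \S+ [AP]M) (?P<epoch>\d+) (?P<user>\S+) (?P<pid>\d+) '
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.$')
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[^}]+\}) - (?P<file>.+)$')
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<file>.+)$')
GUID_RE = re.compile(r'^\{[0-9a-f-]{36}\}$', re.I)
HEX8_RE = re.compile(r'^[0-9a-f]{8}$', re.I)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?,(?P<export>\S+)', re.I)
RESTORE_PREFIX = "c:\\system volume information\\_restore"
SYSTEM32 = "c:\\windows\\system32\\"


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_avast(text):
    """One dict per avast! warning line, tagged 'live' or 'restore_point'."""
    hits = []
    for line in text.splitlines():
        m = AVAST_RE.match(line.strip())
        if not m:
            continue
        h = m.groupdict()
        # Drop avast's unpacker suffix such as "\[UPX]" to get the on-disk path.
        h["path"] = re.sub(r'\\\[[^\]]+\]$', '', h["path"])
        h["location"] = "restore_point" if h["path"].lower().startswith(RESTORE_PREFIX) else "live"
        hits.append(h)
    return hits


def triage_hijackthis(text):
    """Editor-assumed heuristics over O2/O4/O20 lines; returns (severity, section, file, reason)."""
    flags = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            file, missing = m["file"], False
            if file.endswith(" (file missing)"):
                file, missing = file[:-len(" (file missing)")], True
            anonymous = m["name"] == "(no name)" or GUID_RE.match(m["name"]) is not None
            if missing:
                flags.append(("info", "O2", basename(file), "orphaned BHO registration (file missing)"))
            elif anonymous and file.lower().startswith(SYSTEM32):
                flags.append(("high", "O2", basename(file), "unnamed or GUID-named BHO loaded from system32"))
            continue
        m = O4_RE.match(line)
        if m:
            r = RUNDLL_RE.search(m["cmd"])
            reasons = []
            if HEX8_RE.match(m["name"]):
                reasons.append("Run value named with 8 random hex digits")
            if r and len(r["export"]) == 1 and r["dll"].lower().startswith(SYSTEM32):
                reasons.append("rundll32 loads a system32 DLL through a single-letter export")
            if reasons:
                flags.append(("high", "O4", basename(r["dll"]) if r else m["cmd"], "; ".join(reasons)))
            continue
        m = O20_RE.match(line)
        if m and m["file"].lower().startswith(SYSTEM32):
            flags.append(("high", "O20", basename(m["file"]), "Winlogon Notify DLL in system32, loaded by winlogon.exe at every logon"))
    return flags


def triage(avast_text, hjt_text):
    """Combine both logs: live vs. restore-point hits, flagged load points, multi-load-point DLLs."""
    hits = parse_avast(avast_text)
    flags = triage_hijackthis(hjt_text)
    live = sorted({basename(h["path"]) for h in hits if h["location"] == "live"})
    restore = sum(1 for h in hits if h["location"] == "restore_point")
    loadpoints = defaultdict(set)
    for _, section, target, _ in flags:
        loadpoints[target].add(section)
    for name in live:
        loadpoints[name].add("avast-live")
    multi = {k: sorted(v) for k, v in loadpoints.items() if len(v) > 1}
    return {"live_files": live, "restore_point_hits": restore, "flags": flags, "multi_loadpoint": multi}


if __name__ == "__main__":
    report = triage(AVAST_LOG, HJT_LOG)
    print("restore-point hits (inert snapshots):", report["restore_point_hits"])
    print("live detections:", ", ".join(report["live_files"]))
    for severity, section, target, reason in report["flags"]:
        print(f"[{severity}] {section} {target}: {reason}")
    print("DLLs registered at more than one load point:", report["multi_loadpoint"])
```

On the sample above the script reports two restore-point hits, three live files (awtss.dll, jkklk.dll, zpr121dll.exe), and flags wedcgacc.dll, awtqrqn.dll and gkcfgubw.dll, with awtqrqn.dll showing up at both an O2 and an O20 load point. The heuristics are deliberately narrow so that Spybot's unnamed SDHelper.dll (under Program Files) and NVIDIA's rundll32 entries (named exports) are not flagged; before running them on any other log they would need an allow-list of known-good entries.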
     
  2. LilyNBlue (Thread Starter), joined Jan 9, 2008
    I originally made a request for help in analyzing on January 9th.
    Zero replies.

    I've done a little homework since then and have run a few other programs. A few items were tagged and fixed. In the last 3 weeks, I've run: avast! anti-virus, Spybot, Ad-Aware, WinCleaner, SuperAntiSpyware, SDFix; I've loaded up Spyware Blaster, and have now run HijackThis!. We have a home network with a NetGear router and wireless adaptors. Our router is password-secured with WPA-PSK. I've also set the router to block a LONG list of known ad-servers (I can monitor all activity through the router's IP address and subsequently block what I see come through).

    ___________________


    Here's the latest HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:52:05 PM, on 1/14/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: {32ff41d9-d354-192a-f7d4-3a434306e2f7} - {7f2e6034-34a3-4d7f-a291-453d9d14ff23} - C:\WINDOWS\system32\wedcgacc.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: (no name) - {C292AF62-EA9D-4595-873D-9D66575822AD} - (no file)
    O2 - BHO: (no name) - {F0634FEF-5974-4F8C-8CE0-FE1D4D7C1B6A} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [102cf39a] rundll32.exe "C:\WINDOWS\system32\gkcfgubw.dll",b
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    _____________________________

    And here is the SDFix report (which I ran in safe mode):

    SDFix: Version 1.125
    Run by Julie on Sun 01/13/2008 at 06:58 PM
    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\SDFix
    Safe Mode:
    Checking Services:

    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...

    Normal Mode:
    Checking Files:

    Trojan Files Found:

    C:\Temp\1cb\syscheck.log - Deleted
    C:\WINDOWS\system32\pac.txt - Deleted


    Folder C:\Temp\1cb - Removed

    Removing Temp Files...

    ADS Check:

    C:\WINDOWS
    No streams found.

    C:\WINDOWS\system32
    No streams found.

    C:\WINDOWS\system32\svchost.exe
    No streams found.

    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-13 19:07:25
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    scanning hidden files ...


    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 2


    Remaining Services:
    ------------------

    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
    "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
    "C:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"="C:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Engine"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\\WINDOWS\\system32\\xbseecml.exe"="C:\\WINDOWS\\system32\\xbs"
    "C:\\WINDOWS\\system32\\muzapp.exe"="C:\\WINDOWS\\system32\\muzapp.exe:*:Disabled:MUZ AOD APP player"
    "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Disabled:Windows Live Messenger 8.1 (Phone)"
    "C:\\Program Files\\Netscape\\Netscape Browser\\netscape.exe"="C:\\Program Files\\Netscape\\Netscape Browser\\netscape.exe:*:Disabled:Navigator"
    "C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Disabled:Windows Messenger"
    "C:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"="C:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe:*:Disabled:Zoo Tycoon 2 Executable"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
    "C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

    Remaining Files:
    ---------------

    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes:

    Wed 10 Oct 2007 625,152 A.SH. --- "C:\Program Files\Internet Explorer\iexplore.exe"
    Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
    Wed 4 Aug 2004 4,639 A.SH. --- "C:\Program Files\Windows Media Player\mplayer2.exe"
    Wed 11 Aug 2004 73,728 A.SH. --- "C:\Program Files\Windows Media Player\wmplayer.exe"
    Sun 26 Dec 2004 0 A.SH. --- "C:\WINDOWS\SMINST\HPCD.sys"
    Mon 20 Oct 2003 73,688 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe"
    Sat 24 Jan 2004 5,120 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll"
    Sat 22 Sep 2007 2,007,055 ..SH. --- "C:\Documents and Settings\Guest\Local Settings\Temp\uttss.bak1"
    Sun 23 Sep 2007 2,008,461 ..SH. --- "C:\Documents and Settings\Guest\Local Settings\Temp\uttss.bak2"


    What more needs my attention? Please?? ANYONE??
     
  3. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    55,532
    First Name:
    Derek
    Delete any existing version of ComboFix you have sitting on your desktop

    Download ComboFix from Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    --------------------------------------------------------------------
    1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results"
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Remember to re-enable the protection again afterwards before connecting to the net
    --------------------------------------------------------------------
    2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
    • WARNING: IF you have not already done so, Combofix will disconnect your machine from the Internet when it starts
    • Please do not re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
    Double click on combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
    Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review


    ****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****
     
Short URL to this thread: https://techguy.org/670103
