
Solved: my control panel is also missing

Discussion in 'Virus & Other Malware Removal' started by nicky0520, Nov 27, 2007.

  1. nicky0520

    nicky0520 Thread Starter

    Joined:
    Nov 27, 2007
    Messages:
    24
    My control panel is also missing. I have run the file and have the log from WordPad.

    What does this mean?

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:09:53 PM, on 11/27/2007
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\ibmpmsvc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\QCONSVC.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\BRMFRSMG.EXE
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\Program Files\Network Associates\VirusScan\Avconsol.exe
    C:\WINNT\Explorer.exe
    C:\WINNT\shell.exe
    C:\WINNT\system32\tp4serv.exe
    C:\WINNT\system32\atiptaxx.exe
    C:\WINNT\AGRSMMSG.exe
    C:\WINNT\system32\PRPCUI.exe
    C:\WINNT\system32\wuauclt.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    C:\WINNT\system32\RunDll32.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\progra~1\scansoft\paperp~1\pptd40nt.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\winstall.exe
    C:\Program Files\PestTrap\PestTrap.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\shell.exe
    F3 - REG:win.ini: run=c:\winnt\system32\cdcompat.exe
    O2 - BHO: (no name) - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - (no file)
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Video On-line - {065B1210-E57F-41AD-90C5-F70D63388640} - C:\WINNT\system32\PowerVideo.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {34E6F97C-34E0-4CE5-B92B-F83634BEDC01} - C:\Program Files\Video ActiveX Access\iesplg.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [QCTRAY] C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
    O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
    O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\BRMFLPRO\SetDefPrt.exe
    O4 - HKLM\..\Run: [MRT] "C:\WINNT\system32\MRT.exe" /R
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [Printer] C:\WINNT\system32\printer.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Spoolsv] C:\WINNT\system32\spoolvs.exe
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - HKCU\..\Run: [Download] "C:\Documents and Settings\ngriffin\Local Settings\Temp\HC4\SSGet.exe" 120 "" ""
    O4 - HKCU\..\Run: [SpywareBot] C:\PROGRA~1\SPYWAR~1\SpywareBot.exe -boot
    O4 - HKCU\..\Run: [PestTrap] C:\Program Files\PestTrap\PestTrap.exe
    O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Access\iesmn.exe
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Startup: findfast.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: msn_0711_upd072301.exe
    O4 - Global Startup: autorun.exe
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://dload.ipbill.com/del/loader.cab
    O22 - SharedTaskScheduler: hutlet - {c82e1789-207a-4b8a-806f-76b62dfac2a2} - (no file)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
    O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
    O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: QCONSVC - Unknown owner - C:\WINNT\System32\QCONSVC.EXE
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

    --
    End of file - 8837 bytes
     
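The log above is the thread's raw evidence, and the question "What does this mean?" is the right one: a HijackThis log is only useful once the handful of lines that matter are separated from the dozens of ordinary vendor entries. The script below is an added example, written for this page; it is not HijackThis code and not something any participant in the thread posted. It takes a subset of the lines from the log above as its sample input and flags the autostart points a responder checks first: the Winlogon Shell value that now runs C:\WINNT\shell.exe alongside Explorer.exe, the legacy win.ini run= hook, orphaned Browser Helper Objects, Run-key values that borrow or mis-spell a system binary's name (the "Spoolsv" value that runs spoolvs.exe), programs started from the drive root or a Temp directory, a bare .exe dropped in the Startup folder, the Policies\Explorer\Run key, the O7 policy and a dead SharedTaskScheduler hook. The heuristics, the SYSTEM_BINARIES list and the edit-distance threshold are this example's own assumptions; the checks are general and apply to any HijackThis v2 log, not only this one.

```python
"""Triage a HijackThis v2 log for the autostart points a responder checks
first.  Added example for this thread, not HijackThis code: the sample lines
are copied from the log in post #1; the heuristics, SYSTEM_BINARIES and the
edit-distance threshold are this example's own assumptions."""
import re

# Sample input: a subset of the lines from the HijackThis log in post #1.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\shell.exe
F3 - REG:win.ini: run=c:\winnt\system32\cdcompat.exe
O2 - BHO: (no name) - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - (no file)
O2 - BHO: (no name) - {34E6F97C-34E0-4CE5-B92B-F83634BEDC01} - C:\Program Files\Video ActiveX Access\iesplg.dll (file missing)
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINNT\system32\spoolvs.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [Download] "C:\Documents and Settings\ngriffin\Local Settings\Temp\HC4\SSGet.exe" 120 "" ""
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Access\iesmn.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: autorun.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O22 - SharedTaskScheduler: hutlet - {c82e1789-207a-4b8a-806f-76b62dfac2a2} - (no file)
"""

# Core Windows binaries whose names malware borrows or mis-spells (assumed list).
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe",
                   "ctfmon.exe", "userinit.exe", "rundll32.exe"}

O4_REG = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_DIR = re.compile(r"^O4 - (?:Startup|Global Startup): (?P<entry>.*)$")

def levenshtein(a, b):
    """Plain edit distance, enough to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def target_path(cmd):
    """First token of a Run-key command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0] if cmd else ""

def user_writable(path):
    """Drive root, a Temp directory or a user profile: places services never live."""
    p = path.lower()
    return bool(re.match(r"^[a-z]:\\[^\\]+$", p)) or any(
        s in p for s in ("\\temp\\", "\\documents and settings\\"))

def check_o4(line):
    reasons = []
    m = O4_DIR.match(line)
    if m:  # Startup-folder entry: a .lnk is normal, a bare .exe is a drop
        if m.group("entry").split(" = ")[0].lower().endswith(".exe"):
            reasons.append("executable dropped directly into the Startup folder")
        return reasons
    m = O4_REG.match(line)
    if not m:
        return reasons
    key, name, cmd = m.group("key"), m.group("name"), m.group("cmd")
    path = target_path(cmd)
    base = path.rsplit("\\", 1)[-1].lower()
    if "policies\\explorer\\run" in key.lower():
        reasons.append("Policies\\Explorer\\Run is rarely used by legitimate software")
    if user_writable(path):
        reasons.append("starts a binary from a user-writable location")
    wanted = name.lower().replace(" ", "")  # "Spoolsv" -> spoolsv.exe
    wanted += "" if wanted.endswith(".exe") else ".exe"
    if wanted in SYSTEM_BINARIES and base != wanted:
        reasons.append(f"value name impersonates {wanted} but runs {base}")
    for sysbin in sorted(SYSTEM_BINARIES):
        if base != sysbin and levenshtein(base, sysbin) <= 2:
            reasons.append(f"{base} is a lookalike of {sysbin}")
    return reasons

def triage(log_text):
    """Return [(line, [reasons])] for every log line that deserves a look."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        reasons = []
        if line.startswith("F2 - REG:system.ini: Shell="):
            shell = [t.lower() for t in line.split("Shell=", 1)[1].split()]
            if shell != ["explorer.exe"]:  # anything appended runs at every logon
                reasons.append("Winlogon Shell is no longer plain Explorer.exe")
        elif line.startswith("F3 - REG:win.ini: run=") and line.split("run=", 1)[1].strip():
            reasons.append("legacy win.ini run= hook is set")
        elif line.startswith("O2 - BHO:") and any(
                t in line for t in ("(no name)", "(no file)", "(file missing)")):
            reasons.append("unnamed or orphaned Browser Helper Object")
        elif line.startswith("O4 - "):
            reasons = check_o4(line)
        elif line.startswith("O7 - "):
            reasons.append("policy restriction set; used to lock users out of regedit or Control Panel")
        elif line.startswith("O22 - ") and "(no file)" in line:
            reasons.append("SharedTaskScheduler hook with no backing file")
        if reasons:
            findings.append((line, reasons))
    return findings

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line, "\n   ->", "; ".join(reasons))
```

Run against the sample it reports eleven lines and leaves the TrackPoint driver, ctfmon.exe and the Office shortcut alone. The lookalike check is deliberately narrow (edit distance of two or less against a short list of core binaries) so that ordinary vendor names such as tp4serv.exe do not drown the real hits; widen SYSTEM_BINARIES rather than the threshold if you adapt it.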
  2. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    --------------------------------------------------------------------
    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • ...
    --------------------------------------------------------------------

    Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
     
  3. nicky0520

    nicky0520 Thread Starter

    ComboFix 07-11-19.4C - ngriffin 11/28/2007 13:02:43.2 - FAT32x86
    Running from: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CDUJWHYR\ComboFix[1].exe
    .

    ((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-28 )))))))))))))))))))))))))))))))
    .

    2007-11-28 13:02 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_3a0.dat
    2007-11-28 12:49 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_520.dat
    2007-11-27 15:08 <DIR> d-------- C:\Program Files\Trend Micro
    2007-11-26 17:37 <DIR> d-------- C:\FOUND.006
    2007-11-26 15:34 222,720 --a------ C:\WINNT\system32\PowerVideo.dll
    2007-11-19 09:54 <DIR> d-------- C:\FOUND.005
    2007-11-16 14:41 22,396 --a------ C:\Documents and Settings\Administrator\Application Data\info.dat
    2007-11-15 15:42 <DIR> d-------- C:\Program Files\Symantec
    2007-11-15 15:42 <DIR> d-------- C:\Program Files\Norton AntiVirus
    2007-11-15 15:42 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
    2007-11-15 15:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
    2007-11-15 15:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
    2007-11-14 20:48 <DIR> d-------- C:\Program Files\SpywareBot
    2007-11-14 20:48 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SpywareBot
    2007-11-14 19:29 150,584 --a------ C:\Documents and Settings\Administrator\Application Data\spyguard.exe
    2007-11-14 17:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ultra

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-08-08 13:18 66,458 ----a-w C:\Program Files\INSTALL.LOG
    2002-11-05 14:08 16,808 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
    2002-05-11 22:22 271 ---h--w C:\Program Files\desktop.ini
    2002-05-11 22:22 21,952 ---h--w C:\Program Files\folder.htt
    2001-05-08 17:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
    .

    ((((((((((((((((((((((((((((( [email protected] 2007-11-28_12.09.02.16 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2007-03-13 15:57:12 163,328 ----a-w C:\WINNT\erdnt\subs\F3M\ERDNT.EXE
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{000004CC-E4FF-4F2C-BC30-DBEF0B983BC9}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{065B1210-E57F-41AD-90C5-F70D63388640}]
    11/26/07 03:34p 222720 --a------ C:\WINNT\system32\PowerVideo.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{34E6F97C-34E0-4CE5-B92B-F83634BEDC01}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="ctfmon.exe" [02/20/01 01:09p C:\WINNT\system32\CTFMON.EXE]
    "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [12/05/02 05:24p]
    "Download"="C:\Documents and Settings\ngriffin\Local Settings\Temp\HC4\SSGet.exe" [10/30/06 12:02p]
    "PestTrap"="C:\Program Files\PestTrap\PestTrap.exe" []

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TrackPointSrv"="tp4serv.exe" [01/18/02 03:04a C:\WINNT\system32\tp4serv.exe]
    "ATIModeChange"="Ati2mdxx.exe" [09/04/01 04:24p C:\WINNT\system32\Ati2mdxx.exe]
    "AtiPTA"="atiptaxx.exe" [01/19/02 12:04a C:\WINNT\system32\atiptaxx.exe]
    "AGRSMMSG"="AGRSMMSG.exe" [01/15/02 01:03p C:\WINNT\AGRSMMSG.exe]
    "tourpath"="regedit /s c:\winnt\tour.reg" []
    "Synchronization Manager"="mobsync.exe" [05/08/01 12:00p C:\WINNT\system32\mobsync.exe]
    "PRPCMonitor"="PRPCUI.exe" [11/28/01 02:20p C:\WINNT\system32\prpcui.exe]
    "TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [01/28/02 01:04p]
    "TP4EX"="tp4ex.exe" [01/10/02 01:03a C:\WINNT\system32\TP4EX.exe]
    "QCTRAY"="C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe" [01/25/02 02:00a]
    "TPTRAY"="C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE" [02/20/02 01:23a]
    "BMMGAG"="RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" []
    "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [07/16/03 10:02p]
    "tgcmd"="C:\Program Files\Support.com\BellSouth\hcenter.exe" []
    "PaperPort PTD"="c:\progra~1\scansoft\paperp~1\pptd40nt.exe" [04/02/01 09:40a]
    "SetDefPrt"="C:\Program Files\Brother\BRMFLPRO\SetDefPrt.exe" [05/08/01 03:22p]
    "MRT"="C:\WINNT\system32\MRT.exe" [06/28/07 12:57a]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/07 04:00a]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [05/08/01 12:00p]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
    msn_0711_upd072301.exe [2007-11-12 12:02:46]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll

    R0 NaiFsRec;NaiFsRec;C:\WINNT\system32\drivers\NaiFsRec.sys
    R1 IBMTPCHK;IBMTPCHK;C:\WINNT\system32\drivers\IBMBLDID.SYS
    R1 TPPWR;TPPWR;C:\WINNT\system32\drivers\Tppwr.sys
    R2 AvSynMgr;AVSync Manager;"C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe"
    R2 BrSerial;Brother Serial Driver;\??\C:\WINNT\system32\drivers\BrSerial.sys
    R2 PMEMNT.SYS;PMEMNT.SYS;\??\C:\WINNT\System32\drivers\PMEMNT.SYS
    R2 PRPC;PRPC;C:\WINNT\system32\drivers\PRPC.sys
    R3 NaiFiltr;NaiFiltr;\??\C:\Program Files\Common Files\Network Associates\McShield\NaiFiltr.sys
    R3 Tp4Track;IBM PS/2 TrackPoint Driver;C:\WINNT\system32\DRIVERS\tp4track.sys
    S3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINNT\system32\DRIVERS\ipsecw2k.sys
    S3 SMALUSB;Digital Camera Driver;C:\WINNT\system32\DRIVERS\smalidt.sys

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-28 17:29:22 C:\WINNT\Tasks\BMMTask.job"
    - C:\PROGRA~1\ThinkPad\UTILIT~1\Bmmtask.exe
    "2007-11-15 01:54:02 C:\WINNT\Tasks\SpywareBot Scheduled Scan.job"
    - C:\PROGRA~1\SPYWAR~1\SpywareBot.ex
    - C:\PROGRA~1\SPYWAR~1
    "2007-11-15 20:48:14 C:\WINNT\Tasks\Symantec NetDetect.job"
    - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    .
    **************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-28 13:03:51
    Windows 5.0.2195 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 11/28/2007 13:04:16
    C:\ComboFix2.txt ... 11/28/07 12:10p
    .
    --- E O F ---


    So, what should my next step be? I can now access my control panel. Thanks so much!

    But I am still receiving a pop-up stating trojan.zlob-x.a has been detected....
     
  4. nicky0520

    nicky0520 Thread Starter

    Okay, so I didn't realize my husband tried to run the program before I did. Not sure if it makes a difference, but here is the original log.

    ComboFix 07-11-19.4C - ngriffin 11/28/2007 12:03:37.1 - FAT32x86
    Microsoft Windows 2000 Professional 5.0.2195.3.1252.1.1033.18.81 [GMT -5:00]
    Running from: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GH6JGPEJ\ComboFix[1].exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Administrator\Application Data\install.dat
    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\findfast.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
    C:\Program Files\PestTrap
    C:\Program Files\PestTrap\base.avd
    C:\Program Files\PestTrap\base001.avd
    C:\Program Files\PestTrap\base002.avd
    C:\Program Files\PestTrap\found.wav
    C:\Program Files\PestTrap\notfound.wav
    C:\Program Files\PestTrap\PestTrap.dvm
    C:\Program Files\PestTrap\PestTrap.exe
    C:\Program Files\PestTrap\removed.wav
    C:\Program Files\PestTrap\Uninstall.exe
    C:\Program Files\Ultimate Cleaner
    C:\Program Files\video activex access
    C:\Program Files\video activex access\ot.ico
    C:\Program Files\video activex access\ts.ico
    C:\Program Files\VirusProtectPro 3.5
    C:\Program Files\VirusProtectPro 3.5\VirusProtectPro 3.5.exe
    C:\WINNT\dat.txt
    C:\WINNT\privacy_danger
    C:\WINNT\privacy_danger\images\capt.gif
    C:\WINNT\privacy_danger\images\danger.jpg
    C:\WINNT\privacy_danger\images\down.gif
    C:\WINNT\privacy_danger\images\spacer.gif
    C:\WINNT\privacy_danger\index.htm
    C:\WINNT\rs.txt
    C:\WINNT\shell.exe
    C:\WINNT\sounddrv.dll
    C:\WINNT\system32\kdyeu.exe
    C:\WINNT\system32\printer.exe
    C:\WINNT\system32\spoolvs.exe
    C:\WINNT\system32\xlibgfl254.dll
    C:\winstall.exe

    .
    ((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-28 )))))))))))))))))))))))))))))))
    .

    2007-11-27 15:08 <DIR> d-------- C:\Program Files\Trend Micro
    2007-11-16 14:41 22,396 --a------ C:\Documents and Settings\Administrator\Application Data\info.dat
    2007-11-15 15:42 <DIR> d-------- C:\Program Files\Symantec
    2007-11-15 15:42 <DIR> d-------- C:\Program Files\Norton AntiVirus
    2007-11-15 15:42 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
    2007-11-15 15:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
    2007-11-15 15:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
    2007-11-14 21:05 <DIR> d-------- C:\Program Files\Lavasoft
    2007-11-14 21:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2007-11-14 21:04 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-11-14 20:48 <DIR> d-------- C:\Program Files\SpywareBot
    2007-11-14 20:48 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SpywareBot
    2007-11-14 19:29 150,584 --a------ C:\Documents and Settings\Administrator\Application Data\spyguard.exe
    2007-11-14 17:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ultra

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-26 20:34 222,720 ----a-w C:\WINNT\system32\PowerVideo.dll
    2007-08-08 13:18 66,458 ----a-w C:\Program Files\INSTALL.LOG
    2002-11-05 14:08 16,808 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
    2002-05-11 22:22 271 ---h--w C:\Program Files\desktop.ini
    2002-05-11 22:22 21,952 ---h--w C:\Program Files\folder.htt
    2001-05-08 17:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{000004CC-E4FF-4F2C-BC30-DBEF0B983BC9}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{065B1210-E57F-41AD-90C5-F70D63388640}]
    07-11-26 15:34 222720 --a------ C:\WINNT\system32\PowerVideo.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{34E6F97C-34E0-4CE5-B92B-F83634BEDC01}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="ctfmon.exe" [01-02-20 13:09 C:\WINNT\system32\CTFMON.EXE]
    "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [02-12-05 17:24 ]
    "Download"="C:\Documents and Settings\ngriffin\Local Settings\Temp\HC4\SSGet.exe" [06-10-30 12:02 ]
    "SpywareBot"="C:\PROGRA~1\SPYWAR~1\SpywareBot.exe" [07-11-12 16:33 ]
    "PestTrap"="C:\Program Files\PestTrap\PestTrap.exe" []

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TrackPointSrv"="tp4serv.exe" [02-01-18 03:04 C:\WINNT\system32\tp4serv.exe]
    "ATIModeChange"="Ati2mdxx.exe" [01-09-04 16:24 C:\WINNT\system32\Ati2mdxx.exe]
    "AtiPTA"="atiptaxx.exe" [02-01-19 00:04 C:\WINNT\system32\atiptaxx.exe]
    "AGRSMMSG"="AGRSMMSG.exe" [02-01-15 13:03 C:\WINNT\AGRSMMSG.exe]
    "tourpath"="regedit /s c:\winnt\tour.reg" []
    "Synchronization Manager"="mobsync.exe" [01-05-08 12:00 C:\WINNT\system32\mobsync.exe]
    "PRPCMonitor"="PRPCUI.exe" [01-11-28 14:20 C:\WINNT\system32\prpcui.exe]
    "TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [02-01-28 13:04 ]
    "TP4EX"="tp4ex.exe" [02-01-10 01:03 C:\WINNT\system32\TP4EX.exe]
    "QCTRAY"="C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe" [02-01-25 02:00 ]
    "TPTRAY"="C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE" [02-02-20 01:23 ]
    "BMMGAG"="RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" []
    "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [03-07-16 22:02 ]
    "tgcmd"="C:\Program Files\Support.com\BellSouth\hcenter.exe" []
    "PaperPort PTD"="c:\progra~1\scansoft\paperp~1\pptd40nt.exe" [01-04-02 09:40 ]
    "SetDefPrt"="C:\Program Files\Brother\BRMFLPRO\SetDefPrt.exe" [01-05-08 15:22 ]
    "MRT"="C:\WINNT\system32\MRT.exe" [07-06-28 00:57 ]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07-07-12 04:00 ]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [01-05-08 12:00 ]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
    msn_0711_upd072301.exe [2007-11-12 12:02:46]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll

    R0 NaiFsRec;NaiFsRec;C:\WINNT\system32\drivers\NaiFsRec.sys
    R1 IBMTPCHK;IBMTPCHK;C:\WINNT\system32\drivers\IBMBLDID.SYS
    R1 TPPWR;TPPWR;C:\WINNT\system32\drivers\Tppwr.sys
    R2 AvSynMgr;AVSync Manager;"C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe"
    R2 BrSerial;Brother Serial Driver;\??\C:\WINNT\system32\drivers\BrSerial.sys
    R2 PMEMNT.SYS;PMEMNT.SYS;\??\C:\WINNT\System32\drivers\PMEMNT.SYS
    R2 PRPC;PRPC;C:\WINNT\system32\drivers\PRPC.sys
    R3 NaiFiltr;NaiFiltr;\??\C:\Program Files\Common Files\Network Associates\McShield\NaiFiltr.sys
    R3 Tp4Track;IBM PS/2 TrackPoint Driver;C:\WINNT\system32\DRIVERS\tp4track.sys
    S3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINNT\system32\DRIVERS\ipsecw2k.sys
    S3 SMALUSB;Digital Camera Driver;C:\WINNT\system32\DRIVERS\smalidt.sys

    *Newly Created Service* - IPNAT
    *Newly Created Service* - RASAUTO
    *Newly Created Service* - SHAREDACCESS
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-27 21:23:28 C:\WINNT\Tasks\BMMTask.job"
    - C:\PROGRA~1\ThinkPad\UTILIT~1\Bmmtask.exe
    "2007-11-15 01:54:02 C:\WINNT\Tasks\SpywareBot Scheduled Scan.job"
    - C:\PROGRA~1\SPYWAR~1\SpywareBot.ex
    - C:\PROGRA~1\SPYWAR~1
    "2007-11-15 20:48:14 C:\WINNT\Tasks\Symantec NetDetect.job"
    - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    .
    **************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-28 12:08:52
    Windows 5.0.2195 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-28 12:10:13 - machine was rebooted
    .
    --- E O F ---
     
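The ComboFix log above records the files it deleted under "Other Deletions", but the "Reg Loading Points" section that follows still carries references to some of them: the HKCU Run value PestTrap now shows "[]" because C:\Program Files\PestTrap\PestTrap.exe is gone, and xlibgfl254.dll, deleted from system32, is still named in the SecurityProviders value. The script below is an added example written for this page; it is not ComboFix's code and was not posted in the thread. It cross-checks a ComboFix report for exactly that kind of leftover: loading points whose target ComboFix could not find, split into those whose target it deleted in the same run and those that need manual verification, plus any SecurityProviders DLL that is not part of a stock Windows 2000 installation. The sample report is assembled from lines of the log above; the WIN2000_DEFAULT_PROVIDERS set is this example's assumption about the default value.

```python
"""Cross-check a ComboFix report after a cleanup run.  Added example for this
thread, not ComboFix code: the sample lines come from the log in post #4;
WIN2000_DEFAULT_PROVIDERS is this example's assumption about a stock
Windows 2000 SecurityProviders value."""
import re

# Sample input: section banners and a handful of lines copied from post #4.
SAMPLE_REPORT = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\PestTrap\PestTrap.exe
C:\WINNT\system32\spoolvs.exe
C:\WINNT\system32\xlibgfl254.dll
C:\winstall.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [01-02-20 13:09 C:\WINNT\system32\CTFMON.EXE]
"SpywareBot"="C:\PROGRA~1\SPYWAR~1\SpywareBot.exe" [07-11-12 16:33 ]
"PestTrap"="C:\Program Files\PestTrap\PestTrap.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tourpath"="regedit /s c:\winnt\tour.reg" []
"MRT"="C:\WINNT\system32\MRT.exe" [07-06-28 00:57 ]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll
"""

# Assumed stock SecurityProviders value on Windows 2000.
WIN2000_DEFAULT_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

SECTION = re.compile(r"^\({5,}\s*(?P<title>.+?)\s*\){5,}$")
# ComboFix prints a loading point as "name"="command" [timestamp path]; an
# empty [] means it could not locate the target file.
LOADPOINT = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<info>[^\]]*)\]$')
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")

def split_sections(text):
    """Map banner title -> body lines, dropping the '.' spacer lines."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = SECTION.match(line)
        if m:
            current = m.group("title")
            sections[current] = []
        elif current is not None and line and line != ".":
            sections[current].append(line)
    return sections

def first_token(cmd):
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0] if cmd else ""

def audit(report):
    sections = split_sections(report)
    deleted = {p.lower() for p in sections.get("Other Deletions", []) if DRIVE_PATH.match(p)}
    deleted_names = {p.rsplit("\\", 1)[-1] for p in deleted}
    result = {"dangling": [], "unlocated": [], "extra_providers": [], "dangling_providers": []}
    for line in sections.get("Reg Loading Points", []):
        m = LOADPOINT.match(line)
        if m:
            if m.group("info").strip():
                continue  # ComboFix found the file and printed its timestamp
            cmd = m.group("cmd")
            # Unquoted paths with spaces are printed as-is, so try the whole
            # value as well as its first token.
            if {cmd.lower(), first_token(cmd).lower()} & deleted:
                result["dangling"].append(m.group("name"))
            else:
                result["unlocated"].append(m.group("name"))
        elif line.lower().startswith("securityproviders"):
            for dll in (d.strip().lower() for d in line.split(None, 1)[1].split(",")):
                if dll not in WIN2000_DEFAULT_PROVIDERS:
                    result["extra_providers"].append(dll)
                    if dll in deleted_names:
                        result["dangling_providers"].append(dll)
    return result

if __name__ == "__main__":
    for kind, names in audit(SAMPLE_REPORT).items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

On the sample this reports PestTrap as a dangling Run value, tourpath as a value whose target ComboFix could not resolve (its command starts with regedit rather than a path, so it needs a manual look), and xlibgfl254.dll as a non-default SecurityProviders entry whose file was deleted in the same run. A stale Run value only produces a "file not found" error at logon; a stale SecurityProviders entry is worth removing promptly, because the DLLs named there are loaded by the Windows security subsystem at startup, so the path stays a place where anything written back would be loaded with those processes' privileges.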
  5. Cheeseball81

    Cheeseball81 Retired Moderator

    1. Please download The Avenger by Swandog46 to your Desktop.
    • Click on Avenger.zip to open the file
    • Extract avenger.exe to your desktop

    2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


    3. Now, start The Avenger program by clicking on its icon on your desktop.
    • Under "Script file to execute" choose "Input Script Manually".
    • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    • Click Done
    • Now click on the Green Light to begin execution of the script
    • Answer "Yes" twice when prompted.
    4. The Avenger will automatically do the following:
    • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop, this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
    5. Please copy/paste the content of c:\avenger.txt into your reply.

    6. Post a new Hijack This log.
     
  6. nicky0520

    nicky0520 Thread Starter

    When I click on the Avenger file, I am asked how I want to open it. I am not sure.

    Can you please tell me what to select?
     
  7. Cheeseball81

    Cheeseball81 Retired Moderator

    When you open the exe?
     
  8. nicky0520

    nicky0520 Thread Starter

    I am clicking on avenger and I get a box that asks how do I want to open the file.

    I believe when I try to open it on my desktop it is as a .zip file. It saves as a WordPad document...

    Do you think the file should be resent?

    I am not sure what to do. Right now I have a WordPad file on my desktop with a jumbled-up code in it.
     
  9. Cheeseball81

    Cheeseball81 Retired Moderator

  10. nicky0520

    nicky0520 Thread Starter

    I believe this is the correct info that you requested...


    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\eynwgecm

    *******************

    Script file located at: \??\C:\WINNT\jqrnhkax.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at a:\Avenger

    *******************

    Beginning to process script file:



    Could not open file C:\WINNT\system32\PowerVideo.dll for deletion
    Deletion of file C:\WINNT\system32\PowerVideo.dll failed!

    Could not process line:
    C:\WINNT\system32\PowerVideo.dll
    Status: 0xc0000043

    Could not create backups directory to delete file C:\Documents and Settings\Administrator\Application Data\spyguard.exe
    Deletion of file C:\Documents and Settings\Administrator\Application Data\spyguard.exe failed!

    Could not process line:
    C:\Documents and Settings\Administrator\Application Data\spyguard.exe
    Status: 0xc0000043

    Could not create backups directory to delete folder C:\Program Files\SpywareBot
    Deletion of folder C:\Program Files\SpywareBot failed!

    Could not process line:
    C:\Program Files\SpywareBot
    Status: 0xc0000043

    Could not create backups directory to delete folder C:\Documents and Settings\Administrator\Application Data\SpywareBot
    Deletion of folder C:\Documents and Settings\Administrator\Application Data\SpywareBot failed!

    Could not process line:
    C:\Documents and Settings\Administrator\Application Data\SpywareBot
    Status: 0xc0000043


    Completed script processing.

    *******************

    Finished! Terminate.


    Did I post the right info?? Are there any more steps???
     
  11. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    You did well. Now post a new Hijack This log.
     
  12. nicky0520

    nicky0520 Thread Starter

    Joined:
    Nov 27, 2007
    Messages:
    24
    I think I may have deleted HijackThis when my control panel was restored because I thought it was a file related to the virus.

    Is there a way to get it back? Is there something else I can do?
     
  13. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Go here and download the 'Hijack This!' self installer.
    Save it to the desktop or other suitable place. DO NOT just press run from the website.
    Double click on the file and it will install to C:\program files\hijackthis and create an entry in the start menu.
    Click on the entry in start menu to run HijackThis
    Click the "Scan" button, when the scan is finished the scan button will become "Save Log" click that and save the log.
    Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.
    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
    so do NOT fix anything yet.
     
  14. nicky0520

    nicky0520 Thread Starter

    Joined:
    Nov 27, 2007
    Messages:
    24
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:05:22 PM, on 12/3/2007
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\ibmpmsvc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINNT\System32\QCONSVC.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\Avconsol.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\tp4serv.exe
    C:\WINNT\system32\atiptaxx.exe
    C:\WINNT\AGRSMMSG.exe
    C:\WINNT\system32\PRPCUI.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    C:\WINNT\system32\RunDll32.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\progra~1\scansoft\paperp~1\pptd40nt.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: (no name) - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - (no file)
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {34E6F97C-34E0-4CE5-B92B-F83634BEDC01} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [QCTRAY] C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
    O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
    O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\BRMFLPRO\SetDefPrt.exe
    O4 - HKLM\..\Run: [MRT] "C:\WINNT\system32\MRT.exe" /R
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Download] "C:\Documents and Settings\ngriffin\Local Settings\Temp\HC4\SSGet.exe" 120 "" ""
    O4 - HKCU\..\Run: [PestTrap] C:\Program Files\PestTrap\PestTrap.exe
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://dload.ipbill.com/del/loader.cab
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
    O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
    O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    O23 - Service: QCONSVC - Unknown owner - C:\WINNT\System32\QCONSVC.EXE

    --
    End of file - 6902 bytes

    Will this get rid of the last virus on my PC?
     
  15. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Rescan with Hijack This.
    Close all browser windows except Hijack This.
    Put a check mark beside these entries and click "Fix Checked".

    O2 - BHO: (no name) - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - (no file)

    O2 - BHO: (no name) - {34E6F97C-34E0-4CE5-B92B-F83634BEDC01} - (no file)

    O4 - HKCU\..\Run: [Download] "C:\Documents and Settings\ngriffin\Local Settings\Temp\HC4\SSGet.exe" 120 "" ""

    O4 - HKCU\..\Run: [PestTrap] C:\Program Files\PestTrap\PestTrap.exe


    Reboot, post a new log.
     
Short URL to this thread: https://techguy.org/656561