
Spyware, Adware, Virus...PLEASE HELP!

Discussion in 'Virus & Other Malware Removal' started by itrocks4u, Nov 8, 2007.

  1. itrocks4u

    itrocks4u Thread Starter

    Joined:
    Nov 27, 2004
    Messages:
    225
    I know for sure my computer is messed up. As usual, my IE homepage is hacked, I get a number of random popups continuously. NO activity and I'm still getting 20 popups. And worst of all, there is this yellow triangle with exclamation mark which keeps on blinking and telling me about a number of popups I have. I've attached my HJT log file. please help.
    I'll really appreciate it...

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:49:00 AM, on 08/11/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\System32\Ati2evxx.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\LEXBCES.EXE
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\system32\LEXPPS.EXE
    D:\WINDOWS\System32\CTsvcCDA.exe
    D:\Program Files\Symantec AntiVirus\DefWatch.exe
    D:\WINDOWS\System32\ainmuqdw.exe
    D:\Program Files\ewido anti-malware\ewidoctrl.exe
    D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Symantec AntiVirus\Rtvscan.exe
    D:\WINDOWS\system32\ZoneLabs\vsmon.exe
    D:\WINDOWS\system32\Ati2evxx.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe
    D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    D:\Program Files\Athan\Athan.exe
    D:\Program Files\MSN Messenger\msnmsgr.exe
    D:\Program Files\3M\PSNLite\PsnLite.exe
    D:\Program Files\WinZip\WZQKPICK.EXE
    D:\WINDOWS\System32\wuauclt.exe
    D:\PROGRA~1\3M\PSNLite\PSNGive.exe
    D:\Program Files\Internet Explorer\IEXPLORE.EXE
    D:\Documents and Settings\Ours\Desktop\Salman\hijackthis1.99\New Folder\HijackThis.exe
    D:\WINDOWS\system32\NOTEPAD.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (D:\Documents and Settings\OURS\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (D:\Documents and Settings\OURS\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar4.dll
    O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - D:\WINDOWS\System32\rhpmylmb.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "D:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe" /tray
    O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Lexmark 2200 Series] "D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
    O4 - HKLM\..\Run: [FaxCenterServer] "D:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\bak\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CloudPlugin] "D:\Program Files\IMT Labs Messenger Plugin\Cloud.exe"
    O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [DataLayer] D:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
    O4 - HKLM\..\Run: [SsAAD.exe] D:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Google Desktop Search] "D:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Athan] D:\Program Files\Athan\Athan.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
    O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Creative Detector] "D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Post-it® Software Notes Lite.lnk = D:\Program Files\3M\PSNLite\PsnLite.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Download with Download Accelerator Lite - D:\Program Files\Download Accelerator Lite\dal.htm
    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://beowulf.schulich.yorku.ca/dwa7W.cab
    O20 - AppInit_DLLs: D:\PROGRA~1\Google\GO333C~1\GOEC62~1.DLL
    O23 - Service: Adobe LM Service - Unknown owner - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - D:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - D:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: DomainService - - D:\WINDOWS\System32\ainmuqdw.exe
    O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: GoogleDesktopManager - Google - D:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
    O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: MSCSPTISRV - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: PACSPTISVR - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - D:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 7757 bytes
     
  2. itrocks4u

    itrocks4u Thread Starter

    Joined:
    Nov 27, 2004
    Messages:
    225
    when will I get a reply? :(
     
  3. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,192
    You are dealing with several infections here and it has probably eaten your anti-virus program since it's not working properly.

    I wonder why you never installed SP2? This is one reason your computer was wide open for exploits. Do NOT install it now as doing so on an infected computer will cause serious problems. But do so after the cleanup is complete.


    Download ComboFix and save it to your desktop.

    **Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

    1. Close any open browsers.

    2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

    **Note: Do not mouseclick comboFix's window while it's running. That may cause it to stall**
     
  4. itrocks4u

    itrocks4u Thread Starter

    Joined:
    Nov 27, 2004
    Messages:
    225
    Hey, Thank you SO much for your reply. You have no idea how long I've been waiting for it. I'm glad I finally received it! Ok so while I was waiting for your reply, I did run a number of things on the computer, including Spybot, CounterSpy, Bitdefender online scanner. I tried running Panda ActiveScan after that but it did not work.

    I did as you said. I've attached the Combofix log and posted the HJT log. Even though I ran a number of programs, I'm still getting a lot of popups. To be more specific, there is still a security toolbar, and a few icons on desktop including Live Safety Centre and Online Security Guide. In addition to all that, there is still the yellow triangle with exclamation mark in my system tray which keeps on blinking and giving these notifications that I have almost all the trojans and viruses on my computer.

    Anyways, please do let me know what's next.
     


  5. itrocks4u

    itrocks4u Thread Starter

    Joined:
    Nov 27, 2004
    Messages:
    225
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:42:03 AM, on 11/11/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\System32\Ati2evxx.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\LEXBCES.EXE
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\system32\LEXPPS.EXE
    D:\WINDOWS\system32\Ati2evxx.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\System32\CTsvcCDA.exe
    D:\Program Files\Symantec AntiVirus\DefWatch.exe
    D:\Program Files\ewido anti-malware\ewidoctrl.exe
    D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Symantec AntiVirus\Rtvscan.exe
    D:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe
    D:\Program Files\Athan\Athan.exe
    D:\Program Files\MSN Messenger\msnmsgr.exe
    D:\Program Files\3M\PSNLite\PsnLite.exe
    D:\Program Files\WinZip\WZQKPICK.EXE
    D:\PROGRA~1\3M\PSNLite\PSNGive.exe
    D:\WINDOWS\System32\wuauclt.exe
    D:\Program Files\Internet Explorer\IEXPLORE.EXE
    D:\WINDOWS\system32\NOTEPAD.EXE
    D:\Documents and Settings\Ours\Desktop\Salman\hijackthis1.99\New Folder\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (D:\Documents and Settings\OURS\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (D:\Documents and Settings\OURS\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
    O2 - BHO: {9f912eeb-a7b4-10bb-1f64-c5a4ace1b410} - {014b1eca-4a5c-46f1-bb01-4b7abee219f9} - D:\WINDOWS\System32\psegthts.dll
    O2 - BHO: (no name) - {183807B8-BC07-48A2-8DAD-ABC96FA6C7A8} - D:\WINDOWS\system32\yayaaya.dll (file missing)
    O2 - BHO: SysApp - {4AE2A9A0-DC33-4C27-B521-5B6C68C1C53D} - D:\Program Files\ApplePie\ie-improver.dll
    O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - D:\WINDOWS\system32\rhpmylmb.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar4.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar4.dll
    O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - D:\WINDOWS\system32\rhpmylmb.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "D:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe" /tray
    O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Lexmark 2200 Series] "D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
    O4 - HKLM\..\Run: [FaxCenterServer] "D:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\bak\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CloudPlugin] "D:\Program Files\IMT Labs Messenger Plugin\Cloud.exe"
    O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [DataLayer] D:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
    O4 - HKLM\..\Run: [SsAAD.exe] D:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Athan] D:\Program Files\Athan\Athan.exe
    O4 - HKLM\..\Run: [SBCSTray] D:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
    O4 - HKLM\..\Run: [b88fa9cc] rundll32.exe "D:\WINDOWS\System32\dbuwusdp.dll",b
    O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
    O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Creative Detector] "D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Post-it® Software Notes Lite.lnk = D:\Program Files\3M\PSNLite\PsnLite.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Download with Download Accelerator Lite - D:\Program Files\Download Accelerator Lite\dal.htm
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://beowulf.schulich.yorku.ca/dwa7W.cab
    O20 - Winlogon Notify: rhpmylmb - D:\WINDOWS\SYSTEM32\rhpmylmb.dll
    O20 - Winlogon Notify: yayaaya - yayaaya.dll (file missing)
    O23 - Service: Adobe LM Service - Unknown owner - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - D:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - D:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: MSCSPTISRV - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: PACSPTISVR - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - D:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - D:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 8765 bytes
     
  6. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,192
    Open Notepad and copy and paste the text in the quote box below into it:

    Save the file to your desktop and name it CFScript.txt

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

    (screenshot: CFScript.txt being dragged onto ComboFix.exe)

    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.


    File::
    D:\WINDOWS\system32\psegthts.dll
    D:\WINDOWS\system32\dbuwusdp.dll
    D:\WINDOWS\system32\nyadgmmc.exe
    D:\WINDOWS\system32\vrbrwfla.dll
    D:\WINDOWS\system32\futgidlx.dll
    D:\WINDOWS\system32\wvsuitjv.dll
    D:\WINDOWS\system32\rhpmylmb.dll
    D:\WINDOWS\system32\avoiyjhg.dll
    D:\WINDOWS\system32\yayaaya.dll

    Folder::
    D:\Program Files\ApplePie

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{014b1eca-4a5c-46f1-bb01-4b7abee219f9}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{183807B8-BC07-48A2-8DAD-ABC96FA6C7A8}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4AE2A9A0-DC33-4C27-B521-5B6C68C1C53D}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
    [-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
    [-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "b88fa9cc"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{183807B8-BC07-48A2-8DAD-ABC96FA6C7A8}"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rhpmylmb]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayaaya]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
     
  7. itrocks4u

    itrocks4u Thread Starter

    Joined:
    Nov 27, 2004
    Messages:
    225
    Did as you said...

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:43:34 AM, on 12/11/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\System32\Ati2evxx.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\LEXBCES.EXE
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\system32\LEXPPS.EXE
    D:\WINDOWS\system32\Ati2evxx.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\System32\CTsvcCDA.exe
    D:\Program Files\Symantec AntiVirus\DefWatch.exe
    D:\Program Files\ewido anti-malware\ewidoctrl.exe
    D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Symantec AntiVirus\Rtvscan.exe
    D:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe
    D:\Program Files\Athan\Athan.exe
    D:\Program Files\MSN Messenger\msnmsgr.exe
    D:\Program Files\3M\PSNLite\PsnLite.exe
    D:\Program Files\WinZip\WZQKPICK.EXE
    D:\PROGRA~1\3M\PSNLite\PSNGive.exe
    D:\WINDOWS\System32\wuauclt.exe
    D:\Program Files\Internet Explorer\IEXPLORE.EXE
    D:\Documents and Settings\Ours\Desktop\Salman\hijackthis1.99\New Folder\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (D:\Documents and Settings\OURS\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (D:\Documents and Settings\OURS\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
    O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - D:\WINDOWS\system32\rhpmylmb.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar4.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar4.dll
    O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - D:\WINDOWS\system32\rhpmylmb.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "D:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe" /tray
    O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Lexmark 2200 Series] "D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
    O4 - HKLM\..\Run: [FaxCenterServer] "D:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\bak\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CloudPlugin] "D:\Program Files\IMT Labs Messenger Plugin\Cloud.exe"
    O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [DataLayer] D:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
    O4 - HKLM\..\Run: [SsAAD.exe] D:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Athan] D:\Program Files\Athan\Athan.exe
    O4 - HKLM\..\Run: [SBCSTray] D:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
    O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Creative Detector] "D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Post-it® Software Notes Lite.lnk = D:\Program Files\3M\PSNLite\PsnLite.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Download with Download Accelerator Lite - D:\Program Files\Download Accelerator Lite\dal.htm
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://beowulf.schulich.yorku.ca/dwa7W.cab
    O20 - Winlogon Notify: rhpmylmb - D:\WINDOWS\SYSTEM32\rhpmylmb.dll
    O23 - Service: Adobe LM Service - Unknown owner - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - D:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - D:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: MSCSPTISRV - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: PACSPTISVR - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - D:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - D:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 8252 bytes
     


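The log above and the one in post 5 are a before/after pair around the CFScript run, and reading them side by side is how the specialist sees that the CFScript removed psegthts.dll, dbuwusdp.dll, the yayaaya stubs and the vendorless DomainService, while the rhpmylmb.dll BHO, "Security Toolbar" and Winlogon Notify hook survived. The Python script below is an added example written for this page; it is not part of the thread and not a HijackThis or ComboFix feature. It parses the `Oxx - ...` lines of an HJT log, flags the load points acted on in this thread (lowercase random-looking 7-8 letter binaries in System32, "(file missing)" stubs, O20 hooks, O23 services with an empty vendor field, and Run entries that start a program from a `\bak\` folder, which is the file-swap pattern the last post in the thread names), and diffs two logs to list what a cleanup pass removed and what is still flagged afterwards. The sample logs are constructed excerpts assembled from lines in the logs posted here, not complete copies, and the name-length heuristic is an assumption tuned to this thread's droppers; on other machines it will produce false positives and every flag should be checked against a hash lookup or vendor signature before anything is deleted.

```python
"""Triage and diff HijackThis (HJT) logs.

Added example for this thread, not part of the original posts and not a
HijackThis or ComboFix feature.  Flags the load points the specialist acted on
(random-looking lowercase names in System32, "(file missing)" stubs, O20 hooks,
O23 services with an empty vendor field, Run entries pointing into a bak
folder) and diffs a before/after pair of logs to show what a cleanup left behind.
"""
import re
from dataclasses import dataclass

LINE_RE = re.compile(r"^(?P<section>[RNOF]\d+)\s+-\s+(?P<body>.*)$")
# First Windows path ending in .exe/.dll; HJT does not quote paths consistently.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll)\b', re.IGNORECASE)
# Heuristic, assumed for this thread: its droppers all used lowercase 7-8 letter names.
RANDOM_NAME_RE = re.compile(r"^[a-z]{7,8}\.(?:dll|exe)$")

@dataclass(frozen=True)
class Entry:
    section: str  # "O2", "O4", "O20", "O23", ...
    body: str     # everything after "Oxx - "
    path: str     # first binary path in the body, or "" if none

def parse_log(text: str) -> list[Entry]:
    """Parse the 'Oxx - ...' lines of an HJT log; header and process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            p = PATH_RE.search(m.group("body"))
            entries.append(Entry(m.group("section"), m.group("body"), p.group(0) if p else ""))
    return entries

def flags_for(e: Entry) -> list[str]:
    """Reasons an entry deserves a look; an empty list means nothing stood out."""
    reasons = []
    name = e.path.rsplit("\\", 1)[-1]
    if "\\system32\\" in e.path.lower() and RANDOM_NAME_RE.match(name):
        reasons.append("random-looking name in System32")
    if "(file missing)" in e.body:
        reasons.append("orphaned load point (file missing)")
    if e.section == "O20":
        reasons.append("O20 hook is loaded by winlogon or every process; verify the DLL")
    if e.section == "O23" and " - - " in e.body:
        reasons.append("service with empty vendor field")
    if "\\bak\\" in e.path.lower():
        reasons.append("runs from a \\bak\\ folder (file-swap pattern)")
    return reasons

def triage(text: str) -> dict[str, list[str]]:
    """Flagged entry body -> reasons."""
    return {e.body: r for e in parse_log(text) if (r := flags_for(e))}

def diff_logs(before: str, after: str) -> dict[str, set[str]]:
    """Entry bodies removed, added, and persisting between two logs."""
    b = {e.body for e in parse_log(before)}
    a = {e.body for e in parse_log(after)}
    return {"removed": b - a, "added": a - b, "persisting": a & b}

def surviving_threats(before: str, after: str) -> list[str]:
    """Flagged entries still present after a cleanup pass: the work that is left."""
    still_flagged = triage(after)
    return sorted(b for b in diff_logs(before, after)["persisting"] if b in still_flagged)

# Constructed excerpts assembled from lines in the logs posted in this thread.
BEFORE_LOG = r"""
O2 - BHO: {9f912eeb-a7b4-10bb-1f64-c5a4ace1b410} - {014b1eca-4a5c-46f1-bb01-4b7abee219f9} - D:\WINDOWS\System32\psegthts.dll
O2 - BHO: (no name) - {183807B8-BC07-48A2-8DAD-ABC96FA6C7A8} - D:\WINDOWS\system32\yayaaya.dll (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - D:\WINDOWS\system32\rhpmylmb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar4.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - D:\WINDOWS\system32\rhpmylmb.dll
O4 - HKLM\..\Run: [SoundMAX] "D:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe" /tray
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [b88fa9cc] rundll32.exe "D:\WINDOWS\System32\dbuwusdp.dll",b
O20 - Winlogon Notify: rhpmylmb - D:\WINDOWS\SYSTEM32\rhpmylmb.dll
O20 - Winlogon Notify: yayaaya - yayaaya.dll (file missing)
O23 - Service: DomainService - - D:\WINDOWS\System32\ainmuqdw.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""
AFTER_LOG = r"""
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - D:\WINDOWS\system32\rhpmylmb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar4.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - D:\WINDOWS\system32\rhpmylmb.dll
O4 - HKLM\..\Run: [SoundMAX] "D:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe" /tray
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O20 - Winlogon Notify: rhpmylmb - D:\WINDOWS\SYSTEM32\rhpmylmb.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

if __name__ == "__main__":
    for body, why in triage(BEFORE_LOG).items():
        print(f"[!] {body}\n    {'; '.join(why)}")
    print("\nStill present after the cleanup pass:")
    for body in surviving_threats(BEFORE_LOG, AFTER_LOG):
        print("   ", body)
```

Run it as-is to see the report; on a real case, paste the full text of two logs into `BEFORE_LOG` and `AFTER_LOG`. The diff is keyed on the whole entry text, so an entry whose path changed between logs shows up as removed plus added, which is itself worth a look. The `\bak\` check only matches what is visible in a log; confirming that the original binary in the bak folder is the clean copy still needs a hash or signature check of both files, which is what the FindAWF step at the end of the thread is for.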
  8. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,192
    Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

    Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
    • In the Processes group click ALL
    • In the Win32 Services group click ALL
    • In the Driver Services group click ALL
    • In the Registry group click ALL
    • In the Files Created Within group click 60 days. Make sure Non-Microsoft only is UNCHECKED.
    • In the Files Modified Within group select 30 days. Make sure Non-Microsoft only is UNCHECKED.
    • In the File String Search group click SELECT ALL
    • In the Additional Scans section please press SELECT ALL
    • Now click the Run Scan button on the toolbar.
    • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
    • When the scan is complete Notepad will open with the report file loaded in it.
    • Save that notepad file but click on the "Format" menu and make sure that "word wrap" is not checked. If it is then click on it to uncheck it.
    Please post the resulting log here as an attachment.
     
  9. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,192
    Then let's address the other infection before doing a WinPFind3u log.

    You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the directions below to run FindAWF so we can identify the files that have been infected and the backups and then restore them.

    Download FindAWF.exe from here or here and save it to your desktop.
    • Double-click on the FindAWF.exe file to run it.
    • It will open a command prompt and ask you to "Press any key to continue".
    • You will be presented with the following Menu.
      1. Press 1 then Enter to scan for bak folders
      2. Press 2 then Enter to restore files from bak folders
      3. Press 3 then Enter to remove bak folders
      4. Press 4 then Enter to reset domain zones
      5. Press E then Enter to EXIT
    • Select option 1, then press Enter
    • It may take a few minutes to complete so be patient.
    • When it is complete, it will open a text file in Notepad called AWF.txt.
    • Please copy and paste the contents of the AWF.txt file in your next reply.
     
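The file-swap pattern described in the post above (original executable moved into a `bak` folder, a different file left in its place) can be detected and undone with a short script. The following is an added example, not FindAWF and not part of this thread; it builds a constructed directory layout mimicking the AWF listing that appears later in the thread, reports every `bak` copy whose parent slot is missing or holds different content, and restores the original while moving the replacement into a quarantine folder for analysis. Folder names and byte strings are assumptions.

```python
"""Detect and undo the 'bak folder' file-replacement pattern (added example)."""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional


@dataclass
class BakPair:
    """One executable found inside a folder literally named 'bak'."""
    backup: Path                  # the copy inside ...\bak\
    replacement: Optional[Path]   # same-named file one level up, if present
    identical: Optional[bool]     # True when both copies hash the same


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_bak_pairs(root: Path) -> List[BakPair]:
    """For every *.exe inside a 'bak' folder, look one level up for a file of
    the same name (the slot the original used to occupy)."""
    pairs: List[BakPair] = []
    for dirpath, _dirs, files in os.walk(root):
        here = Path(dirpath)
        if here.name.lower() != "bak":
            continue
        for name in sorted(files):
            if not name.lower().endswith(".exe"):
                continue
            backup, sibling = here / name, here.parent / name
            if sibling.is_file():
                same = sha256_of(backup) == sha256_of(sibling)
                pairs.append(BakPair(backup, sibling, same))
            else:
                pairs.append(BakPair(backup, None, None))
    return pairs


def suspicious(pairs: List[BakPair]) -> List[BakPair]:
    """Matches the pattern: parent file differs from the bak copy, or nothing
    is left in the parent (a Run key then points straight into bak, as with
    Smax4.exe in the logs). Identical copies are just ordinary backups."""
    return [p for p in pairs if p.identical is not True]


def restore_from_bak(pair: BakPair, quarantine: Path) -> Path:
    """Put the bak copy back in its original slot. The replacement, if any,
    goes to quarantine rather than being deleted. Returns the restored path."""
    quarantine.mkdir(parents=True, exist_ok=True)
    target = pair.backup.parent.parent / pair.backup.name
    if pair.replacement is not None:
        dest = quarantine / f"{pair.replacement.parent.name}_{pair.replacement.name}"
        shutil.move(str(pair.replacement), str(dest))
    shutil.move(str(pair.backup), str(target))
    return target


def build_sample_tree() -> Path:
    """Constructed layout mimicking the thread's AWF listing; the byte strings
    stand in for executables and are not real binaries."""
    root = Path(tempfile.mkdtemp(prefix="awf_demo_"))
    layout = {
        # original moved to bak, a different file left in its place
        "Program Files/Athan/bak/Athan.exe": b"MZ original athan",
        "Program Files/Athan/Athan.exe": b"MZ replacement stub",
        "Program Files/QuickTime/bak/qttask.exe": b"MZ original qttask",
        "Program Files/QuickTime/qttask.exe": b"MZ replacement stub",
        # original moved to bak, parent slot left empty
        "Program Files/Analog Devices/SoundMAX/bak/Smax4.exe": b"MZ original smax4",
        # a genuine backup: identical copies, not suspicious
        "Program Files/Vendor/bak/tool.exe": b"MZ same bytes",
        "Program Files/Vendor/tool.exe": b"MZ same bytes",
        # non-executable content in a bak folder is ignored
        "Program Files/Vendor/bak/readme.txt": b"notes",
    }
    for rel, data in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for p in suspicious(find_bak_pairs(demo_root)):
        state = "parent slot empty" if p.replacement is None else "parent differs"
        print(f"{p.backup}  [{state}]")
    shutil.rmtree(demo_root)
```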
  10. itrocks4u

    itrocks4u Thread Starter

    Joined:
    Nov 27, 2004
    Messages:
    225
    OK, I'm about to run the scan. But I don't get it: the exclamation mark and the popups are still there. It's just impossible to work on this computer!! How do I get rid of those??
     
  11. itrocks4u

    itrocks4u Thread Starter

    Joined:
    Nov 27, 2004
    Messages:
    225
    I don't know if this is what you wanted...


    Find AWF report by noahdfear ©2006
    Version 1.40

    The current date is: 12/11/2007
    The current time is: 22:07:35.35


    bak folders found
    ~~~~~~~~~~~



    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~



    end of report
     
  12. itrocks4u

    itrocks4u Thread Starter

    Joined:
    Nov 27, 2004
    Messages:
    225
    New HJT and the requested file attached... I compressed the other file to .rar because it exceeded the max limit of 500 KB.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:09:32 PM, on 12/11/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\System32\Ati2evxx.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\LEXBCES.EXE
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\system32\LEXPPS.EXE
    D:\WINDOWS\system32\Ati2evxx.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\System32\CTsvcCDA.exe
    D:\Program Files\ewido anti-malware\ewidoctrl.exe
    D:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe
    D:\Program Files\Athan\Athan.exe
    D:\Program Files\3M\PSNLite\PsnLite.exe
    D:\Program Files\WinZip\WZQKPICK.EXE
    D:\PROGRA~1\3M\PSNLite\PSNGive.exe
    D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\System32\wuauclt.exe
    D:\Program Files\Internet Explorer\IEXPLORE.EXE
    D:\WINDOWS\System32\msiexec.exe
    D:\Documents and Settings\Ours\Desktop\Salman\hijackthis1.99\New Folder\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (D:\Documents and Settings\OURS\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (D:\Documents and Settings\OURS\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
    O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - D:\WINDOWS\system32\rhpmylmb.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar4.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar4.dll
    O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - D:\WINDOWS\system32\rhpmylmb.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "D:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe" /tray
    O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Lexmark 2200 Series] "D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
    O4 - HKLM\..\Run: [FaxCenterServer] "D:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\bak\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CloudPlugin] "D:\Program Files\IMT Labs Messenger Plugin\Cloud.exe"
    O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [DataLayer] D:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
    O4 - HKLM\..\Run: [SsAAD.exe] D:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Athan] D:\Program Files\Athan\Athan.exe
    O4 - HKLM\..\Run: [SBCSTray] D:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
    O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Creative Detector] "D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Post-it® Software Notes Lite.lnk = D:\Program Files\3M\PSNLite\PsnLite.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Download with Download Accelerator Lite - D:\Program Files\Download Accelerator Lite\dal.htm
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://beowulf.schulich.yorku.ca/dwa7W.cab
    O20 - Winlogon Notify: rhpmylmb - D:\WINDOWS\SYSTEM32\rhpmylmb.dll
    O23 - Service: Adobe LM Service - Unknown owner - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - D:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - D:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: MSCSPTISRV - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: PACSPTISVR - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - D:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - D:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 8142 bytes
     
  13. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,192
    Disconnect from the Internet and disable your anti-virus and firewall programs. Be sure to remember to re-start them before going on-line again.

    Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program. Copy and paste the information in the box below into the pane where it says "Paste fix here" and then click the Run Fix button. The fix should only take a very short time and then you will be asked if you want to reboot. Choose Yes.

    Post the latest .log file from the WinPFind3u folder (it will have a name in the format mmddyyyy_hhmmss.log) back here along with a new HijackThis log please.


    Code:
    [Kill Explorer]
    [Unregister Dlls]
    [Registry - All]
    < Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    YY -> rhpmylmb -> %System32%\rhpmylmb.dll
    < BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    YY -> {A95B2816-1D7E-4561-A202-68C0DE02353A} [HKLM] -> %System32%\rhpmylmb.dll [Reg Data - Value does not exist]
    < Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
    YY -> {11A69AE4-FBED-4832-A2BF-45AF82825583} [HKLM] -> %System32%\rhpmylmb.dll [Security Toolbar]
    < Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
    YY -> WebBrowser\\{11A69AE4-FBED-4832-A2BF-45AF82825583} [HKLM] -> %System32%\rhpmylmb.dll [Security Toolbar]
    [Files/Folders - Created Within 60 days]
    NY -> grbminsu.ini -> %System32%\grbminsu.ini
    NY -> mcrh.tmp -> %System32%\mcrh.tmp
    NY -> pdsuwubd.ini -> %System32%\pdsuwubd.ini
    NY -> qbipmkok.ini -> %System32%\qbipmkok.ini
    NY -> rhpmylmb.dll -> %System32%\rhpmylmb.dll
    NY -> rhpmylmb.dllbox -> %System32%\rhpmylmb.dllbox
    NY -> vjtiusvw.ini -> %System32%\vjtiusvw.ini
    NY -> Live Safety Center.lnk -> %UserDesktop%\Live Safety Center.lnk
    NY -> Online Security Guide.lnk -> %UserDesktop%\Online Security Guide.lnk
    [Files/Folders - Modified Within 30 days]
    NY -> grbminsu.ini -> %System32%\grbminsu.ini
    NY -> mcrh.tmp -> %System32%\mcrh.tmp
    NY -> pdsuwubd.ini -> %System32%\pdsuwubd.ini
    NY -> rhpmylmb.dll -> %System32%\rhpmylmb.dll
    NY -> rhpmylmb.dllbox -> %System32%\rhpmylmb.dllbox
    NY -> vjtiusvw.ini -> %System32%\vjtiusvw.ini
    NY -> Live Safety Center.lnk -> %UserDesktop%\Live Safety Center.lnk
    NY -> Online Security Guide.lnk -> %UserDesktop%\Online Security Guide.lnk
    [Empty Temp Folders]
    [Start Explorer]
    [Reboot]

    Also, after you've done the above, please run ComboFix again and post that log.
     
  14. itrocks4u

    itrocks4u Thread Starter

    Joined:
    Nov 27, 2004
    Messages:
    225
    Explorer killed successfully
    [Registry - All]
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rhpmylmb deleted successfully.
    D:\WINDOWS\SYSTEM32\rhpmylmb.dll unregistered successfully.
    File move failed. D:\WINDOWS\SYSTEM32\rhpmylmb.dll scheduled to be moved on reboot.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A} deleted successfully.
    D:\WINDOWS\SYSTEM32\rhpmylmb.dll unregistered successfully.
    File move failed. D:\WINDOWS\SYSTEM32\rhpmylmb.dll scheduled to be moved on reboot.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar\\{11A69AE4-FBED-4832-A2BF-45AF82825583} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583} deleted successfully.
    D:\WINDOWS\SYSTEM32\rhpmylmb.dll unregistered successfully.
    File move failed. D:\WINDOWS\SYSTEM32\rhpmylmb.dll scheduled to be moved on reboot.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{11A69AE4-FBED-4832-A2BF-45AF82825583} deleted successfully.
    D:\WINDOWS\SYSTEM32\rhpmylmb.dll unregistered successfully.
    File move failed. D:\WINDOWS\SYSTEM32\rhpmylmb.dll scheduled to be moved on reboot.
    [Files/Folders - Created Within 60 days]
    D:\WINDOWS\SYSTEM32\grbminsu.ini moved successfully.
    D:\WINDOWS\SYSTEM32\mcrh.tmp moved successfully.
    D:\WINDOWS\SYSTEM32\pdsuwubd.ini moved successfully.
    D:\WINDOWS\SYSTEM32\qbipmkok.ini moved successfully.
    D:\WINDOWS\SYSTEM32\rhpmylmb.dll unregistered successfully.
    File move failed. D:\WINDOWS\SYSTEM32\rhpmylmb.dll scheduled to be moved on reboot.
    D:\WINDOWS\SYSTEM32\rhpmylmb.dllbox moved successfully.
    D:\WINDOWS\SYSTEM32\vjtiusvw.ini moved successfully.
    D:\Documents and Settings\Ours\Desktop\Live Safety Center.lnk moved successfully.
    D:\Documents and Settings\Ours\Desktop\Online Security Guide.lnk moved successfully.
    [Files/Folders - Modified Within 30 days]
    File D:\WINDOWS\SYSTEM32\grbminsu.ini not found!
    File D:\WINDOWS\SYSTEM32\mcrh.tmp not found!
    File D:\WINDOWS\SYSTEM32\pdsuwubd.ini not found!
    D:\WINDOWS\SYSTEM32\rhpmylmb.dll unregistered successfully.
    File move failed. D:\WINDOWS\SYSTEM32\rhpmylmb.dll scheduled to be moved on reboot.
    File D:\WINDOWS\SYSTEM32\rhpmylmb.dllbox not found!
    File D:\WINDOWS\SYSTEM32\vjtiusvw.ini not found!
    File D:\Documents and Settings\Ours\Desktop\Live Safety Center.lnk not found!
    File D:\Documents and Settings\Ours\Desktop\Online Security Guide.lnk not found!
    [Empty Temp Folders]
    D:\DOCUME~1\Ours\LOCALS~1\Temp\ -> emptied.
    D:\Documents and Settings\Ours\Local Settings\Temporary Internet Files\Content.IE5\ -> emptied
    RecycleBin -> emptied.
    Explorer started successfully
    < End of log >
    Created on 11/13/2007 11:13:52



    ---------------------


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:33:31 AM, on 13/11/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\System32\Ati2evxx.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\LEXBCES.EXE
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\system32\LEXPPS.EXE
    D:\WINDOWS\System32\CTsvcCDA.exe
    D:\Program Files\Symantec AntiVirus\DefWatch.exe
    D:\Program Files\ewido anti-malware\ewidoctrl.exe
    D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Symantec AntiVirus\Rtvscan.exe
    D:\WINDOWS\system32\Ati2evxx.exe
    D:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe
    D:\Program Files\Athan\Athan.exe
    D:\Program Files\MSN Messenger\msnmsgr.exe
    D:\Program Files\3M\PSNLite\PsnLite.exe
    D:\Program Files\WinZip\WZQKPICK.EXE
    D:\WINDOWS\System32\wuauclt.exe
    D:\PROGRA~1\3M\PSNLite\PSNGive.exe
    D:\WINDOWS\explorer.exe
    D:\Program Files\Internet Explorer\IEXPLORE.EXE
    D:\WINDOWS\System32\msiexec.exe
    D:\WINDOWS\system32\NOTEPAD.EXE
    D:\Documents and Settings\Ours\Desktop\Salman\hijackthis1.99\New Folder\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (D:\Documents and Settings\OURS\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (D:\Documents and Settings\OURS\Application Data\Mozilla\Profiles\default\j99kq3o5.slt\prefs.js)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar4.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "D:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe" /tray
    O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Lexmark 2200 Series] "D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
    O4 - HKLM\..\Run: [FaxCenterServer] "D:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\bak\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CloudPlugin] "D:\Program Files\IMT Labs Messenger Plugin\Cloud.exe"
    O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [DataLayer] D:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
    O4 - HKLM\..\Run: [SsAAD.exe] D:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Athan] D:\Program Files\Athan\Athan.exe
    O4 - HKLM\..\Run: [SBCSTray] D:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
    O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Creative Detector] "D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Post-it® Software Notes Lite.lnk = D:\Program Files\3M\PSNLite\PsnLite.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Download with Download Accelerator Lite - D:\Program Files\Download Accelerator Lite\dal.htm
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://beowulf.schulich.yorku.ca/dwa7W.cab
    O20 - Winlogon Notify: rhpmylmb - rhpmylmb.dll (file missing)
    O23 - Service: Adobe LM Service - Unknown owner - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - D:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - D:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: MSCSPTISRV - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: PACSPTISVR - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - D:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - D:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 8108 bytes
     
  15. itrocks4u

    itrocks4u Thread Starter

    Joined:
    Nov 27, 2004
    Messages:
    225
    ComboFix 07-11-08.3 - Ours 2007-11-13 11:25:42.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.179 [GMT -5:00]
    Running from: D:\Documents and Settings\Ours\Desktop\Spyware\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    D:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
    D:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
    D:\Documents and Settings\Ours\Favorites\Online Security Guide.lnk

    .
    ((((((((((((((((((((((((( Files Created from 2007-10-13 to 2007-11-13 )))))))))))))))))))))))))))))))
    .

    2007-11-11 04:47 51,200 --a------ D:\WINDOWS\NirCmd.exe
    2007-11-11 04:38 11,254 --a------ D:\WINDOWS\system32\locate.com
    2007-11-10 20:14 <DIR> d---s---- D:\Documents and Settings\Administrator\UserData
    2007-11-10 12:33 5,200,228 --a------ D:\WINDOWS\system32\SBSP.dat
    2007-11-10 03:43 438 --a------ D:\WINDOWS\system32\SBFC.dat
    2007-11-10 03:42 <DIR> d-------- D:\Documents and Settings\Administrator\Application Data\Sunbelt Software
    2007-11-10 02:55 <DIR> d-------- D:\Documents and Settings\Ours\Application Data\Sunbelt Software
    2007-11-10 02:55 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Sunbelt Software
    2007-11-10 02:54 <DIR> d-------- D:\Program Files\Sunbelt Software
    2007-11-10 02:51 <DIR> d-------- D:\Spyware
    2007-11-10 02:11 <DIR> d-------- D:\WINDOWS\pss
    2007-10-25 10:26 53,248 --a------ D:\WINDOWS\bdoscandel.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-13 16:15 --------- d-----w D:\Program Files\Symantec AntiVirus
    2007-11-11 05:45 --------- d-----w D:\Program Files\Common Files\Autodesk Shared
    2007-11-11 05:42 --------- d-----w D:\Program Files\Athan
    2007-11-11 05:02 --------- d-----w D:\Program Files\MSN Messenger
    2007-11-11 05:02 --------- d-----w D:\Program Files\Lexmark 2200 Series
    2007-11-11 05:02 --------- d-----w D:\Program Files\Google
    2007-11-11 05:02 --------- d-----w D:\Program Files\ewido anti-malware
    2007-11-11 04:14 --------- d-----w D:\Program Files\Picasa2
    2007-11-11 04:14 --------- d-----w D:\Program Files\Lexmark Fax Solutions
    2007-11-11 04:14 --------- d-----w D:\Program Files\IMT Labs Messenger Plugin
    2007-11-10 08:20 --------- d-----w D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-11-07 04:49 48,846 ----a-w D:\Documents and Settings\Ours\Application Data\wklnhst.dat
    2007-11-06 07:55 --------- d-----w D:\Documents and Settings\Ours\Application Data\LimeWire
    2007-11-02 20:00 --------- d-----w D:\Program Files\Norton Security Scan
    2007-10-07 04:19 737,280 ----a-w D:\WINDOWS\iun6002.exe
    2007-10-04 02:57 --------- d-----w D:\Program Files\QuickTime
    2007-09-28 19:05 --------- d-----w D:\Program Files\Common Files\Symantec Shared
    2007-08-27 16:26 27,120 ----a-w D:\WINDOWS\system32\SBBD.exe
    2006-05-20 22:41 840 ----a-w D:\Documents and Settings\Administrator\Application Data\wklnhst.dat
    2005-01-07 21:21 284 ----a-w D:\Documents and Settings\Ours\Application Data\ViewerApp.dat
    .

    ((((((((((((((((((((((((((((( [email protected]_ 4.59.49.56 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2007-11-11 05:01:52 16,384 ----a-w D:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    + 2007-11-13 16:15:05 16,384 ----a-w D:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    - 2007-11-11 05:01:52 32,768 ----a-w D:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2007-11-13 16:15:05 32,768 ----a-w D:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2007-11-13 16:15:05 32,768 ----a-w D:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2007-10-28 21:03:38 52,968 ----a-w D:\WINDOWS\system32\perfc009.dat
    + 2007-11-11 10:02:52 52,968 ----a-w D:\WINDOWS\system32\perfc009.dat
    - 2007-10-28 21:03:38 380,680 ----a-w D:\WINDOWS\system32\perfh009.dat
    + 2007-11-11 10:02:52 380,680 ----a-w D:\WINDOWS\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ----a-w 585,728 2003-05-30 16:42:22 D:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe

    ----a-w 790,528 2003-05-29 23:28:32 D:\Program Files\Analog Devices\SoundMAX\bak\SMax4PNP.exe

    ----a-w 937,984 2005-09-12 00:02:32 D:\Program Files\Athan\bak\Athan.exe
    ----a-w 1,003,520 2007-09-06 18:25:02 D:\Program Files\Athan\Athan.exe

    ----a-w 344,064 2004-12-01 02:10:00 D:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

    ----a-w 50,688 2003-06-07 11:32:32 D:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe

    ----a-w 820,736 2005-09-06 19:45:24 D:\Program Files\Common Files\PCSuite\DataLayer\bak\DataLayer.exe

    ----a-w 102,400 2004-12-02 23:23:34 D:\Program Files\Creative\MediaSource\Detector\bak\CTDetect.exe

    ----a-w 32,768 2004-11-03 00:24:46 D:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe

    ----a-w 81,920 2005-01-26 21:57:49 D:\Program Files\IMT Labs Messenger Plugin\bak\Cloud.exe

    ----a-w 36,975 2005-11-10 17:03:52 D:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe

    ----a-w 57,344 2004-02-13 13:08:00 D:\Program Files\Lexmark 2200 Series\bak\lxbvbmgr.exe

    ----a-w 294,912 2004-02-04 19:33:20 D:\Program Files\Lexmark Fax Solutions\bak\fm3032.exe

    ----a-w 176,128 2005-06-29 20:29:26 D:\Program Files\Nokia\Nokia PC Suite 6\bak\LaunchApplication.exe

    ----a-w 135,168 2005-02-04 23:32:51 D:\Program Files\Picasa2\bak\PicasaMediaDetector.exe

    ----a-w 98,304 2004-12-14 03:23:23 D:\Program Files\QuickTime\bak\qttask.exe
    ----a-w 27,660 2007-10-04 02:54:44 D:\Program Files\QuickTime\qttask.exe

    ----a-w 81,920 2005-01-25 00:58:02 D:\Program Files\Sony\SonicStage\bak\SsAAD.exe

    ----a-w 124,232 2004-08-03 00:36:40 D:\Program Files\Symantec AntiVirus\bak\VPTray.exe

    ----a-w 3,084,288 2005-08-19 23:34:02 D:\Program Files\Yahoo!\Messenger\bak\ypager.exe

    ----a-w 155,648 2001-07-09 15:50:42 D:\WINDOWS\system32\bak\NeroCheck.exe

    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"="D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" []
    "SoundMAX"="D:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe" [2003-05-30 11:42]
    "ATIPTA"="D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" []
    "Lexmark 2200 Series"="D:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe" []
    "FaxCenterServer"="D:\Program Files\Lexmark Fax Solutions\fm3032.exe" []
    "Microsoft Works Update Detection"="D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" []
    "NeroFilterCheck"="D:\WINDOWS\system32\NeroCheck.exe" []
    "QuickTime Task"="D:\Program Files\QuickTime\bak\qttask.exe" [2004-12-13 22:23]
    "CloudPlugin"="D:\Program Files\IMT Labs Messenger Plugin\Cloud.exe" []
    "vptray"="D:\PROGRA~1\SYMANT~1\VPTray.exe" []
    "Picasa Media Detector"="D:\Program Files\Picasa2\PicasaMediaDetector.exe" []
    "RemoteControl"="D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" []
    "DataLayer"="D:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe" []
    "PCSuiteTrayApplication"="D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" []
    "SsAAD.exe"="D:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" []
    "SunJavaUpdateSched"="D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" []
    "ZoneAlarm Client"="D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]
    "Athan"="D:\Program Files\Athan\Athan.exe" [2007-09-06 13:25]
    "SBCSTray"="D:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-08-27 12:09]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo! Pager"="D:\Program Files\Yahoo!\Messenger\ypager.exe" []
    "msnmsgr"="D:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54]
    "Creative Detector"="D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" []

    D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56]
    Post-it® Software Notes Lite.lnk - D:\Program Files\3M\PSNLite\PsnLite.exe [2004-10-15 13:26:54]
    WinZip Quick Pick.lnk - D:\Program Files\WinZip\WZQKPICK.EXE [2005-03-11 17:09:46]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rhpmylmb]
    rhpmylmb.dll

    R1 cdrbsvsd;cdrbsvsd;D:\WINDOWS\System32\drivers\cdrbsvsd.sys
    R2 eusk2par;EUTRON SmartKey Parallel Driver;\??\D:\WINDOWS\System32\Drivers\eusk2par.sys
    R2 Vcs;Vcs support;\??\D:\WINDOWS\System32\Drivers\Vcs.sys
    S3 JL2005;JL2005A Toy Camera;D:\WINDOWS\System32\Drivers\toywdm.sys
    S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);D:\WINDOWS\System32\DRIVERS\ss_bus.sys
    S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;D:\WINDOWS\System32\DRIVERS\ss_mdfl.sys
    S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;D:\WINDOWS\System32\DRIVERS\ss_mdm.sys

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-03 05:09:14 D:\WINDOWS\Tasks\Norton Security Scan.job"
    .
    **************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-13 11:29:28
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    **************************************************************************
    .
    Completion time: 2007-11-13 11:31:01
    D:\ComboFix2.txt ... 2007-11-11 23:52
    D:\ComboFix3.txt ... 2007-11-11 05:04
    .
    --- E O F ---
     
Short URL to this thread: https://techguy.org/649249