lurkingatu2 Posted June 13, 2008 ID:20193 Share Posted June 13, 2008 hellook i'm doing this for a friend of my dads she is about 65-70 when i got it the sound was turned offwhen i turned it on i could hear a phone ringing then it would stop for a few and start to ring againover and over also i could hear a cork pop sound over and over and it was not online lol so i went into sounds and audio in the control panel and put the sound scheme back to defalt and the sounds stopedok heres what i have done so far she had took off Avira and comodo that i put on last year and did notupdate or scan with Superantispyware or Avg antispyware and was just using windows firewall avg antispyware i quarantinedadware whyppcmbam i quarantinedRegistry Keys Infected:HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> No action taken.HKEY_LOCAL_MACHINE\SOFTWARE\Screensavers.com (Adware.Comet) -> No action taken.Registry Data Items Infected:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.a-squared i quarantinedValue: HKEY_LOCAL_MACHINE\SOFTWARE\RealTime Gaming Software --> RTGCLSID detected: Trace.Registry.Diamond Deal CasinoValue: HKEY_USERS\S-1-5-21-1173631084-2267833327-4106529673-1007\Software\MicroGaming\Thumper\Casino\ITSM --> cookie detected: Trace.Registry.Phoenician CasinoValue: HKEY_USERS\S-1-5-21-1173631084-2267833327-4106529673-1007\Software\MicroGaming\Thumper\Detect --> BD detected: Trace.Registry.Phoenician CasinoValue: HKEY_USERS\S-1-5-21-1173631084-2267833327-4106529673-1007\Software\MicroGaming\Thumper\Detect --> DXVerN detected: Trace.Registry.Phoenician CasinoValue: HKEY_USERS\S-1-5-21-1173631084-2267833327-4106529673-1007\Software\MicroGaming\Thumper\Detect --> FlashVerN detected: Trace.Registry.Phoenician CasinoValue: HKEY_USERS\S-1-5-21-1173631084-2267833327-4106529673-1007\Software\MicroGaming\Thumper\Detect --> IEVerN detected: Trace.Registry.Phoenician CasinoValue: HKEY_USERS\S-1-5-21-1173631084-2267833327-4106529673-1007\Software\MicroGaming\Thumper\Detect --> ScreenX detected: Trace.Registry.Phoenician CasinoValue: HKEY_USERS\S-1-5-21-1173631084-2267833327-4106529673-1007\Software\MicroGaming\Thumper\Detect --> ScreenY detected: Trace.Registry.Phoenician CasinoValue: HKEY_USERS\S-1-5-21-1173631084-2267833327-4106529673-1007\Software\CasinonetInstaller --> fullpath detected: Trace.Registry.CasinoOnNetValue: HKEY_USERS\S-1-5-21-1173631084-2267833327-4106529673-1007\Software\CasinonetInstaller --> INSTALLER_GUID detected: Trace.Registry.CasinoOnNetValue: HKEY_USERS\S-1-5-21-1173631084-2267833327-4106529673-1007\Software\CasinonetInstaller --> URL_CASINO_2 detected: Trace.Registry.CasinoOnNetValue: HKEY_USERS\S-1-5-21-1173631084-2267833327-4106529673-1007\Software\casinoonnet\casino\init --> serial detected: Trace.Registry.CasinoOnNetValue: HKEY_USERS\S-1-5-21-1173631084-2267833327-4106529673-1007\Software\casinoonnet\casino\init --> test_data detected: Trace.Registry.CasinoOnNetValue: HKEY_USERS\S-1-5-21-1173631084-2267833327-4106529673-1007\Software\casinoonnet\casino\SDL --> Upd_Flag detected: Trace.Registry.CasinoOnNetValue: HKEY_USERS\S-1-5-21-1173631084-2267833327-4106529673-1007\Software\casinoonnet\casino\SDL --> Upg_Date detected: Trace.Registry.CasinoOnNetValue: HKEY_USERS\S-1-5-21-1173631084-2267833327-4106529673-1007\Software\casinoonnet\casino\init --> COOKIE_ID detected: Trace.Registry.CasinoOnNetValue: HKEY_USERS\S-1-5-21-1173631084-2267833327-4106529673-1007\Software\casinoonnet\casino\init --> DEMO_PASSWORD detected: Trace.Registry.CasinoOnNetValue: HKEY_USERS\S-1-5-21-1173631084-2267833327-4106529673-1007\Software\casinoonnet\casino\init --> DEMO_USERNAME detected: Trace.Registry.CasinoOnNetValue: HKEY_USERS\S-1-5-21-1173631084-2267833327-4106529673-1007\Software\casinoonnet\casino\init --> P detected: Trace.Registry.CasinoOnNetValue: HKEY_USERS\S-1-5-21-1173631084-2267833327-4106529673-1007\Software\casinoonnet\casino\init --> P1 detected: Trace.Registry.CasinoOnNetValue: HKEY_USERS\S-1-5-21-1173631084-2267833327-4106529673-1007\Software\casinoonnet\casino\Movies --> LobbyMovAct detected: Trace.Registry.CasinoOnNetC:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe detected: Worm.Win32.Otwycal.k<--- i scaned at virus,org only a-2 and prevex(trojan,downloader.gen) found it so i think a f/pscaned it at jotti also and nothingspybot s&d found wildtangent that i left because of games on the pc i quarantinedCassava: [sBI $FFCCB2E4] Settings (Registry key, nothing done) HKEY_USERS\S-1-5-21-1173631084-2267833327-4106529673-1007\Software\casinoonnet\casinoCassava: [sBI $63C16629] Settings (Registry key, nothing done) HKEY_USERS\S-1-5-21-1173631084-2267833327-4106529673-1007\Software\casinoonnetCassava: [sBI $A71030A2] Settings (Registry key, nothing done) HKEY_USERS\S-1-5-21-1173631084-2267833327-4106529673-1007\Software\CasinonetInstallerAvira Antivir doint find this no moreC:\Downloads\WinBej2Setup.exe [DETECTION] Is the Trojan horse TR/Agent.9828960<---- i uninstalled [WARNING] The file was ignored!C:\Program Files\AztecBricks_at\Aztec Bricks.exe<----- uninstalled [DETECTION] File has been compressed with an unusual runtime compression tool (PCK/Molebox). Please verify the origin of the file [WARNING] The file was ignored!i scaned at eset online scan and found nothing i tryed panda online and after 7 hours of it scanning and gettingto only 42% i gave up Logfile of Trend Micro HijackThis v2.0.2Scan saved at 9:48:05 AM, on 6/13/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exeC:\WINDOWS\system32\hkcmd.exeC:\Program Files\Synaptics\SynTP\SynTPLpr.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\HP\HP Software Update\HPWuSchd.exeC:\Program Files\HP\hpcoretech\hpcmpmgr.exeC:\Program Files\HPQ\Quick Launch Buttons\EabServr.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exeC:\Program Files\Java\jre1.6.0_05\bin\jusched.exeC:\Program Files\a-squared Free\a2service.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\UPHClean\uphclean.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptopO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exeO4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /StartO4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exeO4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exeO4 - HKLM\..\Run: [updateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe /rO4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /minO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTMLO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLLO9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptopO16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CABO16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cabO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cabO16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cabO16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cabO16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cabO16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cabO16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cabO16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/A...ersion=1,0,0,10O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dllO23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exeO23 - Service: Avira AntiVir Personal Link to post Share on other sites More sharing options...
JeanInMontana Posted June 13, 2008 ID:20210 Share Posted June 13, 2008 Hiya Lurking. What ya doin? Did you take action? I need to see the log after action taken, and a HJT log where I know you removed the stuff. Please update MBAM run a quick scan and post a new log for it and HJT. Link to post Share on other sites More sharing options...
lurkingatu2 Posted June 13, 2008 Author ID:20217 Share Posted June 13, 2008 hello Jean hope your doing goodi was watching nascar qualifying on wheels that shows the speed channel with the TVUPlayerbut had to switch to this lappy lol ok here you go i'v quarantined everything i'v found so farAvira is just finding the 2 games i uninstalled in system restore and i'll delete them lastMalwarebytes' Anti-Malware 1.17Database version: 8541:29:25 PM 6/13/2008mbam-log-6-13-2008 (13-29-25).txtScan type: Quick ScanObjects scanned: 39051Time elapsed: 5 minute(s), 34 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)Logfile of Trend Micro HijackThis v2.0.2Scan saved at 1:34:30 PM, on 6/13/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exeC:\WINDOWS\system32\hkcmd.exeC:\Program Files\Synaptics\SynTP\SynTPLpr.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\HP\HP Software Update\HPWuSchd.exeC:\Program Files\HP\hpcoretech\hpcmpmgr.exeC:\Program Files\HPQ\Quick Launch Buttons\EabServr.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exeC:\Program Files\Java\jre1.6.0_05\bin\jusched.exeC:\Program Files\a-squared Free\a2service.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\UPHClean\uphclean.exeC:\WINDOWS\system32\notepad.exeC:\WINDOWS\system32\NOTEPAD.EXEC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptopO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exeO4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /StartO4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exeO4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exeO4 - HKLM\..\Run: [updateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe /rO4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /minO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTMLO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLLO9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptopO16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CABO16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cabO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cabO16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cabO16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cabO16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cabO16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cabO16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/A...ersion=1,0,0,10O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dllO23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exeO23 - Service: Avira AntiVir Personal Link to post Share on other sites More sharing options...
JeanInMontana Posted June 13, 2008 ID:20223 Share Posted June 13, 2008 Ok looks like you have a bad trojan on thereO4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe If you can find that please upload it to http://uploads.malwarebytes.org/Now let's run ComboFixReview this article here how to use ComboFix Be sure you cover the section on How to install and use the Windows XP Recovery Console and make sure it is installed on your machine. This is important shoudl anything go wrong and we need to recover your PC and not lose all the data.1. Download this file :http://download.bleepingcomputer.com/sUBs/ComboFix.exe2. Double click combofix.exe. It will be a red icon with a white X on your desktop. Follow the prompts you will get a blue cmd prompt screen and a choice to choose Y or N. Choose Y and hit enter.3. When finished, it shall produce a log for you. This logfile is located at C:\ComboFix.txt.Post that log and a HiJack log in your next replyNote:Do not mouseclick combofix's window while its running. That may cause it to stall. Link to post Share on other sites More sharing options...
lurkingatu2 Posted June 13, 2008 Author ID:20228 Share Posted June 13, 2008 ok here you goComboFix 08-06-12.2 - sharon 2008-06-13 15:31:26.1 - NTFSx86Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.206 [GMT -7:00]Running from: C:\Documents and Settings\sharon\Desktop\ComboFix.exeCommand switches used :: C:\Documents and Settings\sharon\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe * Created a new restore point.((((((((((((((((((((((((( Files Created from 2008-05-13 to 2008-06-13 ))))))))))))))))))))))))))))))).2008-06-13 09:54 . 2008-06-13 09:54 <DIR> d-------- C:\Program Files\FastStone Capture2008-06-13 09:54 . 2008-06-13 09:54 <DIR> d-------- C:\Documents and Settings\sharon\Application Data\FastStone2008-06-12 19:57 . 2008-06-13 12:14 <DIR> d-------- C:\Program Files\Panda Security2008-06-12 18:45 . 2008-06-12 18:45 <DIR> d-------- C:\WINDOWS\system32\Adobe2008-06-12 16:21 . 2008-06-12 16:22 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy2008-06-12 16:21 . 2008-06-12 16:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy2008-06-12 15:37 . 2008-06-12 15:39 <DIR> d-------- C:\Program Files\EsetOnlineScanner2008-06-12 12:56 . 2008-06-12 12:56 <DIR> d-------- C:\Program Files\CCleaner2008-06-12 12:55 . 2008-06-12 12:55 <DIR> d-------- C:\Program Files\UPHClean2008-06-12 12:38 . 2008-06-12 12:38 <DIR> d-------- C:\Program Files\VS Revo Group2008-06-12 02:26 . 2008-06-12 02:26 <DIR> d-------- C:\Documents and Settings\sharon\Application Data\Apple Computer2008-06-11 19:51 . 2008-06-11 19:51 <DIR> d-------- C:\Program Files\Auslogics2008-06-11 19:51 . 2008-06-11 19:51 <DIR> d-------- C:\Documents and Settings\sharon\Application Data\Auslogics2008-06-11 19:45 . 2008-06-12 13:54 <DIR> d-------- C:\Program Files\SpywareBlaster2008-06-11 17:54 . 2008-06-13 09:42 <DIR> d-------- C:\Program Files\a-squared Free2008-06-11 17:25 . 2008-06-11 17:25 <DIR> d-------- C:\Program Files\Trend Micro2008-06-11 17:22 . 2008-06-11 17:22 <DIR> d-------- C:\Program Files\SUPERAntiSpyware2008-06-11 17:22 . 2008-06-11 17:22 <DIR> d-------- C:\Documents and Settings\sharon\Application Data\SUPERAntiSpyware.com2008-06-11 17:21 . 2008-06-11 17:21 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware2008-06-11 17:21 . 2008-06-11 17:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard2008-06-11 17:21 . 2008-06-11 17:21 <DIR> d-------- C:\Documents and Settings\sharon\Application Data\Malwarebytes2008-06-11 17:21 . 2008-06-11 17:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes2008-06-11 17:21 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys2008-06-11 17:21 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys2008-06-11 17:08 . 2008-06-11 17:08 <DIR> d-------- C:\Program Files\Avira2008-06-11 17:08 . 2008-06-11 17:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira2008-06-11 16:19 . 2008-06-11 16:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft2008-06-11 15:57 . 2008-04-14 04:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys2008-05-29 15:28 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl2008-05-25 13:04 . 2008-05-25 13:05 <DIR> d-------- C:\Program Files\Atlantis_at.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2008-06-12 20:54 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP2008-06-12 20:47 --------- d-----w C:\Program Files\Google2008-06-12 20:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer2008-06-12 20:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar2008-06-12 19:45 --------- d-----w C:\Program Files\Kodak2008-06-12 19:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak2008-06-12 17:39 --------- d-----w C:\Program Files\Games2008-06-12 17:38 --------- d-----w C:\Program Files\AztecBricks_at2008-05-29 23:30 --------- d-----w C:\Documents and Settings\sharon\Application Data\MSN62008-05-29 22:35 --------- d-----w C:\Program Files\JewelQuest_at2008-05-29 22:28 --------- d-----w C:\Program Files\Java2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll2008-04-21 07:04 615,936 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll2008-04-21 07:04 474,112 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll2008-04-21 07:04 1,494,528 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll2008-04-17 10:52 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe2008-04-14 11:01 272,128 ----a-w C:\WINDOWS\system32\dllcache\bthport.sys2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-10-30 01:46 155648]"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-10-30 01:33 118784]"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-26 10:15 98304]"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-26 10:15 536576]"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 17:28 49152]"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18 241664]"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-07-30 09:33 286720]"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-04-30 11:32 208958]"DXDllRegExe"="dxdllreg.exe" []"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784][hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]"quickcare"=C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe /P QUICKCARE[HKEY_LOCAL_MACHINE\software\microsoft\security center]"AntiVirusDisableNotify"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN\\MSNCoreFiles\\msn.exe"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=*Newly Created Service* - CATCHME*Newly Created Service* - HTTPFILTER.**************************************************************************catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2008-06-13 15:32:36Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ... scanning hidden autostart entries ...HKLM\Software\Microsoft\Windows\CurrentVersion\Run Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????8?3?3?3??????? ???B???????????????B? ?????? scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.Completion time: 2008-06-13 15:34:46ComboFix-quarantined-files.txt 2008-06-13 22:34:38Pre-Run: 31,884,337,152 bytes freePost-Run: 31,859,056,640 bytes freeWindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe[boot loader]timeout=2default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS[operating systems]multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetectC:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons129 --- E O F --- 2008-06-11 23:06:49Logfile of Trend Micro HijackThis v2.0.2Scan saved at 3:37:50 PM, on 6/13/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exeC:\WINDOWS\system32\hkcmd.exeC:\Program Files\Synaptics\SynTP\SynTPLpr.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\HP\HP Software Update\HPWuSchd.exeC:\Program Files\HP\hpcoretech\hpcmpmgr.exeC:\Program Files\HPQ\Quick Launch Buttons\EabServr.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exeC:\Program Files\Java\jre1.6.0_05\bin\jusched.exeC:\Program Files\a-squared Free\a2service.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\UPHClean\uphclean.exeC:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\explorer.exeC:\WINDOWS\system32\notepad.exeC:\Program Files\internet explorer\iexplore.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exeO4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /StartO4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exeO4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exeO4 - HKLM\..\Run: [updateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe /rO4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /minO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTMLO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLLO9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptopO16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CABO16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cabO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cabO16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cabO16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/A...ersion=1,0,0,10O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dllO23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exeO23 - Service: Avira AntiVir Personal Link to post Share on other sites More sharing options...
JeanInMontana Posted June 14, 2008 ID:20251 Share Posted June 14, 2008 OK, run HJT in scan only and check then fix the following:O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exeO9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)Then please upload these files to Bruce.C:\WINDOWS\system32\dllcache\iedw.exeC:\Program Files\HPQ\Default Settings\cpqset.exe????????8?3?3?3??????? ???B???????????????B? ?????? Link to post Share on other sites More sharing options...
lurkingatu2 Posted June 14, 2008 Author ID:20260 Share Posted June 14, 2008 ok i uploaded them there was 2 cpqset.exe in HPQ so i sent both also i forgot in my last posti forgot to say i could not find that dxdllreg.exealso is it ok to remove this because there is no AOL on here no more O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTMLLogfile of Trend Micro HijackThis v2.0.2Scan saved at 10:22:15 PM, on 6/13/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exeC:\WINDOWS\system32\hkcmd.exeC:\Program Files\Synaptics\SynTP\SynTPLpr.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\HP\HP Software Update\HPWuSchd.exeC:\Program Files\HP\hpcoretech\hpcmpmgr.exeC:\Program Files\HPQ\Quick Launch Buttons\EabServr.exeC:\Program Files\Common Files\Sonic\Update Manager\sgtray.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exeC:\Program Files\Java\jre1.6.0_05\bin\jusched.exeC:\Program Files\a-squared Free\a2service.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\UPHClean\uphclean.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exeO4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /StartO4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exeO4 - HKLM\..\Run: [updateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe /rO4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /minO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTMLO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLLO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptopO16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CABO16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cabO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cabO16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cabO16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/A...ersion=1,0,0,10O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dllO23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exeO23 - Service: Avira AntiVir Personal Link to post Share on other sites More sharing options...
JeanInMontana Posted June 14, 2008 ID:20293 Share Posted June 14, 2008 Log looks good. Let's do another MBAM scan, be sure to update it. Post that log and a new HJT. Link to post Share on other sites More sharing options...
lurkingatu2 Posted June 14, 2008 Author ID:20299 Share Posted June 14, 2008 hellosorry it took so long i seen you post but i was running chkdsk on this laptop watching the craftsmantruck race (great finsh) on my pc and reading you post on my other lolMalwarebytes' Anti-Malware 1.17Database version: 8562:13:45 PM 6/14/2008mbam-log-6-14-2008 (14-13-45).txtScan type: Quick ScanObjects scanned: 39155Time elapsed: 6 minute(s), 22 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)Logfile of Trend Micro HijackThis v2.0.2Scan saved at 2:14:42 PM, on 6/14/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exeC:\WINDOWS\system32\hkcmd.exeC:\Program Files\Synaptics\SynTP\SynTPLpr.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\HP\HP Software Update\HPWuSchd.exeC:\Program Files\HP\hpcoretech\hpcmpmgr.exeC:\Program Files\HPQ\Quick Launch Buttons\EabServr.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exeC:\Program Files\Java\jre1.6.0_05\bin\jusched.exeC:\Program Files\a-squared Free\a2service.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\UPHClean\uphclean.exeC:\WINDOWS\system32\NOTEPAD.EXEC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exeO4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /StartO4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exeO4 - HKLM\..\Run: [updateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe /rO4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /minO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTMLO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLLO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptopO16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CABO16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cabO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cabO16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cabO16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/A...ersion=1,0,0,10O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dllO23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exeO23 - Service: Avira AntiVir Personal Link to post Share on other sites More sharing options...
JeanInMontana Posted June 14, 2008 ID:20303 Share Posted June 14, 2008 No worries I usually do a daily check, your getting special treatment. Yes AOL can go and I would do a CCleaner scan it should find all the AOL crap on there.O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTMLYou are running an outdated and unsafe version of Java. You need to uninstall it via Add/Remove programs and delete the program file also. Then go here http://java.sun.com/javase/downloads/index.jsp and install the correct version for your system. Choose the offline installation.You have both AVG and SAS running as active services, I would cut out AVG active and have it as backup only or just get rid of it. With SAS and MBAM she won't need AVG.Her Windows updates are not current get SP3 on for her. Do all this before you reset System Restore is best I think. Just in case SP3 breaks something.Be sure you warn her about MSN and the huge rise in infections from it. Make sure she knows not to click on links even if she thinks she knows who sent it.Your log looks clean. We need to now reset a clean System Restore point. If you don't and you need to use System Restore you will reinfect yourself. Go to Start>Control Panel>System. Click on the System Restore tab and put a check in Turn off System Restore. Then click OK. Now go to Start>Help and Support > Undo Changes to Your System or System Restore depending on the make of your PC. Click on what ever will open the System Restore box. You will see two options, Choose Create a System Restore Point. Give it a name like Clean Restore Point and today's date. Now if you need to use it you have it. Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenal. Keep Spybot Search & Destroy and always immunize when you update. You will also need at least one other scanning program AVG is good and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use.A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient.Preform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan.SpywareBlaster from Javacool SoftwareWinPatrol by BillPStudios SiteHound by FireTrustRogueRemoverhpHostsThe windows firewall is not sufficient to protect. It doesn't monitor outgoing traffic and this is a must. I use and recommend Online Armor Free She can join my site and we will spoon feed her safe surfing too. LOL Link to post Share on other sites More sharing options...
lurkingatu2 Posted June 14, 2008 Author ID:20305 Share Posted June 14, 2008 ok thank you so very much Link to post Share on other sites More sharing options...
JeanInMontana Posted June 15, 2008 ID:20391 Share Posted June 15, 2008 Your welcome and what a nice thing for you to do. Karma point for you!! Race time from the sounds of RaceBuddy. Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.The fixes and advice in this thread are for this machine only. Do not apply to your machine. Please start a thread of your own and someone will be happy to help you. Link to post Share on other sites More sharing options...
Recommended Posts