Syke360 Posted June 15, 2008

I have a brand new HP 6720s laptop with Windows Vista Home Basic installed, and within a matter of hours I started to get popups and registry entries being made from something called MSServer. I have Norton Internet Security (which came with the lappy) and also installed Spybot Search & Destroy (which is picking up the reg edits). Windows Defender also picks up the problem, but it being MS's own program it can't fix it. I have a feeling this is not all I have problem-wise. Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 01:20:27, on 15/06/2008
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\PDF Complete\pdfsty.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\System32\mobsync.exe
C:\Windows\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\igfxsrvc.exe
C:\Users\Syke360\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...b&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...b&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...b&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe"
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\RunOnce: [ST Recovery Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Syke360\AppData\Local\Temp\geBtSIyW.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Syke360\AppData\Local\Temp\xxyyaBqo.dll,c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [58004740] rundll32.exe "C:\Users\Syke360\AppData\Local\Temp\vwfwcbot.dll",b
O4 - HKCU\..\Run: [BM5b3374dc] Rundll32.exe "C:\Users\Syke360\AppData\Local\Temp\cuhtxydl.dll",s
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix: 
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: HP ProtectTools Device Locking / Auditing (FLCDLOCK) - Hewlett-Packard Ltd - C:\Windows\system32\flcdlock.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: SQL Server (MSSMLBIZ) (MSSQL$MSSMLBIZ) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ (file missing)
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)

Hope you guys can help. I ran VundoFix also; it found something, but now that's gone.
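The O4 entries in the log above show the pattern Spybot and Defender were tripping over: HKCU Run values named MSServer, cmds, 58004740 and BM5b3374dc, each using rundll32.exe to load an eight-letter DLL out of the user's AppData\Local\Temp, a location no legitimate autostart needs. The following is an added example, not code from the original thread nor from HijackThis or ComboFix: a small Python triage that parses HijackThis O4 lines and flags that pattern. The sample lines are copied from the posted log; the scoring rule (a temp-directory DLL is decisive on its own, otherwise two weaker signals are needed) and the "random-looking name" heuristic are this example's own assumptions, tuned to the names seen here.

```python
"""Triage HijackThis O4 (autostart) lines for rundll32 loading DLLs from %TEMP%.

Added example; not part of the original thread or of HijackThis.  The
thresholds below are assumptions tuned to the names seen in the posted log.
"""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# "O4 - HKCU\..\Run: [value name] command line"
REG_O4 = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\\S+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# "O4 - Global Startup: shortcut.lnk = target"
FOLDER_O4 = re.compile(r"^O4 - (?P<key>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# rundll32 stub, optionally quoted or given with a full path, any case
RUNDLL = re.compile(r'(?i)^"?(?:[a-z]:\\[^"\s]*\\)?rundll32(?:\.exe)?"?\s+')
USER_TEMP = re.compile(r"(?i)\\(?:AppData\\Local\\Temp|Local Settings\\Temp)\\")

TEMP_REASON = "loads from user temp dir"


@dataclass
class AutostartEntry:
    hive: str                 # HKLM / HKCU / HKUS\... or the startup-folder name
    key: str                  # Run, RunOnce, Global Startup, ...
    name: str                 # registry value name or shortcut name
    cmd: str                  # full command line as logged
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A DLL under the user's temp dir is decisive; otherwise require two
        # weaker signals so OEM cruft with odd names is not flagged.
        return TEMP_REASON in self.reasons or len(self.reasons) >= 2

    @property
    def registry_value(self):
        """(key path, value name) to delete, or None for startup-folder items."""
        if not self.hive.startswith("HK"):
            return None
        return (self.hive + r"\Software\Microsoft\Windows\CurrentVersion" + "\\" + self.key,
                self.name)


def rundll32_target(cmd: str):
    """Return the DLL path a rundll32 command line loads, or None if not rundll32."""
    m = RUNDLL.match(cmd)
    if not m:
        return None
    rest = cmd[m.end():]
    if rest.startswith('"'):                      # "C:\path\x.dll",entry
        close = rest.find('"', 1)
        return rest[1:close] if close > 0 else rest[1:]
    return re.split(r"[,\s]", rest, maxsplit=1)[0]  # C:\path\x.dll,entry


def looks_random(token: str) -> bool:
    """Heuristic (assumption): hex blobs, letters salted with digits, or an
    8-letter stem with at most two vowels read as machine-generated."""
    t = re.sub(r"[^A-Za-z0-9]", "", token)
    if len(t) < 8:
        return False
    if re.fullmatch(r"[0-9A-Fa-f]+", t):
        return True
    digits = sum(c.isdigit() for c in t)
    if 4 <= digits < len(t):
        return True
    if t.isalpha() and len(t) == 8:
        return sum(c in "aeiouAEIOU" for c in t) <= 2
    return False


def parse_o4(line: str):
    """Parse one O4 line into an AutostartEntry with its suspicion reasons."""
    m = REG_O4.match(line) or FOLDER_O4.match(line)
    if not m:
        return None
    d = m.groupdict()
    e = AutostartEntry(d.get("hive") or d["key"], d["key"], d["name"], d["cmd"])
    dll = rundll32_target(e.cmd)
    if USER_TEMP.search(dll if dll is not None else e.cmd):
        e.reasons.append(TEMP_REASON)
    if dll is not None and looks_random(PureWindowsPath(dll).stem):
        e.reasons.append("rundll32 loads DLL with random-looking name")
    if looks_random(e.name):
        e.reasons.append("random-looking value name")
    return e


def triage(log_text: str):
    """Return the suspicious entries from a HijackThis log, in log order."""
    entries = (parse_o4(line.rstrip()) for line in log_text.splitlines())
    return [e for e in entries if e is not None and e.suspicious]


# Lines copied from the HijackThis log posted in the thread (not constructed).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Syke360\AppData\Local\Temp\geBtSIyW.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Syke360\AppData\Local\Temp\xxyyaBqo.dll,c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [58004740] rundll32.exe "C:\Users\Syke360\AppData\Local\Temp\vwfwcbot.dll",b
O4 - HKCU\..\Run: [BM5b3374dc] Rundll32.exe "C:\Users\Syke360\AppData\Local\Temp\cuhtxydl.dll",s
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"[{e.name}] {e.cmd}\n    reasons: {', '.join(e.reasons)}"
              f"\n    remove:  {e.registry_value}")
```

Run against the sample it flags exactly the four HKCU entries and leaves the OEM, Java, Spybot and startup-folder items alone; the `registry_value` property gives the Run key and value name to delete once the DLLs in Temp have been removed. Treat the name heuristic as a tie-breaker only: the location of the DLL is the signal worth acting on.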
rmurphy Posted June 15, 2008

Welcome to BestTechie! I'm Ryan, and I'll be helping you clean your computer.

Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop.**
Please, never rename Combofix unless instructed.
Close any open browsers.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore your connection.
-----------------------------------------------------------
1. Double click on combofix.exe & follow the prompts.
2. When finished, it will produce a report for you.
3. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.**

-Ryan
Syke360 Posted June 16, 2008

Thanks for the help, Ryan. I did as instructed. Here's the ComboFix log:

ComboFix 08-06-15.4 - Syke360 2008-06-16 19:13:48.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.186 [GMT 1:00]
Running from: C:\Users\Syke360\Desktop\ComboFix.exe
 * Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Windows\system32\x64
F:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-05-16 to 2008-06-16 )))))))))))))))))))))))))))))))
.
2008-06-16 18:58 . 2008-06-16 18:59 <DIR> d-------- C:\Windows\LastGood
2008-06-15 17:06 . 2008-06-15 17:06 <DIR> d-------- C:\Users\Syke360\AppData\Roaming\Grisoft
2008-06-15 17:06 . 2008-06-15 17:06 <DIR> d-------- C:\Users\All Users\Grisoft
2008-06-15 17:06 . 2007-05-30 13:10 10,872 --a------ C:\Windows\System32\drivers\AvgAsCln.sys
2008-06-14 23:58 . 2008-06-15 01:26 <DIR> d-------- C:\VundoFix Backups
2008-06-12 19:01 . 2008-06-12 19:01 <DIR> d-------- C:\Users\All Users\LightScribe
2008-06-12 18:47 . 2008-06-12 18:50 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-06-12 18:47 . 2008-06-12 18:47 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-12 18:29 . 2008-06-12 18:29 <DIR> d-------- C:\Users\All Users\FLEXnet
2008-06-12 18:16 . 2008-06-12 18:16 <DIR> d-------- C:\Program Files\Bonjour
2008-06-12 02:50 . 2008-06-12 02:50 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-06-12 02:47 . 2008-06-12 18:16 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-06-11 21:03 . 2008-06-12 18:31 <DIR> d-------- C:\Users\Syke360\AppData\Roaming\uTorrent
2008-06-11 21:03 . 2008-06-11 21:03 <DIR> d-------- C:\Program Files\uTorrent
2008-06-11 16:50 . 2008-06-11 16:50 113,664 --a------ C:\Windows\System32\drivers\rmcast.sys
2008-06-11 16:50 . 2008-06-11 16:50 14,848 --a------ C:\Windows\System32\wshrm.dll
2008-06-11 16:49 . 2008-06-11 16:49 1,327,104 --a------ C:\Windows\System32\quartz.dll
2008-06-11 16:47 . 2008-06-11 16:47 826,368 --a------ C:\Windows\System32\wininet.dll
2008-06-11 02:10 . 2008-06-11 02:10 16 --a------ C:\Windows\System32\coh.cache
2008-06-11 01:46 . 2007-03-05 08:53 92,032 --a------ C:\Windows\System32\drivers\ewusbmdm.sys
2008-06-11 01:46 . 2007-03-05 08:52 23,424 --a------ C:\Windows\System32\drivers\ewdcsc.sys
2008-06-11 01:44 . 2008-06-11 01:44 <DIR> d-------- C:\Program Files\T-Mobile
2008-06-11 01:39 . 2008-06-11 01:39 <DIR> d-------- C:\Program Files\7-Zip
2008-06-11 01:31 . 2008-06-11 01:31 <DIR> d-------- C:\Users\Syke360\AppData\Roaming\Roxio
2008-06-10 18:09 . 2008-06-10 18:09 1,060,920 --a------ C:\Windows\System32\drivers\ntfs.sys
2008-06-10 18:09 . 2008-06-10 18:09 41,984 --a------ C:\Windows\System32\drivers\monitor.sys
2008-06-10 18:06 . 2008-06-10 18:06 8,147,968 --a------ C:\Windows\System32\wmploc.DLL
2008-06-10 18:06 . 2008-06-10 18:06 356,864 --a------ C:\Windows\System32\MediaMetadataHandler.dll
2008-06-10 18:06 . 2008-06-10 18:06 7,680 --a------ C:\Windows\System32\spwmp.dll
2008-06-10 18:06 . 2008-06-10 18:06 4,096 --a------ C:\Windows\System32\msdxm.ocx
2008-06-10 18:06 . 2008-06-10 18:06 4,096 --a------ C:\Windows\System32\dxmasf.dll
2008-06-10 17:58 . 2008-06-10 17:58 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-06-10 17:58 . 2008-06-10 17:58 3,504,696 --a------ C:\Windows\System32\ntkrnlpa.exe
2008-06-10 17:58 . 2008-06-10 17:58 3,470,392 --a------ C:\Windows\System32\ntoskrnl.exe
2008-06-10 17:58 . 2008-06-10 17:58 211,000 --a------ C:\Windows\System32\drivers\volsnap.sys
2008-06-10 17:58 . 2008-06-10 17:58 154,624 --a------ C:\Windows\System32\drivers\nwifi.sys
2008-06-10 17:58 . 2008-06-10 17:58 109,624 --a------ C:\Windows\System32\drivers\ataport.sys
2008-06-10 17:58 . 2008-06-10 17:58 45,112 --a------ C:\Windows\System32\drivers\pciidex.sys
2008-06-10 17:58 . 2008-06-10 17:58 21,560 --a------ C:\Windows\System32\drivers\atapi.sys
2008-06-10 17:58 . 2008-06-10 17:58 15,928 --a------ C:\Windows\System32\drivers\pciide.sys
2008-06-10 17:55 . 2008-06-10 17:55 806,400 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-06-10 17:55 . 2008-06-10 17:55 217,144 --a------ C:\Windows\System32\drivers\netio.sys
2008-06-10 17:55 . 2008-06-10 17:55 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-06-10 17:55 . 2008-06-10 17:55 24,064 --a------ C:\Windows\System32\netcfg.exe
2008-06-10 17:55 . 2008-06-10 17:55 22,016 --a------ C:\Windows\System32\netiougc.exe
2008-06-10 17:51 . 2008-06-10 17:51 1,585,664 --a------ C:\Windows\System32\setupapi.dll
2008-06-10 17:46 . 2008-06-10 17:46 2,027,008 --a------ C:\Windows\System32\win32k.sys
2008-06-10 17:45 . 2008-06-10 17:45 223,232 --a------ C:\Windows\System32\WMASF.DLL
2008-06-10 17:45 . 2008-06-10 17:45 9,728 --a------ C:\Windows\System32\LAPRXY.DLL
2008-06-10 17:45 . 2008-06-10 17:45 2,048 --a------ C:\Windows\System32\asferror.dll
2008-06-10 17:43 . 2008-06-10 17:43 296,448 --a------ C:\Windows\System32\gdi32.dll
2008-06-10 17:42 . 2008-06-10 17:42 737,792 --a------ C:\Windows\System32\inetcomm.dll
2008-06-10 17:42 . 2008-06-10 17:42 84,480 --a------ C:\Windows\System32\INETRES.dll
2008-06-10 17:40 . 2008-06-10 17:40 11,776 --a------ C:\Windows\System32\sbunattend.exe
2008-06-10 17:39 . 2008-06-10 17:39 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-06-10 17:39 . 2008-06-10 17:39 1,686,528 --a------ C:\Windows\System32\gameux.dll
2008-06-10 17:39 . 2008-06-10 17:39 83,968 --a------ C:\Windows\System32\dnsrslvr.dll
2008-06-10 17:39 . 2008-06-10 17:39 24,576 --a------ C:\Windows\System32\dnscacheugc.exe
2008-06-10 17:38 . 2008-06-10 17:38 788,992 --a------ C:\Windows\System32\rpcrt4.dll
2008-06-10 17:38 . 2008-06-10 17:38 130,048 --a------ C:\Windows\System32\drivers\srv2.sys
2008-06-10 17:38 . 2008-06-10 17:38 101,888 --a------ C:\Windows\System32\drivers\mrxsmb.sys
2008-06-10 17:38 . 2008-06-10 17:38 84,992 --a------ C:\Windows\System32\drivers\srvnet.sys
2008-06-10 17:38 . 2008-06-10 17:38 58,368 --a------ C:\Windows\System32\drivers\mrxsmb20.sys
2008-06-10 17:35 . 2008-06-10 17:35 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-06-10 17:34 . 2008-06-10 17:34 2,048 --a------ C:\Windows\System32\tzres.dll
2008-06-10 01:43 . 2008-06-10 01:43 1,712,984 --a------ C:\Windows\System32\wuaueng.dll
2008-06-10 01:43 . 2008-06-10 01:43 1,524,224 --a------ C:\Windows\System32\wucltux.dll
2008-06-10 01:43 . 2008-06-10 01:43 549,720 --a------ C:\Windows\System32\wuapi.dll
2008-06-10 01:43 . 2008-06-10 01:43 163,000 --a------ C:\Windows\System32\wuwebv.dll
2008-06-10 01:43 . 2008-06-10 01:43 80,896 --a------ C:\Windows\System32\wudriver.dll
2008-06-10 01:43 . 2008-06-10 01:43 53,080 --a------ C:\Windows\System32\wuauclt.exe
2008-06-10 01:43 . 2008-06-10 01:43 43,352 --a------ C:\Windows\System32\wups2.dll
2008-06-10 01:43 . 2008-06-10 01:43 33,624 --a------ C:\Windows\System32\wups.dll
2008-06-10 01:43 . 2008-06-10 01:43 31,232 --a------ C:\Windows\System32\wuapp.exe
2008-06-09 23:05 . 2008-06-09 23:57 <DIR> d-------- C:\Program Files\Windows Live
2008-06-09 23:05 . 2008-06-09 23:57 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-09 23:04 . 2008-06-09 23:04 0 --a------ C:\Windows\nsreg.dat
2008-06-09 23:02 . 2008-06-09 23:56 <DIR> d-------- C:\Users\All Users\WLInstaller
2008-06-09 22:55 . 2008-06-09 22:55 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-06-09 22:48 . 2008-06-10 01:52 <DIR> d-------- C:\World of Warcraft
2008-06-09 21:51 . 2008-06-09 21:51 <DIR> dr------- C:\Users\Syke360\Searches
2008-06-09 21:51 . 2008-06-09 23:53 <DIR> dr------- C:\Users\Syke360\Contacts
2008-06-09 21:51 . 2008-06-09 21:51 44 --a------ C:\Windows\system\hpsysdrv.dat
2008-06-09 21:48 . 2008-06-09 21:48 <DIR> d-------- C:\Users\Syke360\AppData\Roaming\Hewlett-Packard
2008-06-09 21:43 . 2006-11-02 06:09 1,419,232 --a------ C:\Windows\System32\drivers\wdfcoinstaller01005.dll
2008-06-09 21:43 . 2007-06-18 16:12 16,768 --a------ C:\Windows\System32\drivers\HpqKbFiltr.sys
2008-06-09 21:41 . 2008-06-09 21:41 <DIR> d-------- C:\Program Files\Broadcom
2008-06-09 21:41 . 2008-06-09 21:40 3,231,744 --a------ C:\Windows\System32\bcmihvsrv.dll
2008-06-09 21:41 . 2008-06-09 21:40 2,895,872 --a------ C:\Windows\System32\bcmihvui.dll
2008-06-09 21:40 . 2008-06-09 21:40 <DIR> d-------- C:\Users\Syke360\AppData\Roaming\Hewlett Packard
2008-06-09 21:40 . 2007-09-14 16:41 1,044,472 --a------ C:\Windows\System32\drivers\BCMWL6.SYS
2008-06-09 21:40 . 2007-09-14 16:41 87,328 --a------ C:\Windows\System32\bcmwlcoi.dll
2008-06-09 21:39 . 2008-06-09 21:39 <DIR> d-------- C:\Program Files\Macrovision Corp
2008-06-09 21:39 . 2002-11-22 02:57 204,800 --a------ C:\Windows\System32\IVIresizeW7.dll
2008-06-09 21:39 . 2002-11-22 02:57 200,704 --a------ C:\Windows\System32\IVIresizeA6.dll
2008-06-09 21:39 . 2002-11-22 02:57 192,512 --a------ C:\Windows\System32\IVIresizeP6.dll
2008-06-09 21:39 . 2002-11-22 02:57 192,512 --a------ C:\Windows\System32\IVIresizeM6.dll
2008-06-09 21:39 . 2002-11-22 02:57 188,416 --a------ C:\Windows\System32\IVIresizePX.dll
2008-06-09 21:39 . 2002-11-22 02:57 20,480 --a------ C:\Windows\System32\IVIresize.dll
2008-06-09 21:37 . 2008-06-09 21:37 <DIR> d-------- C:\Program Files\Common Files\InterVideo
2008-06-09 21:36 . 2008-06-09 21:36 <DIR> d-------- C:\Users\Syke360\AppData\Roaming\InstallShield
2008-06-09 21:36 . 2008-06-09 21:38 <DIR> d-------- C:\Program Files\InterVideo
2008-06-09 21:36 . 2008-06-09 21:36 0 -rahs---- C:\Windows\System32\drivers\103C_HP_bNB_6720s_Y5336AN_0U_QCNU8152F66_E452408-004_4A_I30D8_SHP_V83.0E_68MDU F.09_T080110_WV2-0_L409_M1015_J80_7Intel_86FA_91.73_#071211_N808610C4_(GB900EA#ABU)_XMOBILE_CN10_Z_2F.09_G80862A12;80862A13.MRK
2008-06-09 21:34 . 2008-06-09 21:51 <DIR> dr------- C:\Users\Syke360\Videos
2008-06-09 21:34 . 2008-06-09 21:51 <DIR> dr------- C:\Users\Syke360\Saved Games
2008-06-09 21:34 . 2008-06-09 21:51 <DIR> dr------- C:\Users\Syke360\Pictures
2008-06-09 21:34 . 2008-06-09 21:51 <DIR> dr------- C:\Users\Syke360\Music
2008-06-09 21:34 . 2008-06-11 01:31 <DIR> dr------- C:\Users\Syke360\Links
2008-06-09 21:34 . 2008-06-12 02:39 <DIR> dr------- C:\Users\Syke360\Downloads
2008-06-09 21:34 . 2008-06-12 02:45 <DIR> dr------- C:\Users\Syke360\Documents
2008-06-09 21:34 . 2008-06-09 21:40 <DIR> d--h----- C:\Users\Syke360\AppData
2008-06-09 21:34 . 2008-06-15 03:09 <DIR> d-------- C:\Users\Syke360
2008-06-09 21:21 . 2008-06-09 21:21 <DIR> dr------- C:\Windows\System32\config\systemprofile\Contacts
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-11 17:23 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-11 16:10 --------- d-----w C:\Program Files\Windows Mail
2008-06-11 15:47 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-06-11 15:46 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-06-11 15:46 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-06-11 15:35 --------- d-----w C:\Program Files\Norton Internet Security
2008-06-11 01:03 805 ----a-w C:\Windows\system32\drivers\SYMEVENT.INF
2008-06-11 01:03 123,952 ----a-w C:\Windows\system32\drivers\SYMEVENT.SYS
2008-06-11 01:03 10,671 ----a-w C:\Windows\system32\drivers\SYMEVENT.CAT
2008-06-11 01:03 --------- d-----w C:\Program Files\Symantec
2008-06-10 17:22 --------- d-----w C:\Program Files\Windows Sidebar
2008-06-10 17:01 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-06-10 16:39 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-06-10 16:39 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-06-10 16:39 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-06-10 16:39 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-06-10 16:39 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-06-09 20:43 --------- d-----w C:\Program Files\Hewlett-Packard
2008-06-09 20:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-09 20:36 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-11 11:49 174 --sha-w C:\Program Files\desktop.ini
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"cmds"="C:\Users\Syke360\AppData\Local\Temp\xxyyaBqo.dll" [2008-06-12 02:46 321536]
"BM5b3374dc"="C:\Users\Syke360\AppData\Local\Temp\fgnfqeeh.dll" [2008-06-16 19:01 90112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2007-09-24 15:44 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2007-09-24 15:44 154136]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2007-09-24 15:44 129560]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-02-21 14:14 1183744]
"PDF Complete"="C:\Program Files\PDF Complete\pdfsty.exe" [2007-05-08 17:38 331552]
"PTHOSTTR"="C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.exe" [2007-01-10 00:52 145184]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-07 19:14 833072]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-05-11 22:21 472632]
"WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-11 01:12 317128]
"HP Health Check Scheduler"="c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-06-05 18:12 71176]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59 115816]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 12:43 83608]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-11-06 16:34 177456]
"HP Software Update"="c:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 08:11 49152]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ST Recovery Launcher"="%WINDIR%\SMINST\launcher.exe" [ ]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
DVD Check.lnk - C:\Program Files\InterVideo\DVD Check\DVDCheck.exe [2008-06-09 21:36:32 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
DeviceNP.dll 2007-06-08 18:04 49152 C:\Windows\System32\DeviceNP.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{DE3F1BC4-50BB-4C6F-93EB-A5783DF3426F}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{4FD25612-206A-40CC-9F88-D9EB657E7AE3}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{332F3A3F-9E90-4150-9CE8-AC9437953BD1}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{4B7AFAB4-C471-4429-9682-133BD01D0917}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (UDP-In)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20080613.002\IDSvix86.sys [2008-06-03 17:55]
R2 AEADIFilters;Andrea ADI Filters Service;C:\Windows\system32\AEADISRV.EXE [2007-02-06 07:44]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;"C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe" [2008-01-11 17:50]
R2 pdfcDispatcher;PDF Document Manager;C:\Program Files\PDF Complete\pdfsvc.exe [2007-05-08 17:38]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2007-08-24 13:39]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-01-09 15:32]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\b57nd60x.sys [2006-11-02 08:30]
S3 DAMDrv;DAMDrv;C:\Windows\system32\DRIVERS\DAMDrv.sys [2007-06-08 17:49]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;C:\Windows\system32\flcdlock.exe [2007-06-08 18:06]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ []
S3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 08:36]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ff20882-39bc-11dd-b2c7-0021000f229f}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ff20889-39bc-11dd-b2c7-0021000f229f}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2d11681-3738-11dd-ac61-001f29867928}]
\shell\AutoRun\command - G:\AutoRun.exe

*Newly Created Service* - AVGASCLN
*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
"2008-06-11 15:36:20 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Syke360.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeB/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-16 19:20:47
Windows 6.0.6000 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 
scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> C:\Users\Syke360\AppData\Local\Temp\lbrmwlci.dll
-> C:\Users\Syke360\AppData\Local\Temp\fgnfqeeh.dll
-> C:\Users\Syke360\AppData\Local\Temp\xxyyaBqo.dll
.
Completion time: 2008-06-16 19:23:36
ComboFix-quarantined-files.txt 2008-06-16 18:22:50

Pre-Run: 26,940,825,600 bytes free
Post-Run: 26,995,916,800 bytes free

259 --- E O F --- 2008-06-14 22:32:16

And here's the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 19:27:52, on 16/06/2008
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\PDF Complete\pdfsty.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\Explorer.exe
C:\Users\Syke360\Desktop\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...b&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...b&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...b&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe"
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\RunOnce: [ST Recovery Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Syke360\AppData\Local\Temp\xxyyaBqo.dll,c
O4 - HKCU\..\Run: [BM5b3374dc] Rundll32.exe "C:\Users\Syke360\AppData\Local\Temp\fgnfqeeh.dll",s
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Syke360\AppData\Local\Temp\geBtSIyW.dll,#1
O4 - HKCU\..\Run: [58004740] rundll32.exe "C:\Users\Syke360\AppData\Local\Temp\vwfwcbot.dll",b
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix: 
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft 
Shared\Help\hxds.dllO18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLLO18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLLO23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXEO23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exeO23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exeO23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeO23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exeO23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exeO23 - Service: HP ProtectTools Device Locking / Auditing (FLCDLOCK) - Hewlett-Packard Ltd - C:\Windows\system32\flcdlock.exeO23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. 
- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exeO23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exeO23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exeO23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exeO23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exeO23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXEO23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)O23 - Service: SQL Server (MSSMLBIZ) (MSSQL$MSSMLBIZ) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ (file missing)O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exeO23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exeO23 - Service: SBSD Security Center 
Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exeO23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exeO23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeO23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exeO23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing) Link to post Share on other sites
rmurphy Posted June 16, 2008

Please rename HijackThis before completing the following directions.

1. Please open Notepad: click Start, then Run. Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\Users\Syke360\AppData\Local\Temp\lbrmwlci.dll
C:\Users\Syke360\AppData\Local\Temp\fgnfqeeh.dll
C:\Users\Syke360\AppData\Local\Temp\xxyyaBqo.dll

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
Combofix.txt
A new HijackThis log.

-Ryan
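A small triage script, added here as an editor's example (it is not part of any post in this thread and not a feature of HijackThis or ComboFix). It parses the O4 autorun lines of a HijackThis log and flags the pattern visible in the 16 June log above: rundll32.exe loading randomly named DLLs from the user's Temp folder, several under value names that are just eight hex digits. It also reads the REGEDIT4-style "Reg Loading Points" block that ComboFix prints and reports Security Center notifications or monitoring switched off and Windows Firewall profiles with EnableFirewall=0, then emits the File:: section of a CFScript in the format rmurphy asks for. The sample inputs are constructed from lines posted in this thread; the two heuristics (Temp-folder DLL, hex-digit value name) are assumptions that fit this family of infection, not a general-purpose classifier, so review every hit before it goes into a CFScript.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample: O4 lines copied from the 16 June HijackThis log in this thread,
# cut down to two legitimate entries plus the four suspect ones.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Syke360\AppData\Local\Temp\xxyyaBqo.dll,c
O4 - HKCU\..\Run: [BM5b3374dc] Rundll32.exe "C:\Users\Syke360\AppData\Local\Temp\fgnfqeeh.dll",s
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Syke360\AppData\Local\Temp\geBtSIyW.dll,#1
O4 - HKCU\..\Run: [58004740] rundll32.exe "C:\Users\Syke360\AppData\Local\Temp\vwfwcbot.dll",b
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
"""
# Constructed sample: part of the "Reg Loading Points" block from the 17 June ComboFix log.
REG_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{DE3F1BC4-50BB-4C6F-93EB-A5783DF3426F}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"""

O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")
# rundll32[.exe] <dll>[,<export>], with the DLL path quoted or not
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?\.dll)"?(?:,(?P<export>\S*))?', re.I)
TEMP_RE = re.compile(r"\\(?:temp|tmp)\\", re.I)
RANDOM_NAME_RE = re.compile(r"(?:BM)?[0-9a-f]{8}", re.I)  # assumption: Vundo-style value names
REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')

class Finding(NamedTuple):
    name: str           # autorun value name, e.g. BM5b3374dc
    dll: str            # DLL handed to rundll32
    reasons: List[str]

def parse_hjt_o4(text: str) -> List[Tuple[str, str, str]]:
    """Return every O4 line as (where, value name, command); other item types are ignored."""
    out = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            out.append((m["where"], m["name"] or "", m["cmd"]))
    return out

def flag_autoruns(entries: List[Tuple[str, str, str]]) -> List[Finding]:
    """Flag rundll32 autoruns whose DLL sits in a Temp folder, the pattern seen in this thread."""
    findings = []
    for _where, name, command in entries:
        m = RUNDLL_RE.match(command)
        if not m:
            continue
        reasons = []
        if TEMP_RE.search(m["dll"]):
            reasons.append("rundll32 loads a DLL from a Temp folder")
        if RANDOM_NAME_RE.fullmatch(name):
            reasons.append("random-looking value name")
        if reasons:
            findings.append(Finding(name, m["dll"], reasons))
    return findings

def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse REGEDIT4-style [key] / "name"=data lines into {key: {name: data}}."""
    reg: Dict[str, Dict[str, str]] = {}
    key = None
    for line in text.splitlines():
        km, vm = REG_KEY_RE.match(line.strip()), REG_VAL_RE.match(line.strip())
        if km:
            key = km["key"]
            reg.setdefault(key, {})
        elif vm and key is not None:
            reg[key][vm["name"]] = vm["data"]
    return reg

def _reg_int(data: str):
    """'dword:00000001' -> 1, '0 (0x0)' -> 0, anything else -> None."""
    data = data.strip()
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    m = re.match(r"\d+", data)
    return int(m.group(0)) if m else None

def find_disabled_protections(reg: Dict[str, Dict[str, str]]) -> List[str]:
    """Security Center notifications/monitoring switched off and firewall profiles with EnableFirewall=0."""
    hits = []
    for key, values in reg.items():
        for name, data in values.items():
            off = name.lower().endswith("disablenotify") or name == "DisableMonitoring"
            if "security center" in key.lower() and off and _reg_int(data) == 1:
                hits.append(f"{key}: {name}=1")
            elif "firewallpolicy" in key.lower() and name == "EnableFirewall" and _reg_int(data) == 0:
                hits.append(f"{key}: EnableFirewall=0")
    return hits

def build_cfscript(findings: List[Finding]) -> str:
    """Emit the 'File::' section of a ComboFix CFScript, one flagged DLL per line."""
    return "File::\n" + "\n".join(f.dll for f in findings) + "\n"
```

Calling build_cfscript(flag_autoruns(parse_hjt_o4(HJT_SAMPLE))) yields a File:: block with the four Temp DLLs, and find_disabled_protections(parse_reg(REG_SAMPLE)) lists the three Security Center switches and the two firewall profiles that were turned off. To run it on a real log, read the file and pass its contents in place of the samples. Note that the O4 list in the 16 June log names four DLLs while the "DLLs Loaded Under Running Processes" section names three, so a script generated from O4 alone is a superset of the File:: block in the post above; comparing both sections is worth the minute it takes.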
Syke360 (Author) Posted June 17, 2008

Here's the new ComboFix log:

ComboFix 08-06-15.4 - Syke360 2008-06-17 16:11:38.2 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.222 [GMT 1:00]
Running from: C:\Users\Syke360\Desktop\ComboFix.exe
Command switches used :: C:\Users\Syke360\Desktop\CFScript.txt
 * Created a new restore point

FILE ::
C:\Users\Syke360\AppData\Local\Temp\fgnfqeeh.dll
C:\Users\Syke360\AppData\Local\Temp\lbrmwlci.dll
C:\Users\Syke360\AppData\Local\Temp\xxyyaBqo.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Users\Syke360\AppData\Local\Temp\fgnfqeeh.dll
C:\Users\Syke360\AppData\Local\Temp\lbrmwlci.dll
C:\Users\Syke360\AppData\Local\Temp\xxyyaBqo.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-17 to 2008-06-17 )))))))))))))))))))))))))))))))
.

2008-06-15 17:06 . 2008-06-15 17:06 <DIR> d-------- C:\Users\Syke360\AppData\Roaming\Grisoft
2008-06-15 17:06 . 2008-06-15 17:06 <DIR> d-------- C:\Users\All Users\Grisoft
2008-06-15 17:06 . 2007-05-30 13:10 10,872 --a------ C:\Windows\System32\drivers\AvgAsCln.sys
2008-06-14 23:58 . 2008-06-15 01:26 <DIR> d-------- C:\VundoFix Backups
2008-06-12 19:01 . 2008-06-12 19:01 <DIR> d-------- C:\Users\All Users\LightScribe
2008-06-12 18:47 . 2008-06-12 18:50 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-06-12 18:47 . 2008-06-12 18:47 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-12 18:29 . 2008-06-12 18:29 <DIR> d-------- C:\Users\All Users\FLEXnet
2008-06-12 18:16 . 2008-06-12 18:16 <DIR> d-------- C:\Program Files\Bonjour
2008-06-12 02:50 . 2008-06-12 02:50 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-06-12 02:47 . 2008-06-12 18:16 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-06-11 21:03 . 2008-06-12 18:31 <DIR> d-------- C:\Users\Syke360\AppData\Roaming\uTorrent
2008-06-11 21:03 . 
2008-06-11 21:03 <DIR> d-------- C:\Program Files\uTorrent2008-06-11 16:50 . 2008-06-11 16:50 113,664 --a------ C:\Windows\System32\drivers\rmcast.sys2008-06-11 16:50 . 2008-06-11 16:50 14,848 --a------ C:\Windows\System32\wshrm.dll2008-06-11 16:49 . 2008-06-11 16:49 1,327,104 --a------ C:\Windows\System32\quartz.dll2008-06-11 16:47 . 2008-06-11 16:47 826,368 --a------ C:\Windows\System32\wininet.dll2008-06-11 02:10 . 2008-06-11 02:10 16 --a------ C:\Windows\System32\coh.cache2008-06-11 01:46 . 2007-03-05 08:53 92,032 --a------ C:\Windows\System32\drivers\ewusbmdm.sys2008-06-11 01:46 . 2007-03-05 08:52 23,424 --a------ C:\Windows\System32\drivers\ewdcsc.sys2008-06-11 01:44 . 2008-06-11 01:44 <DIR> d-------- C:\Program Files\T-Mobile2008-06-11 01:39 . 2008-06-11 01:39 <DIR> d-------- C:\Program Files\7-Zip2008-06-11 01:31 . 2008-06-11 01:31 <DIR> d-------- C:\Users\Syke360\AppData\Roaming\Roxio2008-06-10 18:09 . 2008-06-10 18:09 1,060,920 --a------ C:\Windows\System32\drivers\ntfs.sys2008-06-10 18:09 . 2008-06-10 18:09 41,984 --a------ C:\Windows\System32\drivers\monitor.sys2008-06-10 18:06 . 2008-06-10 18:06 8,147,968 --a------ C:\Windows\System32\wmploc.DLL2008-06-10 18:06 . 2008-06-10 18:06 356,864 --a------ C:\Windows\System32\MediaMetadataHandler.dll2008-06-10 18:06 . 2008-06-10 18:06 7,680 --a------ C:\Windows\System32\spwmp.dll2008-06-10 18:06 . 2008-06-10 18:06 4,096 --a------ C:\Windows\System32\msdxm.ocx2008-06-10 18:06 . 2008-06-10 18:06 4,096 --a------ C:\Windows\System32\dxmasf.dll2008-06-10 17:58 . 2008-06-10 17:58 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.22008-06-10 17:58 . 2008-06-10 17:58 3,504,696 --a------ C:\Windows\System32\ntkrnlpa.exe2008-06-10 17:58 . 2008-06-10 17:58 3,470,392 --a------ C:\Windows\System32\ntoskrnl.exe2008-06-10 17:58 . 2008-06-10 17:58 211,000 --a------ C:\Windows\System32\drivers\volsnap.sys2008-06-10 17:58 . 2008-06-10 17:58 154,624 --a------ C:\Windows\System32\drivers\nwifi.sys2008-06-10 17:58 . 
2008-06-10 17:58 109,624 --a------ C:\Windows\System32\drivers\ataport.sys2008-06-10 17:58 . 2008-06-10 17:58 45,112 --a------ C:\Windows\System32\drivers\pciidex.sys2008-06-10 17:58 . 2008-06-10 17:58 21,560 --a------ C:\Windows\System32\drivers\atapi.sys2008-06-10 17:58 . 2008-06-10 17:58 15,928 --a------ C:\Windows\System32\drivers\pciide.sys2008-06-10 17:55 . 2008-06-10 17:55 806,400 --a------ C:\Windows\System32\drivers\tcpip.sys2008-06-10 17:55 . 2008-06-10 17:55 217,144 --a------ C:\Windows\System32\drivers\netio.sys2008-06-10 17:55 . 2008-06-10 17:55 167,424 --a------ C:\Windows\System32\tcpipcfg.dll2008-06-10 17:55 . 2008-06-10 17:55 24,064 --a------ C:\Windows\System32\netcfg.exe2008-06-10 17:55 . 2008-06-10 17:55 22,016 --a------ C:\Windows\System32\netiougc.exe2008-06-10 17:51 . 2008-06-10 17:51 1,585,664 --a------ C:\Windows\System32\setupapi.dll2008-06-10 17:46 . 2008-06-10 17:46 2,027,008 --a------ C:\Windows\System32\win32k.sys2008-06-10 17:45 . 2008-06-10 17:45 223,232 --a------ C:\Windows\System32\WMASF.DLL2008-06-10 17:45 . 2008-06-10 17:45 9,728 --a------ C:\Windows\System32\LAPRXY.DLL2008-06-10 17:45 . 2008-06-10 17:45 2,048 --a------ C:\Windows\System32\asferror.dll2008-06-10 17:43 . 2008-06-10 17:43 296,448 --a------ C:\Windows\System32\gdi32.dll2008-06-10 17:42 . 2008-06-10 17:42 737,792 --a------ C:\Windows\System32\inetcomm.dll2008-06-10 17:42 . 2008-06-10 17:42 84,480 --a------ C:\Windows\System32\INETRES.dll2008-06-10 17:40 . 2008-06-10 17:40 11,776 --a------ C:\Windows\System32\sbunattend.exe2008-06-10 17:39 . 2008-06-10 17:39 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll2008-06-10 17:39 . 2008-06-10 17:39 1,686,528 --a------ C:\Windows\System32\gameux.dll2008-06-10 17:39 . 2008-06-10 17:39 83,968 --a------ C:\Windows\System32\dnsrslvr.dll2008-06-10 17:39 . 2008-06-10 17:39 24,576 --a------ C:\Windows\System32\dnscacheugc.exe2008-06-10 17:38 . 
2008-06-10 17:38 788,992 --a------ C:\Windows\System32\rpcrt4.dll2008-06-10 17:38 . 2008-06-10 17:38 130,048 --a------ C:\Windows\System32\drivers\srv2.sys2008-06-10 17:38 . 2008-06-10 17:38 101,888 --a------ C:\Windows\System32\drivers\mrxsmb.sys2008-06-10 17:38 . 2008-06-10 17:38 84,992 --a------ C:\Windows\System32\drivers\srvnet.sys2008-06-10 17:38 . 2008-06-10 17:38 58,368 --a------ C:\Windows\System32\drivers\mrxsmb20.sys2008-06-10 17:35 . 2008-06-10 17:35 <DIR> d-------- C:\Program Files\MSXML 4.02008-06-10 17:34 . 2008-06-10 17:34 2,048 --a------ C:\Windows\System32\tzres.dll2008-06-10 01:43 . 2008-06-10 01:43 1,712,984 --a------ C:\Windows\System32\wuaueng.dll2008-06-10 01:43 . 2008-06-10 01:43 1,524,224 --a------ C:\Windows\System32\wucltux.dll2008-06-10 01:43 . 2008-06-10 01:43 549,720 --a------ C:\Windows\System32\wuapi.dll2008-06-10 01:43 . 2008-06-10 01:43 163,000 --a------ C:\Windows\System32\wuwebv.dll2008-06-10 01:43 . 2008-06-10 01:43 80,896 --a------ C:\Windows\System32\wudriver.dll2008-06-10 01:43 . 2008-06-10 01:43 53,080 --a------ C:\Windows\System32\wuauclt.exe2008-06-10 01:43 . 2008-06-10 01:43 43,352 --a------ C:\Windows\System32\wups2.dll2008-06-10 01:43 . 2008-06-10 01:43 33,624 --a------ C:\Windows\System32\wups.dll2008-06-10 01:43 . 2008-06-10 01:43 31,232 --a------ C:\Windows\System32\wuapp.exe2008-06-09 23:05 . 2008-06-09 23:57 <DIR> d-------- C:\Program Files\Windows Live2008-06-09 23:05 . 2008-06-09 23:57 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller2008-06-09 23:04 . 2008-06-09 23:04 0 --a------ C:\Windows\nsreg.dat2008-06-09 23:02 . 2008-06-09 23:56 <DIR> d-------- C:\Users\All Users\WLInstaller2008-06-09 22:55 . 2008-06-09 22:55 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment2008-06-09 22:48 . 2008-06-10 01:52 <DIR> d-------- C:\World of Warcraft2008-06-09 21:51 . 2008-06-09 21:51 <DIR> dr------- C:\Users\Syke360\Searches2008-06-09 21:51 . 
2008-06-16 20:43 <DIR> dr------- C:\Users\Syke360\Contacts2008-06-09 21:51 . 2008-06-09 21:51 44 --a------ C:\Windows\system\hpsysdrv.dat2008-06-09 21:48 . 2008-06-09 21:48 <DIR> d-------- C:\Users\Syke360\AppData\Roaming\Hewlett-Packard2008-06-09 21:43 . 2006-11-02 06:09 1,419,232 --a------ C:\Windows\System32\drivers\wdfcoinstaller01005.dll2008-06-09 21:43 . 2007-06-18 16:12 16,768 --a------ C:\Windows\System32\drivers\HpqKbFiltr.sys2008-06-09 21:41 . 2008-06-09 21:41 <DIR> d-------- C:\Program Files\Broadcom2008-06-09 21:41 . 2008-06-09 21:40 3,231,744 --a------ C:\Windows\System32\bcmihvsrv.dll2008-06-09 21:41 . 2008-06-09 21:40 2,895,872 --a------ C:\Windows\System32\bcmihvui.dll2008-06-09 21:40 . 2008-06-09 21:40 <DIR> d-------- C:\Users\Syke360\AppData\Roaming\Hewlett Packard2008-06-09 21:40 . 2007-09-14 16:41 1,044,472 --a------ C:\Windows\System32\drivers\BCMWL6.SYS2008-06-09 21:40 . 2007-09-14 16:41 87,328 --a------ C:\Windows\System32\bcmwlcoi.dll2008-06-09 21:39 . 2008-06-09 21:39 <DIR> d-------- C:\Program Files\Macrovision Corp2008-06-09 21:39 . 2002-11-22 02:57 204,800 --a------ C:\Windows\System32\IVIresizeW7.dll2008-06-09 21:39 . 2002-11-22 02:57 200,704 --a------ C:\Windows\System32\IVIresizeA6.dll2008-06-09 21:39 . 2002-11-22 02:57 192,512 --a------ C:\Windows\System32\IVIresizeP6.dll2008-06-09 21:39 . 2002-11-22 02:57 192,512 --a------ C:\Windows\System32\IVIresizeM6.dll2008-06-09 21:39 . 2002-11-22 02:57 188,416 --a------ C:\Windows\System32\IVIresizePX.dll2008-06-09 21:39 . 2002-11-22 02:57 20,480 --a------ C:\Windows\System32\IVIresize.dll2008-06-09 21:37 . 2008-06-09 21:37 <DIR> d-------- C:\Program Files\Common Files\InterVideo2008-06-09 21:36 . 2008-06-09 21:36 <DIR> d-------- C:\Users\Syke360\AppData\Roaming\InstallShield2008-06-09 21:36 . 2008-06-09 21:38 <DIR> d-------- C:\Program Files\InterVideo2008-06-09 21:36 . 
2008-06-09 21:36 0 -rahs---- C:\Windows\System32\drivers\103C_HP_bNB_6720s_Y5336AN_0U_QCNU8152F66_E452408-004_4A_I30D8_SHP_V83.0E_68MDU F.09_T080110_WV2-0_L409_M1015_J80_7Intel_86FA_91.73_#071211_N808610C4_(GB900EA#ABU)_XMOBILE_CN10_Z_2F.09_G80862A12;80862A13.MRK2008-06-09 21:34 . 2008-06-09 21:51 <DIR> dr------- C:\Users\Syke360\Videos2008-06-09 21:34 . 2008-06-09 21:51 <DIR> dr------- C:\Users\Syke360\Saved Games2008-06-09 21:34 . 2008-06-09 21:51 <DIR> dr------- C:\Users\Syke360\Pictures2008-06-09 21:34 . 2008-06-09 21:51 <DIR> dr------- C:\Users\Syke360\Music2008-06-09 21:34 . 2008-06-11 01:31 <DIR> dr------- C:\Users\Syke360\Links2008-06-09 21:34 . 2008-06-12 02:39 <DIR> dr------- C:\Users\Syke360\Downloads2008-06-09 21:34 . 2008-06-12 02:45 <DIR> dr------- C:\Users\Syke360\Documents2008-06-09 21:34 . 2008-06-09 21:40 <DIR> d--h----- C:\Users\Syke360\AppData2008-06-09 21:34 . 2008-06-15 03:09 <DIR> d-------- C:\Users\Syke3602008-06-09 21:21 . 2008-06-09 21:21 <DIR> dr------- C:\Windows\System32\config\systemprofile\Contacts.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2008-06-11 17:23 --------- d-----w C:\Program Files\Common Files\Symantec Shared2008-06-11 16:10 --------- d-----w C:\Program Files\Windows Mail2008-06-11 15:47 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll2008-06-11 15:46 56,320 ----a-w C:\Windows\System32\iesetup.dll2008-06-11 15:46 26,624 ----a-w C:\Windows\System32\ieUnatt.exe2008-06-11 15:35 --------- d-----w C:\Program Files\Norton Internet Security2008-06-11 01:03 805 ----a-w C:\Windows\system32\drivers\SYMEVENT.INF2008-06-11 01:03 123,952 ----a-w C:\Windows\system32\drivers\SYMEVENT.SYS2008-06-11 01:03 10,671 ----a-w C:\Windows\system32\drivers\SYMEVENT.CAT2008-06-11 01:03 --------- d-----w C:\Program Files\Symantec2008-06-10 17:22 --------- d-----w C:\Program Files\Windows Sidebar2008-06-10 17:01 --------- d-----w C:\Program Files\Microsoft SQL Server2008-06-10 16:39 
537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll2008-06-10 16:39 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll2008-06-10 16:39 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll2008-06-10 16:39 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll2008-06-10 16:39 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll2008-06-09 20:43 --------- d-----w C:\Program Files\Hewlett-Packard2008-06-09 20:38 --------- d--h--w C:\Program Files\InstallShield Installation Information2008-06-09 20:36 --------- d-----w C:\Program Files\Common Files\InstallShield2007-12-11 11:49 174 --sha-w C:\Program Files\desktop.ini.((((((((((((((((((((((((((((( snapshot@2008-06-16_19.22.25.55 ))))))))))))))))))))))))))))))))))))))))).- 2008-06-16 17:57:52 67,584 --s-a-w C:\Windows\bootstat.dat+ 2008-06-17 15:23:29 67,584 --s-a-w C:\Windows\bootstat.dat- 2008-06-16 17:57:53 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat+ 2008-06-17 15:23:32 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat- 2008-06-16 17:57:53 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat+ 2008-06-17 15:23:32 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat- 2008-06-16 18:01:12 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT+ 2008-06-17 15:24:47 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT+ 2008-06-17 15:24:47 262,144 ---ha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1- 2008-06-16 18:01:06 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT+ 2008-06-17 15:24:47 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT+ 2008-06-17 15:24:47 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1- 2008-06-16 18:13:33 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat+ 2008-06-17 15:16:50 16,384 --sha-w 
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-06-16 18:13:33 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-17 15:16:50 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-06-16 18:13:33 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-06-17 15:16:50 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-06-16 18:00:54 4,132 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3045987615-564324704-3291876626-1006_UserData.bin
+ 2008-06-17 15:03:31 4,188 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3045987615-564324704-3291876626-1006_UserData.bin
- 2008-06-16 18:00:53 72,060 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-06-17 15:03:30 72,712 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-06-16 18:00:34 35,016 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-06-17 15:03:28 35,136 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2007-09-24 15:44 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2007-09-24 15:44 154136]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2007-09-24 15:44 129560]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-02-21 14:14 1183744]
"PDF Complete"="C:\Program Files\PDF Complete\pdfsty.exe" [2007-05-08 17:38 331552]
"PTHOSTTR"="C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.exe" [2007-01-10 00:52 145184]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-07 19:14 833072]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-05-11 22:21 472632]
"WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-11 01:12 317128]
"HP Health Check Scheduler"="c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-06-05 18:12 71176]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59 115816]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 12:43 83608]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-11-06 16:34 177456]
"HP Software Update"="c:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 08:11 49152]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ST Recovery Launcher"="%WINDIR%\SMINST\launcher.exe" [ ]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
DVD Check.lnk - C:\Program Files\InterVideo\DVD Check\DVDCheck.exe [2008-06-09 21:36:32 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
DeviceNP.dll 2007-06-08 18:04 49152 C:\Windows\System32\DeviceNP.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{DE3F1BC4-50BB-4C6F-93EB-A5783DF3426F}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{4FD25612-206A-40CC-9F88-D9EB657E7AE3}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{332F3A3F-9E90-4150-9CE8-AC9437953BD1}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{4B7AFAB4-C471-4429-9682-133BD01D0917}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (UDP-In)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ff20882-39bc-11dd-b2c7-0021000f229f}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ff20889-39bc-11dd-b2c7-0021000f229f}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2d11681-3738-11dd-ac61-001f29867928}]
\shell\AutoRun\command - G:\AutoRun.exe

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"

.
Contents of the 'Scheduled Tasks' folder
"2008-06-16 19:00:21 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Syke360.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-17 16:24:59
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\wlanext.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Windows\System32\AEADISRV.EXE
C:\Windows\System32\agrsmsvc.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\SMINST\Scheduler.exe
C:\Windows\System32\igfxsrvc.exe
C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
.
**************************************************************************
.
Completion time: 2008-06-17 16:30:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-17 15:29:25
ComboFix2.txt 2008-06-16 18:23:37

Pre-Run: 27,339,612,160 bytes free
Post-Run: 27,868,495,872 bytes free

303 --- E O F --- 2008-06-14 22:32:16

And the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 17:54:03, on 17/06/2008
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\PDF Complete\pdfsty.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Syke360\Desktop\renameme.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...b&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...b&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...b&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe"
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunOnce: [ST Recovery Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaT imer.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix: 
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: DeviceNP - C:\Windows\SYSTEM32\DeviceNP.dll
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxdev.dll
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea
Electronics Corporation - C:\Windows\system32\AEADISRV.EXEO23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exeO23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exeO23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeO23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exeO23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exeO23 - Service: HP ProtectTools Device Locking / Auditing (FLCDLOCK) - Hewlett-Packard Ltd - C:\Windows\system32\flcdlock.exeO23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exeO23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. 
- C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exeO23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exeO23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exeO23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exeO23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXEO23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)O23 - Service: SQL Server (MSSMLBIZ) (MSSQL$MSSMLBIZ) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ (file missing)O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exeO23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exeO23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. 
- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exeO23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exeO23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeO23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exeO23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing) Link to post Share on other sites
rmurphy Posted June 17, 2008

Please download Malwarebytes' Anti-Malware from Here or Here.
Double click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

-Ryan
Syke360 (Author) Posted June 18, 2008

Here you go

Malwarebytes' Anti-Malware 1.17
Database version: 865
03:20:25 18/06/2008
mbam-log-6-18-2008 (03-20-25).txt

Scan type: Full Scan (C:\|)
Objects scanned: 186351
Time elapsed: 45 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\58004740 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM5b3374dc (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\Users\Syke360\AppData\Local\Temp\lbrmwlci.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Users\Syke360\AppData\Local\Temp\xxyyaBqo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
rmurphy Posted June 18, 2008

How's the computer running?

-Ryan
Syke360 (Author) Posted June 18, 2008

It's running OK. Still getting some weird errors upon startup:

RUNDLL error Cannot start module. jdsebeyfd.dll missing

Not exactly like that, but I get 3 of them, all with different DLL files missing. None of the files make sense; they all have strange and random filenames.

Apart from that it's running much better. The MSServer reg request has stopped.

Thanks much for your help. Easy to fix with your step by step instructions.
rmurphy Posted June 19, 2008

Please post a new log from the renamed HijackThis.

-Ryan
Syke360 (Author) Posted June 19, 2008

Logfile of HijackThis v1.99.1
Scan saved at 05:45:36, on 19/06/2008
Platform: Unknown Windows (WinNT 6.00.1905 SP1)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\PDF Complete\pdfsty.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Syke360\Desktop\renameme.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...b&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...b&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...b&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe"
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\RunOnce: [sT Recovery Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Syke360\AppData\Local\Temp\geBtSIyW.dll,#1
O4 - HKCU\..\Run: [58004740] rundll32.exe "C:\Users\Syke360\AppData\Local\Temp\vwfwcbot.dll",b
O4 - HKCU\..\Run: [bM5b3374dc] Rundll32.exe "C:\Users\Syke360\AppData\Local\Temp\fgnfqeeh.dll",s
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [iNTERNATIONAL] International*
O13 - Gopher Prefix: 
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: DeviceNP - C:\Windows\SYSTEM32\DeviceNP.dll
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxdev.dll
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: HP ProtectTools Device Locking / Auditing (FLCDLOCK) - Hewlett-Packard Ltd - C:\Windows\system32\flcdlock.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: SQL Server (MSSMLBIZ) (MSSQL$MSSMLBIZ) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ (file missing)
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)

The ones in BOLD are the ones that I get error messages for upon startup.
rmurphy Posted June 19, 2008

Open HijackThis and scan. When it finishes, put an X in the box next to these following item(s):

O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Syke360\AppData\Local\Temp\geBtSIyW.dll,#1
O4 - HKCU\..\Run: [58004740] rundll32.exe "C:\Users\Syke360\AppData\Local\Temp\vwfwcbot.dll",b
O4 - HKCU\..\Run: [bM5b3374dc] Rundll32.exe "C:\Users\Syke360\AppData\Local\Temp\fgnfqeeh.dll",s

Close all open windows except for HijackThis and click Fix checked.
Reboot your computer.
Please rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working.

-Ryan
Syke360 (Author) Posted June 20, 2008

I did as you asked, but shortly after, my Spybot pops up asking for MSServer to edit the registry. I deny, and I scanned again and the three files are back again.

Here's the log; the 3 culprits have been added again but are a little further down the list.

Logfile of HijackThis v1.99.1
Scan saved at 04:18:23, on 20/06/2008
Platform: Unknown Windows (WinNT 6.00.1905 SP1)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\PDF Complete\pdfsty.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Syke360\Desktop\renameme.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVW32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...b&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...b&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...b&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe"
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\RunOnce: [sT Recovery Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Syke360\AppData\Local\Temp\geBtSIyW.dll,#1
O4 - HKCU\..\Run: [58004740] rundll32.exe "C:\Users\Syke360\AppData\Local\Temp\vwfwcbot.dll",b
O4 - HKCU\..\Run: [bM5b3374dc] Rundll32.exe "C:\Users\Syke360\AppData\Local\Temp\fgnfqeeh.dll",s
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [iNTERNATIONAL] International*
O13 - Gopher Prefix: 
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: DeviceNP - C:\Windows\SYSTEM32\DeviceNP.dll
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxdev.dll
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: HP ProtectTools Device Locking / Auditing (FLCDLOCK) - Hewlett-Packard Ltd - C:\Windows\system32\flcdlock.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: SQL Server (MSSMLBIZ) (MSSQL$MSSMLBIZ) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ (file missing)
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
rmurphy Posted June 20, 2008

1. Please open Notepad: click Start, then Run, and type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\Users\Syke360\AppData\Local\Temp\geBtSIyW.dll
C:\Users\Syke360\AppData\Local\Temp\vwfwcbot.dll
C:\Users\Syke360\AppData\Local\Temp\fgnfqeeh.dll
C:\Windows\System32\coh.cache

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSServer"=-
"58004740"=-
"BM5b3374dc"=-

3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
Combofix.txt
A new HijackThis log.

-Ryan
Syke360 Posted June 21, 2008 (Author)

Ah ha, found my problem. When I checked those 3 files previously and selected Fix in HijackThis, my TeaTimer (Spybot) automatically denied reg changes, so the entries still existed. I disabled TeaTimer and scanned and fixed the problem.

Here's the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 01:30:24, on 21/06/2008
Platform: Unknown Windows (WinNT 6.00.1905 SP1)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\SMINST\scheduler.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\PDF Complete\pdfsty.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\SMINST\scheduler.exe
C:\Windows\explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Users\Syke360\Desktop\renameme.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...b&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...b&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe"
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\RunOnce: [sT Recovery Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [iNTERNATIONAL] International*
O13 - Gopher Prefix: 
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: DeviceNP - C:\Windows\SYSTEM32\DeviceNP.dll
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxdev.dll
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: HP ProtectTools Device Locking / Auditing (FLCDLOCK) - Hewlett-Packard Ltd - C:\Windows\system32\flcdlock.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: SQL Server (MSSMLBIZ) (MSSQL$MSSMLBIZ) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ (file missing)
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
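The CFScript two posts up removes three values from the HKCU Run key, and the post above shows why the first removal attempt failed: TeaTimer silently denied the registry change, so the entries were still there on the next scan. The following Python is an added example, not code from this thread, from HijackThis or from ComboFix. It parses O4 (autostart) and O23 (service) lines of a HijackThis-style log, flags the two patterns a helper looks for in the logs above (autostarts loading code from a Temp directory, and machine-generated value names such as 58004740 or BM5b3374dc), notes that "(file missing)" on a quoted or %variable% path is a log-parser artifact to verify rather than act on, and checks a follow-up log to confirm the removal script's entries are really gone. The log lines are constructed to resemble the thread's; pairing each Run value with one of the Temp DLLs via rundll32 is an assumption for illustration, not something the thread states.

```python
"""Triage helper for HijackThis-style logs (added example, not the thread's own code)."""
import re
from dataclasses import dataclass, field

# O4 - HKLM\..\Run: [name] command      (Run and RunOnce)
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# O23 - Service: display name (short name) - owner - path [ (file missing)]
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# Value names built from hex/digits (58004740, BM5b3374dc) rather than words.
RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{0,2}[0-9A-Fa-f]{6,}$")
# Anything launched out of ...\Temp\ or ...\Local\Temp\
TEMP_DIR_RE = re.compile(r"\\(?:Local\\)?Temp\\", re.IGNORECASE)

# Constructed sample modelled on the thread's log (one entry per line). The
# rundll32 pairing of Run names with the Temp DLLs is an assumption.
BEFORE = r"""
O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Syke360\AppData\Local\Temp\geBtSIyW.dll,#1
O4 - HKCU\..\Run: [58004740] rundll32.exe C:\Users\Syke360\AppData\Local\Temp\vwfwcbot.dll,#1
O4 - HKCU\..\Run: [BM5b3374dc] rundll32.exe C:\Users\Syke360\AppData\Local\Temp\fgnfqeeh.dll,#1
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
"""
# What the log should look like once the CFScript has really taken effect.
AFTER_FIX = "\n".join(l for l in BEFORE.splitlines() if not TEMP_DIR_RE.search(l))
# Run value names listed in the CFScript above.
CFSCRIPT_NAMES = ["MSServer", "58004740", "BM5b3374dc"]


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def parse_run_entries(log_text):
    """Return {(hive, value name): command} for every O4 Run/RunOnce line."""
    entries = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries[(m["hive"], m["name"])] = m["cmd"]
    return entries


def triage(log_text):
    """Flag Temp-directory autostarts, random value names and 'file missing' services."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = []
        m = O4_RE.match(line)
        if m:
            if TEMP_DIR_RE.search(m["cmd"]):
                reasons.append("autostart runs code from a Temp directory")
            if RANDOM_NAME_RE.match(m["name"]):
                reasons.append("autostart name looks machine-generated")
        m = O23_RE.match(line)
        if m and m["path"].endswith("(file missing)"):
            path = m["path"][: -len("(file missing)")].strip()
            if '"' in path or path.startswith("%"):
                # The path still carries a quote or an unexpanded variable: the log
                # tool could not resolve it, which is not evidence the binary is gone.
                reasons.append("'file missing' on quoted/variable path: likely parser artifact, verify before acting")
            else:
                reasons.append("service binary reported missing: verify on disk")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


def verify_removed(log_text, names, hive="HKCU"):
    """Names from a removal script that still appear as Run values in a follow-up log."""
    present = {name for (h, name) in parse_run_entries(log_text) if h == hive}
    return sorted(set(names) & present)


if __name__ == "__main__":
    for f in triage(BEFORE):
        print(f.line[:60], "->", "; ".join(f.reasons))
    print("still present after 'Fix':", verify_removed(BEFORE, CFSCRIPT_NAMES))
    print("still present after CFScript:", verify_removed(AFTER_FIX, CFSCRIPT_NAMES))
```

Run against the constructed BEFORE log, triage returns four findings (the three Temp autostarts, two of them also flagged for their names, and the one quoted-path service) and verify_removed reports all three CFScript names still present, which is exactly the state TeaTimer left the machine in; against AFTER_FIX it returns an empty list, the check to make before declaring the entries gone.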
rmurphy Posted June 21, 2008

== Clear Temporary Files ==
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Close all Internet Explorer, Firefox, and Opera windows before continuing.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

== Clear System Restore ==
Let's make a new restore point and clear the others:
Go - Start>Programmes>Accessories>System Tools>System Restore>Create a New Restore point.
Go - Start>Programmes>Accessories>System Tools>Disc Cleanup>"More Options" Tab>Remove All But Most Recent Point.
Please do this for each hard drive that you have connected to the computer.
Please reboot your computer before continuing.

== Kaspersky Web Scanner ==
Please do an online scan with Kaspersky WebScanner.
You will need to use Internet Explorer to do this.
Click on Accept.
You will be prompted to install an ActiveX component from Kaspersky; click Yes.
The program will launch and then begin downloading the latest definition files.
- Once the files have been downloaded click on NEXT.
- Now click on Scan Settings.
- In the scan settings make sure that the following are selected:
  Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
  Scan Options: Scan Archives, Scan Mail Bases
- Click OK.
- Now under "select a target to scan": Select My Computer.
- The program will start and scan your system.
- The scan will take a while, so be patient and let it run.
- Once the scan is complete it will display whether your system has been infected.
- Now click on the Save as Text button.
- Save the file to your desktop.
- Copy and paste that information in your next post.

== Request Logs ==
Please post the log from the Kaspersky scan, along with a new HijackThis log, and let me know how the computer is running.

-Ryan