slow, very slow to start up and won't open...
 
  Tweaks.com
 Home    Members    Calendar    Who's On    
Search
    Main Site
 


Home » Windows & System Security » HiJack This Logs » slow, very slow to start up and won't open......

27 posts, Page 1 of 3
123»»»

slow, very slow to start up and won't open......Expand / Collapse
Rate Topic
Display Mode
Topic Options
Author
Message
irebeer
Posted 5/12/2008 9:54 AM
Junior Member

Junior MemberJunior MemberJunior MemberJunior MemberJunior MemberJunior MemberJunior MemberJunior MemberJunior MemberJunior Member

Group: Forum Members
Last Login: 5/17/2008 9:48 PM
Posts: 204, Visits: 471
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:51:25 AM, on 5/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\HelpCtr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
O2 - BHO: (no name) - {2F02D978-0FF6-80F7-60BB-0426224AB7B3} - C:\Program Files\fqwypvme\wvfxmypw.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AOL Toolbar BHO - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [msctrl.exe] C:\Program Files\Microsoft Security Adviser\msctrl.exe
O4 - HKLM\..\Run: [msavsc.exe] C:\Program Files\Microsoft Security Adviser\msavsc.exe
O4 - HKLM\..\Run: [msscan.exe] C:\Program Files\Microsoft Security Adviser\msscan.exe
O4 - HKLM\..\Run: [msiemon.exe] C:\Program Files\Microsoft Security Adviser\msiemon.exe
O4 - HKLM\..\Run: [msfw.exe] C:\Program Files\Microsoft Security Adviser\msfw.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-3942531886-1256799619-874574627-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-3942531886-1256799619-874574627-500\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe (User '?')
O4 - HKUS\S-1-5-21-3942531886-1256799619-874574627-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - S-1-5-21-3942531886-1256799619-874574627-500 Startup: AutoPlay.exe (User '?')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Startup: AutoPlay.exe
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0a\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4744F88E-20A6-4B2F-9494-9D385F78C7A5}: NameServer = 85.255.114.104,85.255.112.157
O17 - HKLM\System\CCS\Services\Tcpip\..\{A897ABF5-A8FD-4A27-9311-48287DE45314}: NameServer = 85.255.114.104,85.255.112.157
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.104 85.255.112.157
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.104 85.255.112.157
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.104 85.255.112.157
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: FWService - eAcceleration Corp. - C:\Program Files\eAcceleration\Firewall\FWService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 6975 bytes

Post #239308
RichieUK
Posted 5/12/2008 2:44 PM


Senior Forum Moderator

Senior Forum ModeratorSenior Forum ModeratorSenior Forum ModeratorSenior Forum ModeratorSenior Forum ModeratorSenior Forum ModeratorSenior Forum ModeratorSenior Forum ModeratorSenior Forum ModeratorSenior Forum Moderator

Group: Moderators
Last Login: Today @ 7:46 AM
Posts: 27,525, Visits: 54,327
Please download FixWareout:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it.
Click Next,then Install,then make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load,this is normal.

When your system reboots,follow the prompts.
Afterwards, HijackThis will launch,if it doesn't,launch it manually.
Please click Scan, and checkmark the following items:

O17 - HKLM\System\CCS\Services\Tcpip\..\{4744F88E-20A6-4B2F-9494-9D385F78C7A5}: NameServer = 85.255.114.104,85.255.112.157
O17 - HKLM\System\CCS\Services\Tcpip\..\{A897ABF5-A8FD-4A27-9311-48287DE45314}: NameServer = 85.255.114.104,85.255.112.157
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.104 85.255.112.157
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.104 85.255.112.157
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.104 85.255.112.157

Click 'Fix Checked'.
Close HijackThis,and click OK to proceed.
At the end of the fix you may need to restart your computer again.

Finally, please post the contents of the logfile C:\fixwareout\report.txt into your next reply.

Please Note:
Only do the following if you have connection problems after performing the above steps:
Go to Start>Control Panel,and choose 'Network Connections'.
Then right click on your default connection,usually 'Local Area Connection' or 'Dial-up Connection' if you are using Dial-up,then left click on 'Properties'.
Double-click on the 'Internet Protocol (TCP/IP)' item and select the radio button that says: 'Obtain DNS servers Automatically'.
Click OK twice,restart your computer.



Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop,and install the fix to C:\

* You might want to print/copy the following as you need to be in Safe Mode from here on.

* Please then reboot your computer into Safe Mode by doing the following:
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode,go to and open the C:\SDFix folder,then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer that normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.


If you have previously downloaded ComboFix,please delete that version now.
Download Combofix by sUBs and save to your desktop.
Alternative Combofix download link HERE.
Note
It is important that it is saved directly to your desktop

Now close any open browsers.
Double click on Combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window or do anything else on your pc while it's running.
That may cause the program/system to freeze/hang.
Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix,please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.


__________________________________________________


Proud Member of ASAP (Alliance of Security Analysis Professionals).
Proud Member of U-N-I-T-E (Unified Network of Instructors and Trusted Eliminators).
Malware Complaints

Firefox 3 Get Thunderbird!
Post #239319
irebeer
Posted 5/12/2008 7:12 PM
Junior Member

Junior MemberJunior MemberJunior MemberJunior MemberJunior MemberJunior MemberJunior MemberJunior MemberJunior MemberJunior Member

Group: Forum Members
Last Login: 5/17/2008 9:48 PM
Posts: 204, Visits: 471
Whew...takes a long time to go through all those scans, etc....

ere is C:\fixwareout\report.txt :

HUsername "Administrator" - 05/12/2008 18:49:14 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.
 
~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....
~~~~~ Other
C:\WINDOWS\Temp\kdnlt.ren 73784 06/13/2007

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"MoneyStartUp"="C:\\Program Files\\Microsoft Money\\System\\Money Startup.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

Here is sdfix report:


SDFix: Version 1.182
Run by Administrator on Mon 05/12/2008 at 07:19 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Resetting SecurityProviders Value
Resetting AppInit_DLLs value


Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat - Contains Links to Malware Sites! - Deleted
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat - Contains Links to Malware Sites! - Deleted
C:\SYSTEM~1\_RESTO~1\RP47\A0049161.DLL - Deleted
C:\SYSTEM~1\_RESTO~1\RP47\A0049162.DLL - Deleted
C:\SYSTEM~1\_RESTO~1\RP47\A0049163.DLL - Deleted
C:\SYSTEM~1\_RESTO~1\RP47\A0049164.DLL - Deleted
C:\SYSTEM~1\_RESTO~1\RP47\A0049165.DLL - Deleted
C:\SYSTEM~1\_RESTO~1\RP47\A0049166.DLL - Deleted
C:\SYSTEM~1\_RESTO~1\RP47\A0049167.DLL - Deleted
C:\SYSTEM~1\_RESTO~1\RP47\A0049168.DLL - Deleted
C:\SYSTEM~1\_RESTO~1\RP47\A0049169.DLL - Deleted
C:\SYSTEM~1\_RESTO~1\RP47\A0049170.DLL - Deleted
C:\SYSTEM~1\_RESTO~1\RP47\A0049171.DLL - Deleted
C:\SYSTEM~1\_RESTO~1\RP47\A0049172.DLL - Deleted
C:\SYSTEM~1\_RESTO~1\RP47\A0049173.DLL - Deleted
C:\SYSTEM~1\_RESTO~1\RP47\A0049174.DLL - Deleted
C:\Program Files\MediaVideoCodec\install.ico - Deleted
C:\Program Files\MediaVideoCodec\MediaVideoCodec.ocx - Deleted
C:\Program Files\MediaVideoCodec\Uninstall.exe - Deleted
C:\svchost.exe  - Deleted
C:\svchost2.exe  - Deleted
C:\WINDOWS\binret.exe  - Deleted
C:\WINDOWS\hjoqor.dll  - Deleted
C:\WINDOWS\sys.log  - Deleted
C:\WINDOWS\system32\drivers\atmapi.sys  - Deleted
C:\WINDOWS\system32\rc.dat  - Deleted
C:\WINDOWS\system32\rozmchild.dll  - Deleted
C:\WINDOWS\trayicons.exe  - Deleted
C:\WINDOWS\xcvwer.dll  - Deleted
C:\WINDOWS\system32\wowfx.dll  - Deleted

Folder C:\Program Files\MediaVideoCodec - Removed
Folder C:\Program Files\SystemDefender - Removed


Removing Temp Files

ADS Check :
 


                                 Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 19:27:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"="C:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe:*isabled:BackWeb-137903"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AMERIC~1.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Owner\\Application Data\\ppldr.exe"="C:\\Documents and Settings\\Owner\\Application Data\\ppldr.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Owner\\Application Data\\trant.exe"="C:\\Documents and Settings\\Owner\\Application Data\\trant.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Documents and Settings\\Owner\\Application Data\\pcpriv.exe"="C:\\Documents and Settings\\Owner\\Application Data\\pcpriv.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Owner\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\Owner\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Owner\\Application Data\\ppldr.exe"="C:\\Documents and Settings\\Owner\\Application Data\\ppldr.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Owner\\Application Data\\trant.exe"="C:\\Documents and Settings\\Owner\\Application Data\\trant.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Documents and Settings\\Owner\\Application Data\\pcpriv.exe"="C:\\Documents and Settings\\Owner\\Application Data\\pcpriv.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Owner\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\Owner\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 21 Jul 2001        94,784 ..SH. --- "C:\WINDOWS\twain.dll"
Mon 30 Aug 2004        54,384 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
Mon 30 Aug 2004       156,784 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Mon 30 Aug 2004        31,344 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
Thu  9 Aug 2001        64,512 A..H. --- "C:\WINDOWS\SYSTEM32\PackethSvc.exe"
Sun 16 Dec 2007             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Finished!

and combofix report:

ComboFix 08-05-11.1 - Administrator 2008-05-12 19:40:33.1 - NTFSx86 NETWORK
Running from: C:\Documents and Settings\Administrator\Desktop\spyware stuff\ComboFix.exe

[color=red]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\ShoppingReport
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\Config.xml
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\db\Aliases.dbs
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\db\Sites.dbs
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\report\aggr_storage.xml
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\report\send_storage.xml
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\res1\WhiteList.dbs
C:\Documents and Settings\Owner\Start Menu\XP Antivirus 2008
C:\Documents and Settings\Owner\Start Menu\XP Antivirus 2008\Uninstall XP Antivirus 2008.lnk
C:\Documents and Settings\Owner\Start Menu\XP Antivirus 2008\XP Antivirus 2008.lnk
C:\Program Files\ShoppingReport
C:\Program Files\ShoppingReport\Uninst.exe
C:\Program Files\XP Antivirus
C:\Program Files\XP Antivirus\xpantivirus.exe
C:\Program Files\XP Antivirus\xpantivirus.exe.tmp
C:\WINDOWS\system32\config\systemprofile\Application Data\ShoppingReport
C:\WINDOWS\system32\config\systemprofile\Application Data\ShoppingReport\cs\Config.xml
C:\WINDOWS\system32\config\systemprofile\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
C:\WINDOWS\system32\config\systemprofile\Application Data\ShoppingReport\cs\report\aggr_storage.xml
C:\WINDOWS\system32\config\systemprofile\Application Data\ShoppingReport\cs\report\send_storage.xml
C:\WINDOWS\system32\config\systemprofile\Application Data\ShoppingReport\cs\res1\WhiteList.dbs
C:\WINDOWS\system32\nvrsma.dll
C:\WINDOWS\windisk.dll

.
(((((((((((((((((((((((((   Files Created from 2008-04-12 to 2008-05-12  )))))))))))))))))))))))))))))))
.

2008-05-12 19:07 . 2008-05-12 19:08 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-12 19:06 . 2008-05-12 19:36 <DIR> d----c--- C:\SDFix
2008-05-12 17:52 . 2008-05-12 18:53 <DIR> d----c--- C:\fixwareout
2008-05-12 14:44 . 2008-05-12 14:44 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-12 14:44 . 2008-05-12 14:45 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-12 10:22 . 2008-05-12 10:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-11 22:19 . 2008-05-11 22:22 <DIR> d-------- C:\Program Files\Wise Registry Cleaner 3
2008-05-11 21:33 . 2008-05-11 21:33 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\AVGTOOLBAR
2008-05-11 21:31 . 2008-05-12 11:08 <DIR> d-------- C:\Program Files\AVG
2008-05-11 20:37 . 2008-05-11 20:37 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-11 20:37 . 2008-05-11 22:02 <DIR> d-a--c--- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-11 20:35 . 2008-05-11 21:30 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-11 20:29 . 2007-11-20 14:57 <DIR> d----c--- C:\Documents and Settings\Administrator\WINDOWS
2008-05-11 20:29 . 2007-11-20 14:56 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-05-11 20:29 . 2008-05-11 20:29 <DIR> d----c--- C:\Documents and Settings\Administrator
2008-05-11 20:29 . 2008-05-12 19:42 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-12 19:24 --------- dc----w C:\Documents and Settings\All Users\Application Data\AOL
2008-05-12 18:52 --------- d-----w C:\Program Files\fqwypvme
2001-07-22 02:45 94,784 --sh--w C:\WINDOWS\twain.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-12-14 16:27 171448]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
AutoPlay.exe [2001-08-27 16:52:06 36864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= vdrcodec.dll
"VIDC.DVSD"= miroDV2avi.DLL
"VIDC.PIM1"= pclepim1.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ    scecli scecli

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=


.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 19:43:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\HPZipm12.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\WINDOWS\SYSTEM32\cscript.exe
.
**************************************************************************
.
Completion time: 2008-05-12 19:49:22 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt  2008-05-12 23:49:18

Pre-Run: 68,808,192,000 bytes free
Post-Run: 68,262,584,320 bytes free

107 --- E O F --- 2007-12-17 12:07:39

Lastly, I tried to do the hijack this but it keeps getting hung up and doesn't finish.  I was able, (I think) delete the 017 lines though...

I have been booting in safe mode as it doesn't open to the user selection page as yet and I am using another computer to post results of your directions...the sick one isn't ready for internet yet..i need to load that

What would you like next, please.  And ty for all so far...

Post #239349
RichieUK
Posted 5/13/2008 2:34 AM


Senior Forum Moderator

Senior Forum ModeratorSenior Forum ModeratorSenior Forum ModeratorSenior Forum ModeratorSenior Forum ModeratorSenior Forum ModeratorSenior Forum ModeratorSenior Forum ModeratorSenior Forum ModeratorSenior Forum Moderator

Group: Moderators
Last Login: Today @ 7:46 AM
Posts: 27,525, Visits: 54,327
Find and delete:
C:\Program Files\fqwypvme

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
* Close all other windows before proceeding.
* Double-click on dss.exe and follow the prompts.
* When it has finished, DSS will open two Notepads: main.txt and extra.txt
* Use Save As to save both Notepad files to your Desktop and post them in your next reply.

__________________________________________________


Proud Member of ASAP (Alliance of Security Analysis Professionals).
Proud Member of U-N-I-T-E (Unified Network of Instructors and Trusted Eliminators).
Malware Complaints

Firefox 3 Get Thunderbird!
Post #239357
irebeer
Posted 5/13/2008 9:46 AM
Junior Member

Junior MemberJunior MemberJunior MemberJunior MemberJunior MemberJunior MemberJunior MemberJunior MemberJunior MemberJunior Member

Group: Forum Members
Last Login: 5/17/2008 9:48 PM
Posts: 204, Visits: 471
ok, I found the file to delete and did so...then I downloaded the scan prog and did a scan.  I did it in safe mode.  Here is result;

Main txt....

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-05-13 10:19:47
Computer is in Safe Mode with Networking.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Unable to create WMI object; The operation completed successfully.


Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Administrator.exe) ---------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-13 10:28:04
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16574)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\explorer.exe
F:\dss.exe
C:\Program Files\Trend Micro\HijackThis\Administrator.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AOL Toolbar BHO - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar2.dll
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Startup: AutoPlay.exe
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0a\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = ?
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - CmdMapping - (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\SYSTEM32\msvidctl.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
O23 - Service: FWService - eAcceleration Corp. - C:\Program Files\eAcceleration\Firewall\FWService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\SYSTEM32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\HPZipm12.exe


--
End of file - 4892 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080512-183744-878 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.104 85.255.112.157

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

2 aawservice (Ad-Aware 2007 Service) - c:\program files\lavasoft\ad-aware 2007\aawservice.exe
2 FWService - c:\program files\eacceleration\firewall\fwservice.exe


-- Device Manager: Disabled ----------------------------------------------------

Unable to create WMI object.

-- Files created between 2008-04-13 and 2008-05-13 -----------------------------

2008-05-12 21:21:01         0 d---s--c- C:\Documents and Settings\Guest\Cookies
2008-05-12 21:21:01         0 dr-h---c- C:\Documents and Settings\Guest\Application Data
2008-05-12 21:21:01         0 d---s--c- C:\Documents and Settings\Guest\Application Data\Microsoft
2008-05-12 21:21:01         0 d------c- C:\Documents and Settings\Guest\Application Data\InterTrust
2008-05-12 21:21:01         0 d------c- C:\Documents and Settings\Guest\Application Data\Identities
2008-05-12 21:21:01         0 d------c- C:\Documents and Settings\Guest\Application Data\Adobe
2008-05-12 21:21:00         0 d------c- C:\Documents and Settings\Guest\WINDOWS
2008-05-12 21:21:00         0 d--h---c- C:\Documents and Settings\Guest\Templates
2008-05-12 21:21:00         0 dr-----c- C:\Documents and Settings\Guest\Start Menu
2008-05-12 21:21:00         0 dr-h---c- C:\Documents and Settings\Guest\SendTo
2008-05-12 21:21:00         0 dr-h---c- C:\Documents and Settings\Guest\Recent
2008-05-12 21:21:00         0 d--h---c- C:\Documents and Settings\Guest\PrintHood
2008-05-12 21:21:00         0 d--h---c- C:\Documents and Settings\Guest\NetHood
2008-05-12 21:21:00         0 dr-----c- C:\Documents and Settings\Guest\My Documents
2008-05-12 21:21:00         0 d--h---c- C:\Documents and Settings\Guest\Local Settings
2008-05-12 21:21:00         0 dr-----c- C:\Documents and Settings\Guest\Favorites
2008-05-12 21:21:00         0 d------c- C:\Documents and Settings\Guest\Desktop
2008-05-12 21:20:59    786432 --ah----- C:\Documents and Settings\Guest\NTUSER.DAT
2008-05-12 19:38:09     68096 --a------ C:\WINDOWS\zip.exe
2008-05-12 19:38:09     49152 --a------ C:\WINDOWS\VFind.exe
2008-05-12 19:38:09    212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-12 19:38:09    136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-12 19:38:09    161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-12 19:38:09     98816 --a------ C:\WINDOWS\sed.exe
2008-05-12 19:38:09     80412 --a------ C:\WINDOWS\grep.exe
2008-05-12 19:38:09     73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-12 19:07:58         0 d-------- C:\WINDOWS\ERUNT
2008-05-12 14:44:54         0 d-------- C:\Program Files\Lavasoft
2008-05-12 14:44:54         0 d------c- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-12 10:22:32         0 d-------- C:\Program Files\Trend Micro
2008-05-11 22:19:57         0 d-------- C:\Program Files\Wise Registry Cleaner 3
2008-05-11 21:33:55         0 d------c- C:\Documents and Settings\Administrator\Application Data\AVGTOOLBAR
2008-05-11 21:31:04         0 d-------- C:\Program Files\AVG
2008-05-11 20:37:22         0 d-a-