Ok. Let's download ComboFix.exe. This will give me a better view of the files running and also hidden on your computer, and also those in the registry. Please visit this webpage for downloading and instructions for running the tool:
Go here ======> A guide and tutorial on using ComboFix <====== Go here
Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed you will need to use SP2.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should get a prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
(1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
(2) Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New HijackThis log.
Caution: Never run and remove files with ComboFix unless supervised by a qualified security analyst who is experienced in the use of ComboFix. Misuse can cause serious computer problems.
NOTE: ComboFix prevents autorun of all CDs, floppies and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you, please let me know.
=======================================
Please download SDFix from here and save it to your desktop
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load, the SDFix report will open on screen and will also be saved in the SDFix folder as Report.txt
(Report.txt will also be copied to the Clipboard, ready for posting back on the forum).
Please copy and paste that log in your next reply.
#8
Senior Security Analyst
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 6,867 PC Experience: Elite PC Guru
__________________
My real name is Eddy
#10
Bronze Member
Join Date: Jun 2008
Posts: 19 PC Experience: Experienced beginner

Thanks Pancake. This is my ComboFix log:
ComboFix 08-06-20.4 - Tendekai Kachere 2008-06-29 0:17:36.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.152 [GMT 1:00]
Running from: C:\Documents and Settings\Tendekai Kachere\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tendekai Kachere\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\BM33fc4321.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\bqfuxaly.ini
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\ffughhox.dll
C:\WINDOWS\system32\fiqjfdoc.ini
C:\WINDOWS\system32\ftltyyxs.ini
C:\WINDOWS\system32\fyqohwxp.dll
C:\WINDOWS\system32\geBTmNdd.dll
C:\WINDOWS\system32\gkdplklx.ini
C:\WINDOWS\system32\hjlipkun.ini
C:\WINDOWS\system32\instsrv.exe
C:\WINDOWS\system32\JQrXayxx.ini
C:\WINDOWS\SYSTEM32\JQrXayxx.ini2
C:\WINDOWS\system32\kphesesd.dll
C:\WINDOWS\system32\loimnwqh.dll
C:\WINDOWS\system32\lqoobfen.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\nfecorfi.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pqpenije.ini
C:\WINDOWS\system32\tfnbsdut.dll
C:\WINDOWS\system32\trymvdmp.dll
C:\WINDOWS\system32\vuaayoxf.dll
C:\WINDOWS\system32\wvUoPjgh.dll
C:\WINDOWS\system32\xukqdghb.dll
C:\WINDOWS\system32\xxyaXrQJ.dll
C:\WINDOWS\system32\yayxxuUm.dll
.
((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-28 )))))))))))))))))))))))))))))))
.
2008-06-28 00:15 . 2008-06-28 00:15 81,920 --a------ C:\WINDOWS\SYSTEM32\ifrocefn.dll
2008-06-28 00:14 . 2008-06-28 00:14 102,912 --a------ C:\WINDOWS\SYSTEM32\clwpxf.dll
2008-06-28 00:14 . 2008-06-28 00:14 102,912 --a------ C:\WINDOWS\SYSTEM32\agbgvppy.dll
2008-06-28 00:13 . 2008-06-28 00:13 90,112 --a------ C:\WINDOWS\SYSTEM32\qtmmthkw.dll
2008-06-27 10:33 . 2008-06-27 10:33 <DIR> d-------- C:\Deckard
2008-06-26 23:19 . 2008-06-26 23:19 105,984 --a------ C:\WINDOWS\SYSTEM32\cudcapen.dll
2008-06-26 23:16 . 2008-06-26 23:16 91,136 --a------ C:\WINDOWS\SYSTEM32\agbyiynh.dll
2008-06-26 12:31 . 2008-06-26 12:31 <DIR> d-------- C:\Documents and Settings\Tendekai Kachere\Application Data\iolo
2008-06-26 12:31 . 2008-06-26 12:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\iolo
2008-06-26 01:14 . 2008-06-27 10:33 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-26 01:13 . 2008-06-26 19:50 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-06-26 01:13 . 2008-06-26 01:13 <DIR> d-------- C:\Documents and Settings\Tendekai Kachere\Application Data\PC Tools
2008-06-26 01:13 . 2008-06-10 21:22 81,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2008-06-26 01:13 . 2008-06-02 15:19 66,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2008-06-26 01:13 . 2008-06-02 15:19 42,376 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2008-06-26 01:13 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2008-06-25 22:23 . 2008-06-25 22:23 105,984 --a------ C:\WINDOWS\SYSTEM32\bqneilyk.dll
2008-06-25 22:21 . 2008-06-25 22:21 91,648 --a------ C:\WINDOWS\SYSTEM32\bqifnuaq.dll
2008-06-25 21:26 . 2008-06-25 21:26 105,984 --a------ C:\WINDOWS\SYSTEM32\vrmiinod.dll
2008-06-25 21:24 . 2008-06-25 21:25 91,648 --a------ C:\WINDOWS\SYSTEM32\lyaypcts.dll
2008-06-24 20:44 . 2008-06-24 20:44 99,328 --a------ C:\WINDOWS\SYSTEM32\nfygcyeh.dll
2008-06-24 20:44 . 2008-06-24 20:44 81,408 --a------ C:\WINDOWS\SYSTEM32\xlklpdkg.dll
2008-06-24 20:42 . 2008-06-24 20:42 91,648 --a------ C:\WINDOWS\SYSTEM32\pskpwdup.dll
2008-06-24 12:51 . 2008-06-24 12:51 <DIR> d-------- C:\Program Files\Windows Defender
2008-06-23 20:32 . 2008-06-23 20:32 99,328 --a------ C:\WINDOWS\SYSTEM32\akalrtlr.dll
2008-06-23 20:29 . 2008-06-23 20:29 90,624 --a------ C:\WINDOWS\SYSTEM32\hcbavmtx.dll
2008-06-23 18:03 . 2008-06-23 18:03 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-06-23 00:01 . 2008-06-23 20:35 53,192 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\rp_skt32.sys
2008-06-22 23:58 . 2007-04-19 11:36 48,384 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\rp_pkt32.sys
2008-06-22 23:57 . 2008-06-22 23:57 <DIR> d-------- C:\Program Files\Raxco
2008-06-22 23:57 . 2008-06-22 23:57 <DIR> d-------- C:\Program Files\Common Files\Authentium
2008-06-22 23:57 . 2008-06-22 23:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Raxco
2008-06-22 23:56 . 2008-06-22 23:56 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-06-22 23:56 . 2008-06-22 23:56 <DIR> d-------- C:\Program Files\CA
2008-06-22 23:38 . 2008-06-22 23:55 <DIR> d-------- C:\Program Files\Virgin Broadband
2008-06-22 23:38 . 2008-06-23 00:02 <DIR> d-------- C:\Documents and Settings\Tendekai Kachere\Application Data\Virgin Broadband
2008-06-22 23:38 . 2008-06-22 23:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Virgin Broadband
2008-06-22 23:33 . 2008-06-22 23:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ZKS_COMPANY_NAME
2008-06-22 17:07 . 2008-06-22 17:07 99,328 --a------ C:\WINDOWS\SYSTEM32\eukgxsiw.dll
2008-06-22 17:04 . 2008-06-22 17:04 90,624 --a------ C:\WINDOWS\SYSTEM32\tmnqartl.dll
2008-06-21 16:34 . 2008-06-21 16:34 99,328 --a------ C:\WINDOWS\SYSTEM32\jgnmbcrg.dll
2008-06-21 16:32 . 2008-06-21 16:32 90,624 --a------ C:\WINDOWS\SYSTEM32\eogafiqq.dll
2008-06-20 23:55 . 2008-06-20 23:56 41,723 ---hs---- C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
2008-06-20 23:42 . 2008-06-20 23:42 <DIR> d-------- C:\WINDOWS\SYSTEM32\modtrux01
2008-06-20 23:42 . 2008-06-20 23:42 <DIR> d-------- C:\temp\syschk3
2008-06-19 21:29 . 2008-06-26 00:31 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-19 21:29 . 2008-06-19 21:29 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-31 16:07 . 2008-05-31 16:07 <DIR> d-------- C:\Documents and Settings\Tendekai Kachere\Application Data\ArcSoft
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-26 19:05 --------- d-----w C:\Program Files\Modem On Hold
2008-06-26 19:05 --------- d-----w C:\Program Files\Microsoft Works
2008-06-26 12:02 --------- d-----w C:\Program Files\DivX
2008-06-26 11:41 --------- d-----w C:\Program Files\Common Files\Real
2008-06-24 11:41 --------- d-----w C:\Documents and Settings\Tendekai Kachere\Application Data\MSN6
2008-06-22 22:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-22 17:22 --------- d-----w C:\Program Files\Yahoo!
2008-06-22 17:20 --------- d-----w C:\Program Files\Nokia
2008-06-22 12:25 --------- d-----w C:\Documents and Settings\Tendekai Kachere\Application Data\uTorrent
2008-06-18 21:56 --------- d-----w C:\Program Files\Sports Interactive
2008-06-13 15:06 --------- d-----w C:\Program Files\OFFICE11
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-31 16:38 --------- d-----w C:\Documents and Settings\Tendekai Kachere\Application Data\HPAppData
2008-05-10 08:31 --------- d-----w C:\Program Files\Common Files\ArcSoft
2008-05-10 08:31 --------- d-----w C:\Program Files\ArcSoft
2008-05-10 07:50 --------- d-----w C:\Program Files\Philips
2008-05-10 07:50 --------- d-----w C:\Documents and Settings\Tendekai Kachere\Application Data\InstallShield
2008-05-09 06:53 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-09 06:52 --------- d-----w C:\Documents and Settings\Tendekai Kachere\Application Data\AdobeUM
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 17:01 --------- d-----w C:\Program Files\BearShare Applications
2008-01-15 21:52 140,800 --sh--w C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 17:21 1449984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 08:59 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 08:59 126976]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 20:15 290816]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 11:43 53248]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12 221184]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 01:04 122933]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-09-02 02:45 98304]
"ntl Netguard"="C:\Program Files\ntl\ntl Netguard\RPS.exe" [ ]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46 57344]
"USB Storage Toolbox"="C:\Program Files\USB Disk Win98 Driver\Res.EXE" [2005-09-14 21:44 65536]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2006-11-28 02:12 2658304]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 22:34 49152]
"Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-08-07 18:49 2061552]
"PCguard"="C:\Program Files\Virgin Broadband\PCguard\Rps.exe" [2007-09-05 14:10 310000]
"-FreedomNeedsReboot"="C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe" [2007-09-05 14:10 13552]
"30cf70bd"="C:\WINDOWS\system32\ifrocefn.dll" [2008-06-28 00:15 81920]
"BM33fc4321"="C:\WINDOWS\system32\qtmmthkw.dll " [2008-06-28 00:13 90112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:56 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 08:56 53760 C:\WINDOWS\SYSTEM32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 22:26:24 210520]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Documents and Settings\\Tendekai Kachere\\My Documents\\Tendekai\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Documents and Settings\\Tendekai Kachere\\My Documents\\Tendekai\\uTorrent.exe"=
"C:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

S3 bDMusicb;bDMusicb;C:\DOCUME~1\TENDEK~1\LOCALS~1\Temp\bDMusicb.sys []
S3 Radialpoint Security Services;Virgin Broadband PCguard;C:\WINDOWS\system32\dllhost.exe [2004-08-04 08:56]
S3 SE2Ebus;Sony Ericsson Device 046 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\SE2Ebus.sys [2006-11-10 18:23]
S3 SE2Emdfl;Sony Ericsson Device 046 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\SE2Emdfl.sys [2006-11-10 19:23]
S3 SE2Emdm;Sony Ericsson Device 046 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\SE2Emdm.sys [2006-11-10 19:23]
S3 SE2Emgmt;Sony Ericsson Device 046 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\SE2Emgmt.sys [2006-11-10 19:23]
S3 se2End5;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (NDIS);C:\WINDOWS\system32\DRIVERS\se2End5.sys [2006-11-10 19:23]
S3 SE2Eobex;Sony Ericsson Device 046 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\SE2Eobex.sys [2006-11-10 19:23]
S3 se2Eunic;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (WDM);C:\WINDOWS\system32\DRIVERS\se2Eunic.sys [2006-11-10 19:24]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97497e48-f395-11dc-b187-000f1f556a00}]
\Shell\AutoRun\command - ie.exe
\Shell\explore\Command - ie.exe
\Shell\open\Command - ie.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-06-28 23:31:27 C:\WINDOWS\Tasks\MP Scheduled Scan.job" - C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-06-28 22:11:06 C:\WINDOWS\Tasks\WebReg Deskjet F2100 series.job" - C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-29 00:29:12
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\ifrocefn.dll
-> C:\WINDOWS\system32\qtmmthkw.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Virgin Broadband\PCguard\rpsupdaterr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\WINDOWS\SYSTEM32\msiexec.exe
.
**************************************************************************
.
Completion time: 2008-06-29 0:40:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-28 23:40:04
Pre-Run: 59,861,270,528 bytes free
Post-Run: 59,824,402,432 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
229 --- E O F --- 2008-06-24 23:27:53

I'm about to do the new HijackThis one.
#10
Bronze Member
Join Date: Jun 2008
Posts: 19 PC Experience: Experienced beginner

The new HijackThis log is as follows:
Deckard's System Scanner v20071014.68
Run by Tendekai Kachere on 2008-06-29 00:59:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis (run as Tendekai Kachere.exe) ------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:00:16, on 29/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\USB Disk Win98 Driver\Res.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Tendekai Kachere\Desktop\dss.exe
C:\DOCUME~1\TENDEK~1\Desktop\Tendekai Kachere.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Dell UK Portal
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ntl Netguard] "C:\Program Files\ntl\ntl Netguard\RPS.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USB Disk Win98 Driver\Res.EXE
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [30cf70bd] rundll32.exe "C:\WINDOWS\system32\ifrocefn.dll",b
O4 - HKLM\..\Run: [BM33fc4321] Rundll32.exe "C:\WINDOWS\system32\qtmmthkw.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.tesco.net
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.nick.com
O15 - Trusted Zone: http://register-tesco.qa.business.ntl.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: http://memberservices.tesco.net
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: NTLSignup - https://tesco.autoregister.net/tesco/NTLSignup.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/inflaterball...GameLoader.dll
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} - http://www.miniclip.com/supergerball...GameLoader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.49/output/100039/u...s/dbaccess.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by110fd.bay110.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1143397592921
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab55579.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba250.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 11198 bytes


-- Files created between 2008-05-29 and 2008-06-29 -----------------------------

2008-06-29 00:17:19 0 d-------- C:\cmdcons
2008-06-29 00:14:58 68096 --a------ C:\WINDOWS\zip.exe
2008-06-29 00:14:58 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-29 00:14:58 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-29 00:14:58 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-29 00:14:58 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-29 00:14:58 98816 --a------ C:\WINDOWS\sed.exe
2008-06-29 00:14:58 80412 --a------ C:\WINDOWS\grep.exe
2008-06-29 00:14:58 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-28 00:15:53 81920 --a------ C:\WINDOWS\system32\ifrocefn.dll
2008-06-28 00:14:35 102912 --a------ C:\WINDOWS\system32\clwpxf.dll
2008-06-28 00:14:32 102912 --a------ C:\WINDOWS\system32\agbgvppy.dll
2008-06-28 00:13:50 90112 --a------ C:\WINDOWS\system32\qtmmthkw.dll
2008-06-26 23:19:43 105984 --a------ C:\WINDOWS\system32\cudcapen.dll
2008-06-26 23:16:45 91136 --a------ C:\WINDOWS\system32\agbyiynh.dll
2008-06-26 12:31:46 0 d-------- C:\Documents and Settings\Tendekai Kachere\Application Data\iolo
2008-06-26 12:31:46 0 d-------- C:\Documents and Settings\All Users\Application Data\iolo
2008-06-26 01:14:04 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-26 01:13:09 0 d-------- C:\Program Files\Spyware Doctor
2008-06-26 01:13:09 0 d-------- C:\Documents and Settings\Tendekai Kachere\Application Data\PC Tools
2008-06-25 22:23:53 105984 --a------ C:\WINDOWS\system32\bqneilyk.dll
2008-06-25 22:21:46 91648 --a------ C:\WINDOWS\system32\bqifnuaq.dll
2008-06-25 21:26:58 105984 --a------ C:\WINDOWS\system32\vrmiinod.dll
2008-06-25 21:24:59 91648 --a------ C:\WINDOWS\system32\lyaypcts.dll
2008-06-24 20:44:26 99328 --a------ C:\WINDOWS\system32\nfygcyeh.dll
2008-06-24 20:44:21 81408 --a------ C:\WINDOWS\system32\xlklpdkg.dll
2008-06-24 20:42:13 91648 --a------ C:\WINDOWS\system32\pskpwdup.dll
2008-06-24 12:51:06 0 d-------- C:\Program Files\Windows Defender
2008-06-23 20:33:06 0 dr------- C:\Documents and Settings\LocalService\My Documents
2008-06-23 20:32:07 99328 --a------ C:\WINDOWS\system32\akalrtlr.dll
2008-06-23 20:29:54 90624 --a------ C:\WINDOWS\system32\hcbavmtx.dll
2008-06-23 18:03:56 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-06-22 23:57:48 0 d-------- C:\Program Files\Common Files\Authentium
2008-06-22 23:57:08 0 d-------- C:\Program Files\Raxco
2008-06-22 23:57:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Raxco
2008-06-22 23:56:37 0 d-------- C:\Program Files\CA
2008-06-22 23:56:24 0 d-------- C:\Program Files\Common Files\Scanner
2008-06-22 23:38:40 0 d-------- C:\Documents and Settings\Tendekai Kachere\Application Data\Virgin Broadband
2008-06-22 23:38:28 0 d-------- C:\Program Files\Virgin Broadband
2008-06-22 23:38:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Virgin Broadband
2008-06-22 23:33:56 0 d-------- C:\Documents and Settings\All Users\Application Data\ZKS_COMPANY_NAME
2008-06-22 17:07:00 99328 --a------ C:\WINDOWS\system32\eukgxsiw.dll
2008-06-22 17:04:46 90624 --a------ C:\WINDOWS\system32\tmnqartl.dll
2008-06-21 16:34:56 99328 --a------ C:\WINDOWS\system32\jgnmbcrg.dll
2008-06-21 16:32:43 90624 --a------ C:\WINDOWS\system32\eogafiqq.dll
2008-06-20 23:55:44 41723 ---hs---- C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
2008-06-20 23:42:15 0 d-------- C:\WINDOWS\system32\modtrux01
2008-05-31 16:07:08 0 d-------- C:\Documents and Settings\Tendekai Kachere\Application Data\ArcSoft


-- Find3M Report ---------------------------------------------------------------

2008-06-28 23:11:08 141260 --a------ C:\WINDOWS\hpoins14.dat
2008-06-26 20:05:11 0 d-------- C:\Program Files\Movie Maker
2008-06-26 20:05:04 0 d-------- C:\Program Files\Modem On Hold
2008-06-26 20:05:03 0 d-------- C:\Program Files\Microsoft Works
2008-06-26 20:04:57 0 d-------- C:\Program Files\Messenger
2008-06-26 13:02:36 0 d-------- C:\Program Files\DivX
2008-06-26 12:41:18 0 d-------- C:\Program Files\Common Files\Real
2008-06-24 20:14:44 0 d-------- C:\Documents and Settings\Tendekai Kachere\Application Data\Adobe
2008-06-24 12:41:17 0 d-------- C:\Documents and Settings\Tendekai Kachere\Application Data\MSN6
2008-06-22 23:57:48 0 d-------- C:\Program Files\Common Files
2008-06-22 23:49:22 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-22 18:22:43 0 d-------- C:\Program Files\Yahoo!
2008-06-22 18:20:03 0 d-------- C:\Program Files\Nokia
2008-06-22 13:25:50 0 d-------- C:\Documents and Settings\Tendekai Kachere\Application Data\uTorrent
2008-06-18 22:56:26 0 d-------- C:\Program Files\Sports Interactive
2008-06-13 16:06:14 0 d-------- C:\Program Files\OFFICE11
2008-05-31 17:38:56 0 d-------- C:\Documents and Settings\Tendekai Kachere\Application Data\HPAppData
2008-05-10 09:31:49 0 d-------- C:\Program Files\Common Files\ArcSoft
2008-05-10 09:31:48 0 d-------- C:\Program Files\ArcSoft
2008-05-10 08:50:58 0 d-------- C:\Program Files\Philips
2008-05-10 08:50:34 0 d-------- C:\Documents and Settings\Tendekai Kachere\Application Data\InstallShield
2008-05-09 07:53:58 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-09 07:52:25 0 d-------- C:\Documents and Settings\Tendekai Kachere\Application Data\AdobeUM
2008-05-07 18:01:09 0 d-------- C:\Program Files\BearShare Applications


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{053F9267-DC04-4294-A72C-58F732D338C0}]
02/03/2007 17:52 177768 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [19/10/2005 08:59]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [19/10/2005 08:59]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [11/04/2004 20:15]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [11/04/2004 11:43]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [03/09/2003 20:12]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [15/03/2004 01:04]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [19/08/2003 01:01]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/09/2004 02:45]
"ntl Netguard"="C:\Program Files\ntl\ntl Netguard\RPS.exe" []
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [07/06/2005 00:46]
"USB Storage Toolbox"="C:\Program Files\USB Disk Win98 Driver\Res.EXE" [14/09/2005 21:44]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [28/11/2006 02:12]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [11/03/2007 22:34]
"Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [07/08/2007 18:49]
"PCguard"="C:\Program Files\Virgin Broadband\PCguard\Rps.exe" [05/09/2007 14:10]
"-FreedomNeedsReboot"="C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe" [05/09/2007 14:10]
"30cf70bd"="C:\WINDOWS\system32\ifrocefn.dll" [28/06/2008 00:15]
"BM33fc4321"="C:\WINDOWS\system32\qtmmthkw.dll " [28/06/2008 00:13]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 08:56]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [27/06/2006 17:21]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\Tendekai Kachere\Start
Menu\Programs\Startup\ DESKTOP.INI [03/09/2002 09:00:00] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/04/2008 03:38:16] DESKTOP.INI [03/09/2002 09:00:00] HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [11/03/2007 22:26:24] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [17/02/1999 21:05:56] [HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\policies\system] "DisableRegistryTools"=0 (0x0) "HideLegacyLogonScripts"=0 (0x0) "HideLogoffScripts"=0 (0x0) "RunLogonScriptSync"=1 (0x1) "RunStartupScriptSync"=0 (0x0) "HideStartupScripts"=0 (0x0) [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\policies\system] "HideLegacyLogonScripts"=0 (0x0) "HideLogoffScripts"=0 (0x0) "RunLogonScriptSync"=1 (0x1) "RunStartupScriptSync"=0 (0x0) "HideStartupScripts"=0 (0x0) [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\sdauxservice" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\sdcoreservice" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\vds] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}] @="Volume shadow copy" [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 Pml Driver HPZ12 Net Driver HPZ12 hpdevmgmt hpqcxs08 hpqddsvc [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{97497e48-f395-11dc-b187-000f1f556a00}] AutoRun\command- ie.exe explore\Command- ie.exe open\Command- ie.exe -- End of Deckard's System Scanner: finished at 2008-06-29 01:00:58 ------------ Now to the next thing. Hope I get this right. Thanks for the help so far by the way. |

#11
Senior Security Analyst
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 6,867 PC Experience: Elite PC Guru

To help clean out Trusted Zones, download and run DELDOMAINS, then double click to open the DelDomains.inf. To execute the file: right-click and select 'Install' from the menu.

===========================================

Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes. Confirm that you have only the listed ones checked, then press <Fix checked> and close HJT.

O4 - HKLM\..\Run: [30cf70bd] rundll32.exe "C:\WINDOWS\system32\ifrocefn.dll",b
O4 - HKLM\..\Run: [BM33fc4321] Rundll32.exe "C:\WINDOWS\system32\qtmmthkw.dll",s
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.nick.com
O15 - Trusted Zone: http://register-tesco.qa.business.ntl.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: http://memberservices.tesco.net
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)

Reboot...........................

===================================

Please copy this page to *Notepad* and save to your desktop for reference, as you will not have any browsers open while you are carrying out portions of these instructions. It's IMPORTANT to carry out the instructions in the sequence listed below.

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

Referring to the picture above, drag CFScript.txt into ComboFix.exe. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis. Ensure you are connected to the internet and click OK on the message box. A browser will open. Simply follow the instructions to copy/paste/send the requested file.
__________________
My real name is Eddy
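The fix list in the post above was picked by eye from the user's HijackThis log. As an added example (not code from the forum post, from HijackThis or from any project), here is a small Python triage script that parses O4 and O15 lines in that format and flags the two patterns the list targets: rundll32-loaded DLLs with random-looking names in system32, and Trusted Zone additions. The sample lines are copied from the post plus two constructed benign autoruns so the detector has something to leave alone; the heuristics, function names and thresholds are my own assumptions, and a hit is a prompt for analyst review, not a verdict.

```python
"""Triage helper for HijackThis O4 (autorun) and O15 (Trusted Zone) lines.

Added example, not part of the forum thread. The heuristics are assumptions
made for illustration; every flagged line still needs a human to confirm it.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the analyst's fix list from the post, plus two benign
# O4 autoruns of the same shape (IgfxTray and ctfmon.exe appear in the user's
# Deckard log) that must NOT be flagged.
SAMPLE_HJT_LINES = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [30cf70bd] rundll32.exe "C:\WINDOWS\system32\ifrocefn.dll",b
O4 - HKLM\..\Run: [BM33fc4321] Rundll32.exe "C:\WINDOWS\system32\qtmmthkw.dll",s
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: http://memberservices.tesco.net
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
"""

# HJT line shapes: "O4 - HKLM\..\Run: [ValueName] command" and
# "O15 - Trusted Zone: host (HKLM)" (the hive suffix is optional).
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
O15_RE = re.compile(r'^O15 - Trusted Zone: (?P<host>\S+)(?: \((?P<hive>[^)]+)\))?$')
# rundll32 invocation with the DLL path, quoted or not, before the ",entrypoint".
RUNDLL_CMD = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)
# Assumed heuristics: value names that are pure hex blobs (optionally "BM"-prefixed,
# as in the post) and DLL stems of 6-10 lowercase letters with no product name.
HEX_VALUE_NAME = re.compile(r'(?:BM)?[0-9a-f]{8,}')
RANDOM_STEM = re.compile(r'[a-z]{6,10}')


@dataclass
class Entry:
    kind: str              # "O4" or "O15"
    line: str              # original HJT line
    hive: Optional[str]    # HKLM / HKCU where the line says so
    name: Optional[str]    # O4 value name, None for O15
    target: str            # O4 command line, or O15 host pattern


@dataclass
class Finding:
    kind: str
    line: str
    reasons: List[str]


def parse_hjt(text: str) -> List[Entry]:
    """Parse O4 and O15 lines; other HJT sections are ignored here."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            entries.append(Entry("O4", line, m["hive"], m["name"], m["cmd"]))
            continue
        m = O15_RE.match(line)
        if m:
            entries.append(Entry("O15", line, m["hive"], None, m["host"]))
    return entries


def triage_o4(e: Entry) -> List[str]:
    """Flag rundll32 autoruns that load a random-named DLL from system32."""
    reasons: List[str] = []
    m = RUNDLL_CMD.match(e.target)
    if not m:
        return reasons  # plain executables are outside this heuristic
    dll = m["dll"]
    folder, _, filename = dll.rpartition("\\")
    stem = filename[:-4].lower()  # regex guarantees a ".dll" suffix
    if folder.lower().endswith("\\system32") and RANDOM_STEM.fullmatch(stem):
        reasons.append(f"rundll32 loads {filename} from system32 under a random-looking name")
    if HEX_VALUE_NAME.fullmatch(e.name or ""):
        reasons.append(f"autorun value name {e.name!r} is a hex blob, not a product name")
    return reasons


def triage_o15(e: Entry) -> List[str]:
    """Every Trusted Zone addition is worth a look; wildcards most of all."""
    scope = "machine-wide (HKLM)" if e.hive == "HKLM" else "current user"
    if e.target.startswith("*."):
        return [f"wildcard Trusted Zone entry {e.target} ({scope}) lowers IE security for a whole domain"]
    return [f"Trusted Zone entry {e.target} ({scope}); confirm the user added it deliberately"]


def triage(entries: List[Entry]) -> List[Finding]:
    findings: List[Finding] = []
    for e in entries:
        reasons = triage_o4(e) if e.kind == "O4" else triage_o15(e)
        if reasons:
            findings.append(Finding(e.kind, e.line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_HJT_LINES)):
        print(f.line)
        for r in f.reasons:
            print("   -", r)
```

On the sample, the two rundll32 entries are flagged for both the DLL name and the hex value name, the IgfxTray and ctfmon lines pass, and all three O15 lines are listed with the HKLM one marked machine-wide. Feeding it a full HJT log gives a shortlist to compare against the analyst's fix list rather than a replacement for it.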

#12
Bronze Member
Join Date: Jun 2008
Posts: 19 PC Experience: Experienced beginner

I've managed to run SDFix and the report is as follows:
SDFix: Version 1.198
Run by Tendekai Kachere on 29/06/2008 at 01:20

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\Program Files\Common Files\Yazzle1281OinAdmin.exe - Deleted
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe - Deleted

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-29 01:27:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"
"C:\\Documents and Settings\\Tendekai Kachere\\My Documents\\Tendekai\\LimeWire\\LimeWire.exe"="C:\\Documents and Settings\\Tendekai Kachere\\My Documents\\Tendekai\\LimeWire\\LimeWire.exe:*:Disabled:LimeWire"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Disabled:Windows Messenger"
"C:\\Documents and Settings\\Tendekai Kachere\\My Documents\\Tendekai\\uTorrent.exe"="C:\\Documents and Settings\\Tendekai Kachere\\My Documents\\Tendekai\\uTorrent.exe:*:Disabled:µTorrent"
"C:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"="C:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe:*:Disabled:BearShare"
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"="C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Disabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Disabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 16 Jul 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 21 Sep 2005 782 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv17.bak"
Mon 26 Mar 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Mon 12 Feb 2007 161,792 ...H. --- "C:\Documents and Settings\Tendekai Kachere\My Documents\RICS\~WRL1835.tmp"
Wed 22 Mar 2006 19,968 ...H. --- "C:\Documents and Settings\Tendekai Kachere\My Documents\Tendekai\~WRL2724.tmp"
Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT3FF.tmp"
Fri 7 Mar 2008 116,736 A..H. --- "C:\Documents and Settings\Tendekai Kachere\My Documents\Tendekai\BTEC (Word)\~WRL0003.tmp"
Wed 30 Jan 2008 311,808 A..H. --- "C:\Documents and Settings\Tendekai Kachere\My Documents\Tendekai\BTEC (Word)\~WRL0005.tmp"
Thu 31 Jan 2008 312,832 A..H. --- "C:\Documents and Settings\Tendekai Kachere\My Documents\Tendekai\BTEC (Word)\~WRL0006.tmp"
Thu 31 Jan 2008 313,856 A..H. --- "C:\Documents and Settings\Tendekai Kachere\My Documents\Tendekai\BTEC (Word)\~WRL0137.tmp"
Fri 7 Mar 2008 117,760 A..H. --- "C:\Documents and Settings\Tendekai Kachere\My Documents\Tendekai\BTEC (Word)\~WRL0644.tmp"
Thu 31 Jan 2008 313,856 A..H. --- "C:\Documents and Settings\Tendekai Kachere\My Documents\Tendekai\BTEC (Word)\~WRL0899.tmp"
Thu 31 Jan 2008 314,368 A..H. --- "C:\Documents and Settings\Tendekai Kachere\My Documents\Tendekai\BTEC (Word)\~WRL1005.tmp"
Thu 31 Jan 2008 313,856 A..H. --- "C:\Documents and Settings\Tendekai Kachere\My Documents\Tendekai\BTEC (Word)\~WRL1062.tmp"
Fri 7 Mar 2008 117,760 A..H. --- "C:\Documents and Settings\Tendekai Kachere\My Documents\Tendekai\BTEC (Word)\~WRL2016.tmp"
Fri 7 Mar 2008 116,736 A..H. --- "C:\Documents and Settings\Tendekai Kachere\My Documents\Tendekai\BTEC (Word)\~WRL2046.tmp"
Fri 7 Mar 2008 117,760 A..H. --- "C:\Documents and Settings\Tendekai Kachere\My Documents\Tendekai\BTEC (Word)\~WRL2917.tmp"
Thu 31 Jan 2008 310,784 A..H. --- "C:\Documents and Settings\Tendekai Kachere\My Documents\Tendekai\BTEC (Word)\~WRL3184.tmp"
Fri 7 Mar 2008 116,736 A..H. --- "C:\Documents and Settings\Tendekai Kachere\My Documents\Tendekai\BTEC (Word)\~WRL3907.tmp"
Wed 13 Feb 2008 50,176 A..H. --- "C:\Documents and Settings\Tendekai Kachere\My Documents\Tendekai\English\~WRL0004.tmp"
Mon 25 Feb 2008 35,328 A..H. --- "C:\Documents and Settings\Tendekai Kachere\My Documents\Tendekai\English\~WRL1640.tmp"
Thu 17 Jan 2008 45,568 A..H. --- "C:\Documents and Settings\Tendekai Kachere\My Documents\Tendekai\English\~WRL2607.tmp"
Fri 22 Feb 2008 27,136 A..H. --- "C:\Documents and Settings\Tendekai Kachere\My Documents\Tendekai\Global Citizenship\~WRL0004.tmp"
Wed 20 Feb 2008 23,040 A..H. --- "C:\Documents and Settings\Tendekai Kachere\My Documents\Tendekai\Global Citizenship\~WRL0005.tmp"
Thu 21 Feb 2008 24,064 A..H. --- "C:\Documents and Settings\Tendekai Kachere\My Documents\Tendekai\Global Citizenship\~WRL2169.tmp"
Thu 21 Feb 2008 23,040 A..H. --- "C:\Documents and Settings\Tendekai Kachere\My Documents\Tendekai\Global Citizenship\~WRL3714.tmp"
Thu 21 Feb 2008 19,968 A..H. --- "C:\Documents and Settings\Tendekai Kachere\My Documents\Tendekai\Global Citizenship\~WRL4002.tmp"
Tue 26 Feb 2008 277,504 A..H. --- "C:\Documents and Settings\Tendekai Kachere\My Documents\Tendekai\History\~WRL0003.tmp"
Tue 26 Feb 2008 277,504 A..H. --- "C:\Documents and Settings\Tendekai Kachere\My Documents\Tendekai\History\~WRL0467.tmp"
Thu 3 Jan 2008 269,824 A..H. --- "C:\Documents and Settings\Tendekai Kachere\My Documents\Tendekai\History\~WRL0897.tmp"
Wed 6 Feb 2008 280,064 A..H. --- "C:\Documents and Settings\Tendekai Kachere\My Documents\Tendekai\History\~WRL3235.tmp"
Mon 18 Sep 2006 0 A.SH. --- "C:\Deckard\System Scanner\20080629005921\backup\WINDOWS\temp\czhoufdg.TMP"
Mon 9 Oct 2006 0 A.SH. --- "C:\Deckard\System Scanner\20080629005921\backup\WINDOWS\temp\mn22q5on.TMP"
Wed 13 Feb 2008 50,176 A..H. --- "C:\Documents and Settings\Tendekai Kachere\My Documents\Tendekai\Word stuff\English\~WRL0004.tmp"
Thu 17 Jan 2008 45,568 A..H. --- "C:\Documents and Settings\Tendekai Kachere\My Documents\Tendekai\Word stuff\English\~WRL2607.tmp"
Thu 21 Feb 2008 23,040 A..H. --- "C:\Documents and Settings\Tendekai Kachere\My Documents\Tendekai\Word stuff\Global Citizenship\~WRL0005.tmp"
Thu 21 Feb 2008 24,064 A..H. --- "C:\Documents and Settings\Tendekai Kachere\My Documents\Tendekai\Word stuff\Global Citizenship\~WRL2169.tmp"
Thu 21 Feb 2008 23,040 A..H. --- "C:\Documents and Settings\Tendekai Kachere\My Documents\Tendekai\Word stuff\Global Citizenship\~WRL3714.tmp"
Thu 21 Feb 2008 19,968 A..H. --- "C:\Documents and Settings\Tendekai Kachere\My Documents\Tendekai\Word stuff\Global Citizenship\~WRL4002.tmp"
Wed 19 Mar 2008 2,310,656 A..H. --- "C:\Documents and Settings\Tendekai Kachere\My Documents\Tendekai\GCSE I.T\GCSE I.T\Unit 3\Task A\~WRL1945.tmp"
Wed 19 Mar 2008 95,744 A..H. --- "C:\Documents and Settings\Tendekai Kachere\My Documents\Tendekai\GCSE I.T\GCSE I.T\Unit 3\Task E\~WRL0234.tmp"
Thu 17 Apr 2008 58,880 A..H. --- "C:\Documents and Settings\Tendekai Kachere\My Documents\Tendekai\GCSE I.T\GCSE I.T\Unit 3\Task F\~WRL2274.tmp"

Finished!

Once again, I appreciate the help so far. I hope this will help solve the entire problem.

#13
Senior Security Analyst
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 6,867 PC Experience: Elite PC Guru

I will wait for the new ComboFix log.
__________________
My real name is Eddy

#14
Bronze Member
Join Date: Jun 2008
Posts: 19 PC Experience: Experienced beginner

Sorry for the bother, but how do you make HijackThis fix items? What are the steps? I do not know how to get to the list so that I can check the appropriate boxes.