PC Forum PC Help Forum » Security & Safety » [Fixed] Hijackthis! Logs » HJT Log, Antivirus xp 2008 problem

  #1  
Old 09-06-2008
Bronze Member
 
Join Date: Sep 2008
Posts: 8
PC Experience: Beginner
Ripogenous
HJT Log, Antivirus xp 2008 problem

Hi, I have recently been infected with Antivirus XP 2008. I've tried Malwarebyte's anti-malware, Spybot S&D 1.6, a Bitdefender scan, and more. Nothing has completely removed it. I hope someone can help. Here is my HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:30:19 PM, on 9/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy1.6\TeaTimer.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\TEMP\rny24.tmp
C:\WINDOWS\TEMP\.tt2A.tmp
C:\WINDOWS\TEMP\opq2F.tmp
C:\WINDOWS\system32\lsass.exe
C:\Documents and Settings\Jon Kelley\Desktop\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.6\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\BIN\PPCOLink -STATION
O4 - HKLM\..\Run: [pgrkpsx] C:\WINDOWS\pgrkpsx.exe
O4 - HKLM\..\Run: [Artera] "C:\Program Files\Mainester\arteraui.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy1.6\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingC709] cmd /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7260] command /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6785] cmd /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1826] command /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2296] cmd /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7398] command /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy1.6\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunOnce: [SpybotDeletingB2360] command /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2332] cmd /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2862] command /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6030] cmd /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingB191] command /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7289] cmd /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk"
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1.6\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1.6\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: KODAK Gallery: Print, Store & Share Digital Photos—Order KODAK Prints, Photo Books, Photo Cards & Gifts
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O20 - Winlogon Notify: egwygdn - C:\WINDOWS\SYSTEM32\egwygdn32.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
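An added triage script for logs in the format posted above (it is not part of HijackThis, ComboFix or anything the forum provides). It parses the "Running processes:" list and the Rn/On entries, then flags the patterns an analyst checks first in a log like this one: a core system process running more than once, executables started from a TEMP folder, autorun entries with generated-looking names, an O18 filter hijack with no backing file, and any O20 Winlogon Notify DLL. The sample log is a constructed subset of the lines from the post.

```python
"""Triage helper for HijackThis-style logs (added example, not forum or vendor code)."""
import re
from collections import Counter

# Constructed sample: a handful of lines copied from the log posted in the thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\TEMP\rny24.tmp
C:\WINDOWS\TEMP\.tt2A.tmp
C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [pgrkpsx] C:\WINDOWS\pgrkpsx.exe
O4 - HKLM\..\Run: [inrhc7crj0et0j] C:\WINDOWS\temp\.ttF.tmp.exe
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O20 - Winlogon Notify: egwygdn - C:\WINDOWS\SYSTEM32\egwygdn32.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# Entry lines look like "O4 - <body>", "R1 - <body>", "F2 - <body>", "N1 - <body>".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
# O4 bodies look like "HKLM\..\Run: [name] target".
O4_RE = re.compile(r".*?: \[(?P<name>[^\]]+)\] (?P<target>.*)")
# Any path component named "temp" (C:\WINDOWS\TEMP\, ...\Local Settings\Temp\, ...).
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# Core Windows processes that normally run exactly once.
SINGLETON_PROCESSES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe"}


def parse_hjt(text):
    """Return (processes, entries); entries is a list of (code, body) tuples."""
    processes, entries = [], []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False  # the process list ends where the entries begin
            entries.append((m.group("code"), m.group("body")))
        elif in_procs:
            processes.append(line)
    return processes, entries


def random_looking(name):
    """Heuristic for generated run-key names: 7+ alphanumerics with no vowels,
    or with digits mixed into the letters (e.g. pgrkpsx, inrhc7crj0et0j)."""
    base = name.lower()
    if not re.fullmatch(r"[a-z0-9]{7,}", base):
        return False
    return not re.search(r"[aeiou]", base) or bool(re.search(r"\d", base))


def triage(text):
    """Return a list of (finding_kind, evidence) for the indicators described above."""
    processes, entries = parse_hjt(text)
    findings = []
    counts = Counter(p.rsplit("\\", 1)[-1].lower() for p in processes)
    for name, n in counts.items():
        if name in SINGLETON_PROCESSES and n > 1:
            findings.append(("DUP_SYSTEM_PROCESS", f"{name} x{n}"))
    for proc in processes:
        if TEMP_RE.search(proc):
            findings.append(("PROCESS_FROM_TEMP", proc))
    for code, body in entries:
        if code == "O4":
            m = O4_RE.match(body)
            if not m:
                continue  # Global Startup / other O4 forms without [name]
            if TEMP_RE.search(m.group("target")):
                findings.append(("AUTORUN_FROM_TEMP", body))
            elif random_looking(m.group("name")):
                findings.append(("AUTORUN_RANDOM_NAME", body))
        elif code == "O18" and "(no file)" in body:
            findings.append(("FILTER_HIJACK_NO_FILE", body))
        elif code == "O20":
            findings.append(("WINLOGON_NOTIFY", body))
    return findings


if __name__ == "__main__":
    for kind, evidence in triage(SAMPLE_LOG):
        print(f"{kind:24} {evidence}")
```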


  #2  
Old 09-06-2008
Tech Team Leader
 
Join Date: Feb 2006
Location: coastal Rhode Island
Posts: 4,584
PC Experience: More Stubborn than any PC
ih8bills
Re: HJT Log, Antivirus xp 2008 problem

Hi... Welcome to PCHF.

Forum Rules require that HJT logs must be analyzed by experienced Security Team Analysts. This is for your protection... and to give you our best service.

Our Security Team is always very busy-- and as we live all over the Earth...
Time-Zones are also an important factor.

Your patience is greatly appreciated.

Thank You


__________________


Without music, life would be a mistake
Friedrich Nietzsche
  #3  
Old 09-07-2008
Senior Security Analyst
 
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 4,081
PC Experience: Elite PC Guru
Pancake
Re: HJT Log, Antivirus xp 2008 problem

Ok. Let's download ComboFix.exe. This will give me a better view of the files running and also hidden on your computer, and also those in the registry. Please visit this webpage for downloading and instructions for running the tool:

Go here ======> A guide and tutorial on using ComboFix <====== Go here

Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed you will need to use SP2. Do not use for Vista.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should get a prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

(1) Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
(2) Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.


Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Misuse can cause serious computer problems.

NOTE: Combofix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.


__________________
My real name is Eddy
  #4  
Old 09-08-2008
Bronze Member
 
Join Date: Sep 2008
Posts: 8
PC Experience: Beginner
Ripogenous
Re: HJT Log, Antivirus xp 2008 problem

Thanks very much for the welcome and replies. I'm getting a lot of page cannot be displayed messages, so it took me a while to get everything done. Plus I had a problem getting logged back in, but finally I'm back!

Here are the results of the scans you requested:

Combofix:

ComboFix 08-09-05.04 - Jon Kelley 2008-09-07 20:38:49.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.640 [GMT -4:00]
Running from: C:\Documents and Settings\Jon Kelley\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jon Kelley\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\blphc3crj0et0j.scr
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\drivers\Tbh17.sys
C:\WINDOWS\system32\lphc3crj0et0j.exe
C:\WINDOWS\system32\phc3crj0et0j.bmp
C:\WINDOWS\twain_16.dll
C:\WINDOWS\wiaservb.log
C:\WINDOWS\system32\userinit.exe . . . is infected!!
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SYSREST.SYS
-------\Legacy_TBH17
-------\Legacy_TCPSR
-------\Service_Tbh17
-------\Service_tcpsr

((((((((((((((((((((((((( Files Created from 2008-08-08 to 2008-09-08 )))))))))))))))))))))))))))))))
.
2008-09-07 20:43 . 2008-09-07 20:43 625,208 --a------ C:\WINDOWS\SYSTEM32\phc3crj0et0j.bmp
2008-09-07 20:43 . 2008-09-07 20:43 203,776 --a------ C:\WINDOWS\SYSTEM32\lphc3crj0et0j.exe
2008-09-07 18:34 . 2008-09-07 20:04 0 --a------ C:\WINDOWS\SYSTEM32\lich.dat
2008-09-07 17:59 . 2008-09-07 17:59 21,504 --a------ C:\WINDOWS\SYSTEM32\egwygdn.dll
2008-09-05 11:16 . 2008-09-05 11:22 <DIR> d-------- C:\Program Files\RegCure
2008-09-05 10:49 . 2008-09-05 10:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-05 10:48 . 2008-09-05 10:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-04 23:17 . 2008-09-04 23:17 389 --a------ C:\WINDOWS\wininit.ini
2008-09-04 20:17 . 2008-09-04 20:17 <DIR> d-------- C:\Documents and Settings\Administrator.D3F6SL51\Application Data\Malwarebytes
2008-09-04 20:16 . 2004-08-31 07:31 <DIR> d-------- C:\Documents and Settings\Administrator.D3F6SL51\Application Data\Symantec
2008-09-04 20:16 . 2004-08-31 07:28 <DIR> d-------- C:\Documents and Settings\Administrator.D3F6SL51\Application Data\Sonic
2008-09-04 20:16 . 2004-08-31 07:30 <DIR> d-------- C:\Documents and Settings\Administrator.D3F6SL51\Application Data\Jasc Software Inc
2008-09-04 20:16 . 2008-09-07 11:52 <DIR> d-------- C:\Documents and Settings\Administrator.D3F6SL51
2008-09-04 18:55 . 2008-09-07 11:58 <DIR> d-------- C:\~BCWipe.stu
2008-09-04 18:18 . 2008-09-04 18:51 106,496 --a------ C:\WINDOWS\SYSTEM32\28.tmp
2008-09-04 18:18 . 2008-09-04 18:48 106,496 --a------ C:\WINDOWS\SYSTEM32\27.tmp
2008-09-04 17:51 . 2008-09-04 17:54 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy1.6
2008-09-04 17:47 . 2008-09-04 17:47 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-09-04 17:45 . 2008-09-07 18:33 21,504 --a------ C:\WINDOWS\SYSTEM32\egwygdn32.dll
2008-09-04 16:00 . 2008-09-04 17:04 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-09-04 13:06 . 2008-09-04 19:27 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-01 11:43 . 2008-09-01 11:43 <DIR> d-------- C:\Documents and Settings\Jon Kelley\Application Data\Malwarebytes
2008-09-01 11:43 . 2008-09-01 11:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-01 11:43 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-09-01 11:43 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-08-18 17:04 . 2008-08-18 17:26 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot_bak
2008-08-13 23:00 . 2008-05-01 10:30 331,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-08 00:44 118,784 ----a-w C:\WINDOWS\SYSTEM32\blphc3crj0et0j.scr
2008-09-07 21:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-04 21:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-04 17:05 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-25 00:43 --------- d-----w C:\Program Files\Google
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\SYSTEM32\es.dll
2008-07-07 20:32 253,952 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\SYSTEM32\mscms.dll
2008-06-24 16:23 74,240 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mscms.dll
2008-06-24 14:57 3,592,192 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:41 245,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2005-10-16 02:41 848 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.EXE" [2004-10-13 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-22 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bart Station"="C:\Program Files\ISP50\BIN\PPCOLink -STATION" [X]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [X]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-01-23 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-01-23 126976]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"MediaFace Integration"="C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe" [2003-08-18 53248]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"mmtask"="C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe" [2006-01-17 53248]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-12-14 26112]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]
"lphc3crj0et0j"="C:\WINDOWS\system32\lphc3crj0et0j.exe" [2008-09-07 203776]
"inrhc7crj0et0j"="C:\WINDOWS\temp\.ttF.tmp.exe" [2008-09-07 1613884]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-09-29 126136]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2005-09-29 122880]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)
"NoDispScrSavPage"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\egwygdn]
2008-09-07 18:33 21504 C:\WINDOWS\SYSTEM32\egwygdn32.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy1.6\TeaTimer.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-09-11 124832]
R3 MPNatDrv;Artera NAT Driver;C:\WINDOWS\system32\DRIVERS\mpnat2k.sys [2005-01-11 200736]
S4 BCSWAP;BCSWAP;C:\WINDOWS\system32\drivers\BCSWAP.sys [2004-11-15 88080]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b2c47c0e-9643-11dc-bc88-000f1f7b1dc7}]
\Shell\AutoRun\command - F:\PortableVault.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-MsnMsgr - C:\Program Files\MSN Messenger\MsnMsgr.Exe
HKLM-Run-PCMService - C:\Program Files\Dell\Media Experience\PCMService.exe
HKLM-Run-pgrkpsx - C:\WINDOWS\pgrkpsx.exe
HKLM-Run-Artera - C:\Program Files\Mainester\arteraui.exe
HKLM-Run-Pure Networks Port Magic - C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
HKLM-Run-MsgCenterExe - C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe

.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: &AOL Toolbar search - C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-07 20:43:29
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

C:\DOCUME~1\JONKEL~1\LOCALS~1\Temp\tzk6.tmp 732 bytes
C:\WINDOWS\system32\phc3crj0et0j.bmp 625208 bytes
C:\WINDOWS\system32\blphc3crj0et0j.scr 118784 bytes executable
C:\WINDOWS\system32\lphc3crj0et0j.exe 203776 bytes executable
scan completed successfully
hidden files: 4
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\egwygdn32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\WINDOWS\SYSTEM32\LEXPPS.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\WINDOWS\temp\yydB.tmp
C:\WINDOWS\temp\.ttF.tmp
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\SYSTEM32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-09-07 20:50:57 - machine was rebooted [Jon Kelley]
ComboFix-quarantined-files.txt 2008-09-08 00:50:51
ComboFix2.txt 2008-04-09 15:16:52
Pre-Run: 18,851,471,360 bytes free
Post-Run: 18,804,183,040 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
192 --- E O F --- 2008-08-14 03:46:16


  #5  
Old 09-08-2008
Bronze Member
 
Join Date: Sep 2008
Posts: 8
PC Experience: Beginner
Ripogenous
Re: HJT Log, Antivirus xp 2008 problem

And the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:00:52 PM, on 9/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\TEMP\yydB.tmp
C:\WINDOWS\temp\.ttF.tmp
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Jon Kelley\Desktop\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\BIN\PPCOLink -STATION
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [lphc3crj0et0j] C:\WINDOWS\system32\lphc3crj0et0j.exe
O4 - HKLM\..\Run: [inrhc7crj0et0j] C:\WINDOWS\temp\.ttF.tmp.exe /CR=E08AC8ADEEC613C39E30C48EA611036B2E249A75C683E6E4DD03481D3FE3FC711F60B3CDA2C6CA776C1704501DE86E974B730435E17CC737BDE8683ED040F6D0507659143A06F6C5A614DB0FEFC89E6A65DBF1A13A0CEF
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: KODAK Gallery: Print, Store & Share Digital Photos—Order KODAK Prints, Photo Books, Photo Cards & Gifts
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O20 - Winlogon Notify: egwygdn - C:\WINDOWS\SYSTEM32\egwygdn32.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--


#6
09-08-2008
Pancake
Senior Security Analyst
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 4,081
PC Experience: Elite PC Guru
Re: HJT Log, Antivirus xp 2008 problem

This should get it all fixed..

Have "HijackThis" fix the following item/s in the list below by placing a check in the appropriate boxes. Confirm that you have only the listed ones checked, then press <Fix checked> and close "HijackThis". Please close any open programs before doing this fix.

O4 - HKLM\..\Run: [lphc3crj0et0j] C:\WINDOWS\system32\lphc3crj0et0j.exe
O4 - HKLM\..\Run: [inrhc7crj0et0j] C:\WINDOWS\temp\.ttF.tmp.exe /CR=E08AC8ADEEC613C39E30C48EA611036B2E249A75C683E6E4DD03481D3FE3FC711F60B3CDA2C6CA776C1704501DE86E974B730435E17CC737BDE8683ED040F6D0507659143A06F6C5A614DB0FEFC89E6A65DBF1A13A0CEF
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - Winlogon Notify: egwygdn - C:\WINDOWS\SYSTEM32\egwygdn32.dll

Reboot................................

=========================================

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:




File::
C:\WINDOWS\SYSTEM32\phc3crj0et0j.bmp
C:\WINDOWS\SYSTEM32\lphc3crj0et0j.exe
C:\WINDOWS\SYSTEM32\egwygdn.dll
C:\WINDOWS\SYSTEM32\lich.dat
C:\WINDOWS\SYSTEM32\28.tmp
C:\WINDOWS\SYSTEM32\27.tmp
C:\WINDOWS\SYSTEM32\blphc3crj0et0j.scr
C:\WINDOWS\temp\.ttF.tmp.exe
C:\WINDOWS\temp\yydB.tmp

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lphc3crj0et0j"=-
"inrhc7crj0et0j"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\egwygdn]

Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.




Referring to the picture above, drag CFScript.txt into ComboFix.exe


When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply.


*Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer.*


__________________
My real name is Eddy
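As an added example (not part of Pancake's post and not ComboFix's own code), the Python below parses HijackThis O4 and O20 lines like the three flagged above into their registry location and file path, then renders them in the File::/Registry:: CFScript form used in that post. The sample lines are copied from the log above with the long /CR= argument shortened, and the output names egwygdn32.dll from the O20 line rather than the extra files Pancake located by other means.

```python
import re

# Constructed sample: the three HijackThis lines Pancake flagged above
# (the long /CR= argument is shortened; it is an argument, not part of the path).
HJT_LINES = [
    r"O4 - HKLM\..\Run: [lphc3crj0et0j] C:\WINDOWS\system32\lphc3crj0et0j.exe",
    r"O4 - HKLM\..\Run: [inrhc7crj0et0j] C:\WINDOWS\temp\.ttF.tmp.exe /CR=E08AC8AD",
    r"O20 - Winlogon Notify: egwygdn - C:\WINDOWS\SYSTEM32\egwygdn32.dll",
]
# Registry locations that HijackThis abbreviates in O4 and O20 lines.
RUN_KEY = {"HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
           "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"
# O4: hive, value name in [brackets], optionally quoted path; trailing arguments are dropped.
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] "?([A-Za-z]:\\[^"]+?\.(?:exe|scr|dll))"?')
# O20: Winlogon Notify subkey name and the DLL it loads.
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (\S+\.dll)")

def parse(lines):
    """Return (files, registry): file paths and (key, value_name or None) pairs to delete."""
    files, registry = [], []
    for line in lines:
        if m := O4_RE.match(line):
            hive, name, path = m.groups()
            files.append(path)
            registry.append((RUN_KEY[hive], name))
        elif m := O20_RE.match(line):
            name, path = m.groups()
            files.append(path)
            registry.append((f"{NOTIFY_KEY}\\{name}", None))  # None: delete the whole subkey
    return files, registry

def build_cfscript(files, registry):
    """Render CFScript text: a File:: section, then Registry:: in REGEDIT4 syntax,
    where "name"=- deletes a value and [-key] deletes a key."""
    out = ["File::", *files, "", "Registry::"]
    by_key = {}
    for key, value in registry:
        by_key.setdefault(key, [])
        if value is not None:
            by_key[key].append(value)
    for key, values in by_key.items():
        if values:
            out.append(f"[{key}]")
            out.extend(f'"{v}"=-' for v in values)
        else:
            out.append(f"[-{key}]")
    return "\n".join(out) + "\n"
```

Running `print(build_cfscript(*parse(HJT_LINES)))` prints the two-section script, with the Run values grouped under one key and the Winlogon Notify subkey marked for deletion.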
#7
09-08-2008
Ripogenous
Bronze Member
Join Date: Sep 2008
Posts: 8
PC Experience: Beginner
Re: HJT Log, Antivirus xp 2008 problem

Here are the new logs:

ComboFix 08-09-05.04 - Jon Kelley 2008-09-08 1:15:15.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.714 [GMT -4:00]
Running from: C:\Documents and Settings\Jon Kelley\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jon Kelley\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\SYSTEM32\27.tmp
C:\WINDOWS\SYSTEM32\28.tmp
C:\WINDOWS\SYSTEM32\blphc3crj0et0j.scr
C:\WINDOWS\SYSTEM32\egwygdn.dll
C:\WINDOWS\SYSTEM32\lich.dat
C:\WINDOWS\SYSTEM32\lphc3crj0et0j.exe
C:\WINDOWS\SYSTEM32\phc3crj0et0j.bmp
.
((((((((((((((((((((((((( Files Created from 2008-08-08 to 2008-09-08 )))))))))))))))))))))))))))))))
.
2008-09-05 11:16 . 2008-09-05 11:22 <DIR> d-------- C:\Program Files\RegCure
2008-09-05 10:49 . 2008-09-05 10:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-05 10:48 . 2008-09-05 10:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-04 23:17 . 2008-09-04 23:17 389 --a------ C:\WINDOWS\wininit.ini
2008-09-04 20:17 . 2008-09-04 20:17 <DIR> d-------- C:\Documents and Settings\Administrator.D3F6SL51\Application Data\Malwarebytes
2008-09-04 20:16 . 2004-08-31 07:31 <DIR> d-------- C:\Documents and Settings\Administrator.D3F6SL51\Application Data\Symantec
2008-09-04 20:16 . 2004-08-31 07:28 <DIR> d-------- C:\Documents and Settings\Administrator.D3F6SL51\Application Data\Sonic
2008-09-04 20:16 . 2004-08-31 07:30 <DIR> d-------- C:\Documents and Settings\Administrator.D3F6SL51\Application Data\Jasc Software Inc
2008-09-04 20:16 . 2008-09-07 11:52 <DIR> d-------- C:\Documents and Settings\Administrator.D3F6SL51
2008-09-04 18:55 . 2008-09-07 11:58 <DIR> d-------- C:\~BCWipe.stu
2008-09-04 17:51 . 2008-09-04 17:54 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy1.6
2008-09-04 17:47 . 2008-09-04 17:47 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-09-04 17:45 . 2008-09-07 18:33 21,504 --a------ C:\WINDOWS\SYSTEM32\egwygdn32.dll
2008-09-04 16:00 . 2008-09-04 17:04 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-09-04 13:06 . 2008-09-04 19:27 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-01 11:43 . 2008-09-01 11:43 <DIR> d-------- C:\Documents and Settings\Jon Kelley\Application Data\Malwarebytes
2008-09-01 11:43 . 2008-09-01 11:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-01 11:43 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-09-01 11:43 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-08-18 17:04 . 2008-08-18 17:26 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot_bak
2008-08-13 23:00 . 2008-05-01 10:30 331,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-07 21:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-04 21:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-04 17:05 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-25 00:43 --------- d-----w C:\Program Files\Google
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\SYSTEM32\es.dll
2008-07-07 20:32 253,952 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\SYSTEM32\mscms.dll
2008-06-24 16:23 74,240 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mscms.dll
2008-06-24 14:57 3,592,192 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:41 245,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2005-10-16 02:41 848 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.EXE" [2004-10-13 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-22 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]