Free PC Performance Scan

Member Panel

Remember me ?

Forgot password?   

Join the PC Help Forum Team

Join PC Help Forum on Facebook

Join the PCHF Distributed Computing Teams

Try the NEW PC Help Forum Dark style

Link to PCHF from other parts of the Internet
PC Forum PC Help Forum » Operating Systems » Windows XP/2000 » [Resolved] Another One - Help Please

Windows XP/2000 - Another One - Help Please posted in the Operating Systems forums; If you use a flash/thumb drive insert it before doing this fix. Please copy this page to *Notepad* and save to your desktop for reference as you will not have ...

JOIN US NOW to remove these Ads

Post New Thread  Reply
Page 2 of 3 < 1 2 3 >
  #8  
Old 07-18-2008
Pancake's Avatar
Senior Security Analyst
  
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 4,063
PC Experience: Elite PC Guru
Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page
Default Re: Another One - Help Please
If you use a flash/thumb drive insert it before doing this fix.


Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:




File::
G:\ek.com

Folder::
C:\pjk

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{88f2e43e-2ccb-11dc-a387-001060a1af25}]


Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.




Refering to the picture above, drag CFScript.txt into ComboFix.exe


When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please.


*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.Altering this script in any way could damage your computer*


__________________
  • An Australian Member of
  • and
My real name is Eddy
  #9  
Old 07-19-2008
elpmek's Avatar
Tech Support Team
  
Join Date: Feb 2006
Location: Gloucestershire
Posts: 973
PC Experience: Experienced
elpmek - See this Members User comments on their Profile page elpmek - See this Members User comments on their Profile page elpmek - See this Members User comments on their Profile page elpmek - See this Members User comments on their Profile page elpmek - See this Members User comments on their Profile page elpmek - See this Members User comments on their Profile page elpmek - See this Members User comments on their Profile page elpmek - See this Members User comments on their Profile page elpmek - See this Members User comments on their Profile page elpmek - See this Members User comments on their Profile page elpmek - See this Members User comments on their Profile page
Default Re: Another One - Help Please
After last lot could only boot into "Safe Mode wih Networking" as getting BSOD

Ran Combo - after it said it had finished had to reboot by turning power off. This is first boot since then & into full mode ok - HJT log attached

Also the thumb drive is E: so no G: involved

more thanks


ComboFix 08-07-15.4 - Tegwen H 2008-07-19 11:08:01.7 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.717 [GMT 1:00]
Running from: C:\Documents and Settings\Tegwen H\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tegwen H\Desktop\CFScript.txt

FILE ::
G:\ek.com
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\pjk
C:\pjk\OTMoveIt2.exe

.
((((((((((((((((((((((((( Files Created from 2008-06-19 to 2008-07-19 )))))))))))))))))))))))))))))))
.

2008-07-18 14:29 . 2008-07-18 14:29 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-07-16 21:23 . 2008-07-18 16:39 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-16 21:23 . 2008-07-16 21:23 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-16 21:23 . 2008-07-16 21:23 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-16 21:23 . 2008-07-16 21:23 12,936 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-07-16 21:23 . 2008-07-16 21:23 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-16 21:13 . 2008-07-16 21:13 <DIR> d-------- C:\Program Files\COMODO
2008-07-16 21:13 . 2008-07-16 21:13 <DIR> d-------- C:\Documents and Settings\Tegwen H\Application Data\Comodo
2008-07-16 21:13 . 2008-07-16 21:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-07-16 21:13 . 2008-07-16 21:13 143,104 --a------ C:\WINDOWS\system32\guard32.dll
2008-07-16 21:13 . 2008-07-16 21:13 87,056 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
2008-07-16 21:13 . 2008-07-16 21:13 24,208 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-07-16 21:03 . 2008-07-16 21:03 12,598 --a------ C:\WINDOWS\system32\wpa.bak
2008-07-16 20:42 . 2008-07-19 11:02 937,574,400 --a------ C:\WINDOWS\MEMORY.DMP
2008-07-16 20:17 . 2008-04-14 05:41 1,888,992 --a------ C:\WINDOWS\system32\OLD3AE.tmp
2008-07-16 20:14 . 2008-07-16 20:48 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-07-16 20:14 . 2008-07-16 20:48 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-07-16 20:14 . 2008-07-16 20:48 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-07-16 20:14 . 2008-07-16 20:48 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-07-16 20:14 . 2008-07-16 20:48 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-07-16 19:57 . 2004-08-04 13:00 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2008-07-16 19:57 . 2004-08-04 13:00 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2008-07-16 19:09 . 2008-04-14 05:42 1,306,624 --a------ C:\WINDOWS\system32\msxml6.dll
2008-07-16 19:09 . 2008-04-13 22:57 79,872 --a------ C:\WINDOWS\system32\msxml6r.dll
2008-07-16 19:06 . 2008-07-16 19:09 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-07-16 18:57 . 2008-07-16 18:57 <DIR> d-------- C:\WINDOWS\EHome
2008-07-16 16:50 . 2008-07-16 16:50 <DIR> d-------- C:\Program Files\Belarc
2008-07-16 16:50 . 2005-04-07 16:18 3,840 --a------ C:\WINDOWS\system32\drivers\BANTExt.sys
2008-07-16 15:58 . 2008-07-16 19:20 51,228 --a------ C:\WINDOWS\setupapi.old
2008-07-16 15:45 . 2008-07-16 15:45 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-16 14:39 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-07-16 14:39 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-07-16 14:39 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-07-16 14:39 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-16 14:26 . 2008-07-16 14:26 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-16 11:05 . 2008-07-16 11:05 <DIR> d-------- C:\Program Files\AVG
2008-07-15 20:46 . 2008-07-15 20:46 <DIR> d-------- C:\Program Files\Sophos

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-07-16 20:51 2,428 ----a-w C:\Documents and Settings\Tegwen H\Application Data\wklnhst.dat
2008-07-16 20:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-07-16 19:47 1,663 ----a-w C:\WINDOWS\inf\COMC9.tmp
2008-07-16 17:48 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-07-16 15:30 --------- d-----w C:\Program Files\Google
2008-06-28 14:38 --------- d-----w C:\Documents and Settings\Tegwen H\Application Data\AdobeUM
2008-06-15 15:12 --------- d-----w C:\Documents and Settings\Tegwen H\Application Data\Skype
2008-06-11 17:02 --------- d-----w C:\Documents and Settings\Tegwen H\Application Data\skypePM
2007-12-25 21:08 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((( snapshot_2008-07-17_ 9.30.45.75 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-16 20:37:13 237,568 ----a-w C:\WINDOWS\system32\VSS\Documents and Settings\LocalService\NTUSER.DAT
+ 2008-07-18 09:35:33 237,568 ----a-w C:\WINDOWS\system32\VSS\Documents and Settings\LocalService\NTUSER.DAT
- 2008-07-16 20:37:13 237,568 ----a-w C:\WINDOWS\system32\VSS\Documents and Settings\NetworkService\NTUSER.DAT
+ 2008-07-18 09:35:33 237,568 ----a-w C:\WINDOWS\system32\VSS\Documents and Settings\NetworkService\NTUSER.DAT
- 2008-07-16 20:36:43 4,194,304 ---ha-w C:\WINDOWS\system32\VSS\Documents and Settings\Tegwen H\NTUSER.DAT
+ 2008-07-18 13:54:14 4,456,448 ---ha-w C:\WINDOWS\system32\VSS\Documents and Settings\Tegwen H\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-07 09:48 761946]
"DMXLauncher"="C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe" [2006-11-06 02:07 102400]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\I SUSPM.exe" [2006-08-25 12:11 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-08-25 12:11 81920]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 02:10 409600]
"VX1000"="C:\WINDOWS\vVX1000.exe" [2006-06-30 00:42 707376]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2006-06-30 00:54 269104]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 16:49 49152]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-07-16 21:13 1655552]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-16 21:23 1232152]
"VTTimer"="VTTimer.exe" [2006-09-21 09:36 53248 C:\WINDOWS\system32\VTTimer.exe]
"S3Trayp"="S3trayp.exe" [2006-10-09 22:14 176128 C:\WINDOWS\system32\S3Trayp.exe]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 18:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 10:21 16270848 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe]
"Protect"="SHVRTF.EXE" [2005-02-04 11:58 1011712 C:\WINDOWS\system32\SHVRTF.EXE]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 20:28:24 258048]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 20:50:52 53248]

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\ avgrkx86.sys [2008-07-16 21:23]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-07-16 21:13]
S1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-16 21:23]
S1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-07-16 21:13]
S2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-16 21:23]
S2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-16 21:23]
S2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-16 21:23]
S2 MSCamSvc;MSCamSvc;C:\Program Files\Microsoft LifeCam\MSCamSvc.exe [2006-06-30 00:54]
S3 S3GIGP;S3GIGP;C:\WINDOWS\system32\DRIVERS\S3gIGPm. sys [2006-11-15 02:38]
S3 SIS163u;SiS163 USB Wireless LAN Adapter Driver;C:\WINDOWS\system32\DRIVERS\sis163u.sys [2006-05-29 19:04]
S3 VX1000;VX-1000;C:\WINDOWS\system32\DRIVERS\VX1000.sys [2006-06-30 00:42]

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{88f2e43e-2ccb-11dc-a387-001060a1af25}]
\Shell\AutoRun\command - G:\ek.com
\Shell\explore\Command - G:\ek.com
\Shell\open\Command - G:\ek.com

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{c86bef4c-d244-11db-a072-806d6172696f}]
\Shell\AutoRun\command - D:\PcAngel.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-07-18 17:09:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
************************************************** ************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-19 11:09:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
Completion time: 2008-07-19 11:10:53
ComboFix-quarantined-files.txt 2008-07-19 10:10:44
ComboFix2.txt 2008-07-18 09:23:58
ComboFix3.txt 2008-07-17 09:24:27
ComboFix4.txt 2008-07-17 08:42:49
ComboFix5.txt 2008-07-19 10:07:46

Pre-Run: 106,839,134,208 bytes free
Post-Run: 106,835,623,936 bytes free

153 --- E O F --- 2008-07-18 17:10:15


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:58:45, on 19/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Microsoft LifeCam\MSCamSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\SHVRTF.EXE
C:\WINDOWS\vVX1000.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
E:\8 may\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ww.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Protect] SHVRTF.EXE
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 7631 bytes
Attached Files
File Type: txt ComboFix.txt (10.4 KB, 1 views)
File Type: log hijackthis.log (7.5 KB, 1 views)


Last edited by Pancake; 07-19-2008 at 11:56 PM. Reason: copy and pasted.............................................
  #10  
Old 07-20-2008
Pancake's Avatar
Senior Security Analyst
  
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 4,063
PC Experience: Elite PC Guru
Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page
Default Re: Another One - Help Please
Copy the text the in the code box to notepad. Save it as fixreg.reg to your desktop.
Be sure the "Save as" type is set to "all files"
Once you have saved it double click it and allow it to merge with the registry.


REGEDIT4
[-HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{88f2e43e-2ccb-11dc-a387-001060a1af25}]


After reboot post a new HJT log.

====================================

I dont see anymore malware so that all done.


This will clear away any of the files and folders that were created by ComboFix.

Go to :
Start > Run then copy and paste the following highlighted text below and click OK.


ComboFix /u


__________________
  • An Australian Member of
  • and
My real name is Eddy
  #11  
Old 07-20-2008
elpmek's Avatar
Tech Support Team
  
Join Date: Feb 2006
Location: Gloucestershire
Posts: 973
PC Experience: Experienced
elpmek - See this Members User comments on their Profile page elpmek - See this Members User comments on their Profile page elpmek - See this Members User comments on their Profile page elpmek - See this Members User comments on their Profile page elpmek - See this Members User comments on their Profile page elpmek - See this Members User comments on their Profile page elpmek - See this Members User comments on their Profile page elpmek - See this Members User comments on their Profile page elpmek - See this Members User comments on their Profile page elpmek - See this Members User comments on their Profile page elpmek - See this Members User comments on their Profile page
Default Re: Another One - Help Please
Okay - did all that rebooted - BSOD

Rebooted & HJT log attached

Thanks - did whatever it was/is have a specific name??
Attached Files
File Type: log hijackthis.log (7.5 KB, 2 views)


  #12  
Old 07-20-2008
Pancake's Avatar
Senior Security Analyst
  
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 4,063
PC Experience: Elite PC Guru
Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page
Default Re: Another One - Help Please
I dont see any more malware.Its all been removed.I will now move you to another forum to see if they can help with your BSOD.


__________________
  • An Australian Member of
  • and
My real name is Eddy
  #13  
Old 07-21-2008
Tech Support Team
  
Join Date: Jan 2008
Posts: 1,376
PC Experience: Very Experienced
DIIRE - See this Members User comments on their Profile page DIIRE - See this Members User comments on their Profile page DIIRE - See this Members User comments on their Profile page DIIRE - See this Members User comments on their Profile page DIIRE - See this Members User comments on their Profile page DIIRE - See this Members User comments on their Profile page DIIRE - See this Members User comments on their Profile page DIIRE - See this Members User comments on their Profile page DIIRE - See this Members User comments on their Profile page DIIRE - See this Members User comments on their Profile page DIIRE - See this Members User comments on their Profile page
Default Re: Another One - Help Please
Hi elpmek,

Can you please follow the instructions in the following link and attach a couple of minidump files in your next post.

http://www.pchelpforum.com/windows-x...eath-here.html
  #14  
Old 07-21-2008
elpmek's Avatar
Tech Support Team
  
Join Date: Feb 2006
Location: Gloucestershire
Posts: 973
PC Experience: Experienced
elpmek - See this Members User comments on their Profile page elpmek - See this Members User comments on their Profile page elpmek - See this Members User comments on their Profile page elpmek - See this Members User comments on their Profile page elpmek - See this Members User comments on their Profile page elpmek - See this Members User comments on their Profile page elpmek - See this Members User comments on their Profile page elpmek - See this Members User comments on their Profile page elpmek - See this Members User comments on their Profile page elpmek - See this Members User comments on their Profile page elpmek - See this Members User comments on their Profile page
Default Re: Another One - Help Please
After last post rebooted did a sfc /scannow then rebooted to find no mouse or touchpad.

Opened in safe mode got to device manager using keyboard to see all USB devices with yellow "!". Deleted all devices.

Rebooted to find message saying due to hardware changes Windows needs to be reactivated said no and then BSOD. Couldn't get to safe mode as said needed to be activated.

Tried System Repair - no joy.

Now going for format disk & full reinstall