Popups

camaro1185

New Member
I just got a new college-issued laptop and it’s a piece of crap Dell Latitude. Here is the problem: I have gotten lots of popups, so I downloaded a couple of popup blockers to see which one was the best. I found one that stopped the popups, but with it installed I wasn’t able to load a couple of websites such as Gmail, Yahoo, and some forums that I regularly go on. So I guessed it was the popup blockers, so I uninstalled them and deleted, as far as I can tell, everything associated with them. After I did that, everything was back to normal. During the night the power went out; I restarted the computer and now I am back to not being able to load some pages. Any ideas on what settings or anything else I can check?
 

camaro1185

New Member
Logfile of HijackThis v1.98.2
Scan saved at 9:21:44 PM, on 6/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\WINDOWS\system32\nipalsm.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\nipalsm.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
E:\Apps\Common Programs\Hijack This.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.vernier.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {074DCAE7-5496-46B5-BF19-46754B3CFC11} - (no file)
O2 - BHO: (no name) - {3a75bc81-18bb-417a-8007-a700c1933e84} - (no file)
O2 - BHO: (no name) - {530CE5DB-202C-4AE2-8CB7-C18F23306EAD} - C:\WINDOWS\system32\geBuUlLD.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {853B95C0-607B-4596-97B0-74C4E2C657EF} - C:\WINDOWS\system32\urqPHAtT.dll (file missing)
O2 - BHO: {94318282-b7d8-0678-6724-8dab40d93b79} - {97b39d04-bad8-4276-8760-8d7b28281349} - C:\WINDOWS\system32\yrvckije.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {CB2D0806-8D5A-4259-83B7-70FDBABD5D73} - (no file)
O2 - BHO: (no name) - {DD4A65C7-61D7-445F-BCF1-5065F765EAF9} - C:\WINDOWS\system32\hgGASMdB.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [d458cd1f] rundll32.exe "C:\WINDOWS\system32\fshwgjmw.dll",b
O4 - HKLM\..\Run: [BMd76bfe83] Rundll32.exe "C:\WINDOWS\system32\ioujeptc.dll",s
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5852F5ED-8BF4-11D4-A245-0080C6F74284} (isInstalled Class) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL...-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://antivirus.wit.edu/webinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wit.private
O17 - HKLM\Software\..\Telephony: DomainName = wit.private
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wit.private
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wit.private
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
 

G25r8cer

Active Member
You forgot the bottom part. The byte size part.

Anyways, if you don't mind, there are a few things in there that are slowing your system down. Is it alright if we do that first? Then we can get to the pop-ups problem. The first thing is I see you have Viewpoint Manager installed. Don't worry, it is installed with AIM; Viewpoint is not needed for AIM, but Viewpoint is a major system hog. To get rid of this, go to Add/Remove Programs and uninstall Viewpoint Manager. When you have done that, post a FRESH HijackThis log.
 

camaro1185

New Member
Logfile of HijackThis v1.98.2
Scan saved at 11:53:15 PM, on 6/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\WINDOWS\system32\nipalsm.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\nipalsm.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
E:\Apps\Common Programs\Hijack This.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\rundll32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.vernier.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {074DCAE7-5496-46B5-BF19-46754B3CFC11} - (no file)
O2 - BHO: (no name) - {3a75bc81-18bb-417a-8007-a700c1933e84} - (no file)
O2 - BHO: (no name) - {530CE5DB-202C-4AE2-8CB7-C18F23306EAD} - C:\WINDOWS\system32\geBuUlLD.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {853B95C0-607B-4596-97B0-74C4E2C657EF} - C:\WINDOWS\system32\urqPHAtT.dll (file missing)
O2 - BHO: {94318282-b7d8-0678-6724-8dab40d93b79} - {97b39d04-bad8-4276-8760-8d7b28281349} - C:\WINDOWS\system32\yrvckije.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {CB2D0806-8D5A-4259-83B7-70FDBABD5D73} - (no file)
O2 - BHO: (no name) - {DD4A65C7-61D7-445F-BCF1-5065F765EAF9} - C:\WINDOWS\system32\hgGASMdB.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [d458cd1f] rundll32.exe "C:\WINDOWS\system32\fshwgjmw.dll",b
O4 - HKLM\..\Run: [BMd76bfe83] Rundll32.exe "C:\WINDOWS\system32\ioujeptc.dll",s
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5852F5ED-8BF4-11D4-A245-0080C6F74284} (isInstalled Class) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL...-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://antivirus.wit.edu/webinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wit.private
O17 - HKLM\Software\..\Telephony: DomainName = wit.private
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wit.private
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wit.private
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
 

G25r8cer

Active Member
OK, to me your log looks clean, but you still didn't post the whole log. When you press Save Log and Notepad pops up, go to Edit and click Select All, then go to Edit and press Copy. Then paste it here.

The next step is running ComboFix. Click on the link below to download it and save it to your desktop. Then close all programs and double-click "ComboFix". A blue prompt (window) will appear. During ComboFix's scanning it will change your clock and icons. DO NOT change them back. When ComboFix is done it will automatically restart your PC. When you sign back on, a text file will appear. If it doesn't, it is located in your root C drive. Copy ALL the text and paste it here along with a fresh HijackThis log.

Download from any of the following places:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
 

ceewi1

VIP Member
He has posted the whole log, and the log shows a Vundo infection.

camaro1185, you are running a very old version of HijackThis.

Please delete this version from your PC and download the HijackThis installer from http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe.

Run the installer and choose Install, indicating that you accept the licence agreement. The installer will place a shortcut on your desktop and launch HijackThis.

Please use this version for posting further HijackThis logs.


Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log from the new version.
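As a defender-side illustration of what ceewi1 is reading off the log, here is an added Python script (not code from this thread, nor from HijackThis or ComboFix) that applies simple triage heuristics to O2 and O4 lines copied from the log posted above: BHOs with no name or a GUID for a name backed by a randomly named DLL in system32, orphaned entries whose file is absent, and Run keys with hex-style names that launch such a DLL through rundll32 with a one-letter export. The scoring weights and the eight-letter name test are my own assumptions, and a hit is a candidate for a helper to review, not a verdict.

```python
"""Heuristic triage of HijackThis O2 (BHO) and O4 (Run key) lines.

Added example, not part of the thread or of HijackThis itself. It scores
the patterns a helper looks for by eye; a hit is a candidate for review,
not a verdict. Scoring weights and the eight-letter name test are assumptions.
"""
import re
from pathlib import PureWindowsPath

# Lines copied from the HijackThis log posted above (subset chosen for this example).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {074DCAE7-5496-46B5-BF19-46754B3CFC11} - (no file)
O2 - BHO: (no name) - {530CE5DB-202C-4AE2-8CB7-C18F23306EAD} - C:\WINDOWS\system32\geBuUlLD.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {853B95C0-607B-4596-97B0-74C4E2C657EF} - C:\WINDOWS\system32\urqPHAtT.dll (file missing)
O2 - BHO: {94318282-b7d8-0678-6724-8dab40d93b79} - {97b39d04-bad8-4276-8760-8d7b28281349} - C:\WINDOWS\system32\yrvckije.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {DD4A65C7-61D7-445F-BCF1-5065F765EAF9} - C:\WINDOWS\system32\hgGASMdB.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [d458cd1f] rundll32.exe "C:\WINDOWS\system32\fshwgjmw.dll",b
O4 - HKLM\..\Run: [BMd76bfe83] Rundll32.exe "C:\WINDOWS\system32\ioujeptc.dll",s
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?,(?P<export>\S+)', re.IGNORECASE)
DLL_PATH_RE = re.compile(r'[A-Za-z]:\\[^\s",]+\.dll', re.IGNORECASE)


def random_system32_dll(path):
    """True for a DLL under system32 whose stem is eight bare letters, the naming
    style seen in the posted log. Legitimate eight-letter DLLs exist, so this is
    weak evidence on its own and is only ever combined with other signals."""
    p = PureWindowsPath(path.strip())
    if p.suffix.lower() != ".dll" or p.parent.name.lower() != "system32":
        return False
    return re.fullmatch(r"[A-Za-z]{8}", p.stem) is not None


def triage_o2(m):
    """Score one O2 (Browser Helper Object) line; returns (score, reasons)."""
    name, target = m["name"], m["target"].strip()
    score, reasons = 0, []
    missing = target.endswith("(file missing)")
    if missing:
        target = target[: -len("(file missing)")].strip()
    if missing or target == "(no file)":
        score += 1; reasons.append("orphaned BHO: file absent")
    if name == "(no name)":
        score += 1; reasons.append("BHO has no name")
    elif GUID_RE.match(name):
        score += 2; reasons.append("BHO name is itself a GUID")
    if random_system32_dll(target):
        score += 2; reasons.append("randomly named DLL in system32")
    return score, reasons


def triage_o4(m):
    """Score one O4 (Run key) line; returns (score, reasons)."""
    name, cmd = m["name"], m["cmd"]
    score, reasons = 0, []
    if re.search(r"[0-9a-f]{8,}", name):
        score += 2; reasons.append("Run key name looks like a random hex id")
    r = RUNDLL_RE.search(cmd)
    if r:
        if random_system32_dll(r["dll"]):
            score += 2; reasons.append("rundll32 loads a randomly named DLL from system32")
        if len(r["export"]) == 1:
            score += 1; reasons.append("rundll32 export is a single letter")
    return score, reasons


def triage(log_text):
    """Return a list of findings (line, score, severity, reasons) for O2/O4 lines."""
    findings = []
    for line in log_text.strip().splitlines():
        m = O2_RE.match(line)
        if m:
            score, reasons = triage_o2(m)
        else:
            m = O4_RE.match(line)
            if not m:
                continue
            score, reasons = triage_o4(m)
        if score:
            findings.append({"line": line, "score": score,
                             "severity": "high" if score >= 3 else "review",
                             "reasons": reasons})
    return findings


def flagged_dlls(findings):
    """Basenames of the randomly named system32 DLLs referenced by the findings."""
    names = set()
    for f in findings:
        for path in DLL_PATH_RE.findall(f["line"]):
            if random_system32_dll(path):
                names.add(PureWindowsPath(path).name)
    return sorted(names)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f['severity']}] {f['line']}\n    " + "; ".join(f["reasons"]))
    print("DLLs to ask about:", ", ".join(flagged_dlls(results)))
```

Run against the sample, the script leaves the Java and Google Toolbar entries alone, marks the "(no name) / (no file)" BHO as review-only clutter, and rates the other six entries high; four of the DLL names it lists (geBuUlLD.dll, yrvckije.dll, fshwgjmw.dll, ioujeptc.dll) reappear in the ComboFix "Other Deletions" list later in the thread, which is the kind of cross-check a helper does before recommending removal.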
 

camaro1185

New Member
Thanks for all the help, guys! Here is the ComboFix file and the new HijackThis file:

ComboFix:

ComboFix 08-06-19.2 - varhuem 2008-06-20 7:07:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1185 [GMT -4:00]
Running from:
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\BMd76bfe83.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aylknvco.dll
C:\WINDOWS\system32\bhyjbnli.dll
C:\WINDOWS\system32\bkbvxcgh.dll
C:\WINDOWS\system32\buewmnky.dll
C:\WINDOWS\system32\bwtavvaw.ini
C:\WINDOWS\system32\djphvggt.ini
C:\WINDOWS\system32\dkipppvp.dll
C:\WINDOWS\system32\DLlUuBeg.ini
C:\WINDOWS\system32\DLlUuBeg.ini2
C:\WINDOWS\system32\eapoytgt.dll
C:\WINDOWS\system32\efmfifoj.dll
C:\WINDOWS\system32\eleeqslf.ini
C:\WINDOWS\system32\emccgrad.dll
C:\WINDOWS\system32\fknuxkvj.ini
C:\WINDOWS\system32\fkuiwjte.ini
C:\WINDOWS\system32\foelccet.exe
C:\WINDOWS\system32\fqvvtejf.dll
C:\WINDOWS\system32\fshwgjmw.dll
C:\WINDOWS\system32\fvavojtx.dll
C:\WINDOWS\system32\geBuUlLD.dll
C:\WINDOWS\system32\ghevlqfo.ini
C:\WINDOWS\system32\gsoyhdrl.ini
C:\WINDOWS\system32\gwmcekuh.ini
C:\WINDOWS\system32\gxieirih.dll
C:\WINDOWS\system32\hldppsti.dll
C:\WINDOWS\system32\hovcgsnu.exe
C:\WINDOWS\system32\hpqqpcch.dll
C:\WINDOWS\system32\hturdljm.dll
C:\WINDOWS\system32\hukecmwg.dll
C:\WINDOWS\system32\hxjdavhe.dll
C:\WINDOWS\system32\hxsxuwlt.dll
C:\WINDOWS\system32\imymxxdk.dll
C:\WINDOWS\system32\ioujeptc.dll
C:\WINDOWS\system32\jcvrcejk.dll
C:\WINDOWS\system32\jdpqpfhj.dll
C:\WINDOWS\system32\jevrxvuw.dll
C:\WINDOWS\system32\jgmgqxyo.exe
C:\WINDOWS\system32\jyknilve.dll
C:\WINDOWS\system32\kbsywbsu.dll
C:\WINDOWS\system32\kkbfueni.dll
C:\WINDOWS\system32\kqvfgrrc.dll
C:\WINDOWS\system32\laoicyaf.dll
C:\WINDOWS\system32\ldapvubl.ini
C:\WINDOWS\system32\lnlsltox.dll
C:\WINDOWS\system32\lsilapab.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mdngerwv.exe
C:\WINDOWS\system32\mppuypwg.ini
C:\WINDOWS\system32\mrpaugxr.ini
C:\WINDOWS\system32\myatvapw.dll
C:\WINDOWS\system32\nkedxhlx.dll
C:\WINDOWS\system32\ocgaxpqm.ini
C:\WINDOWS\system32\ocwjkshh.dll
C:\WINDOWS\system32\odwwrhuu.ini
C:\WINDOWS\system32\oqiitkvf.ini
C:\WINDOWS\system32\owqpempy.exe
C:\WINDOWS\system32\oxfibyqs.ini
C:\WINDOWS\system32\pgywdayp.exe
C:\WINDOWS\system32\qdmvntmh.dll
C:\WINDOWS\system32\qksdbcpi.dll
C:\WINDOWS\system32\qyrehyhg.ini
C:\WINDOWS\system32\rfbsoadc.dll
C:\WINDOWS\system32\rmbhmhpj.exe
C:\WINDOWS\system32\rslvlkgp.exe
C:\WINDOWS\system32\TtAHPqru.ini
C:\WINDOWS\system32\TtAHPqru.ini2
C:\WINDOWS\system32\uuhrwwdo.dll
C:\WINDOWS\system32\vahfwjxt.dll
C:\WINDOWS\system32\vdmhddqq.ini
C:\WINDOWS\system32\vmvowmaw.exe
C:\WINDOWS\system32\wdbltxau.dll
C:\WINDOWS\system32\WEfOqXyb.ini
C:\WINDOWS\system32\WEfOqXyb.ini2
C:\WINDOWS\system32\wjkfqkoc.dll
C:\WINDOWS\system32\wmjgwhsf.ini
C:\WINDOWS\system32\wuvxrvej.ini
C:\WINDOWS\system32\xlkhvhlq.dll
C:\WINDOWS\system32\yfwwrwiq.exe
C:\WINDOWS\system32\yjwwprht.dll
C:\WINDOWS\system32\yrvckije.dll
E:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://witwsus.wit.private
.
((((((((((((((((((((((((( Files Created from 2008-05-20 to 2008-06-20 )))))))))))))))))))))))))))))))
.

2008-06-20 07:17 . 2008-06-20 07:17 <DIR> d-------- C:\WINDOWS\LastGood
2008-06-18 22:22 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-06-18 22:22 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-06-18 22:22 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-06-18 22:22 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-06-18 14:44 . 2008-06-18 14:44 <DIR> d-------- C:\Program Files\CCleaner
2008-06-18 12:39 . 2008-06-18 14:29 <DIR> d-------- C:\Incomplete
2008-06-18 12:38 . 2008-06-18 14:30 <DIR> d-------- C:\Documents and Settings\varhuem\Application Data\LimeWire
2008-06-18 12:37 . 2008-06-18 12:38 <DIR> d-------- C:\Program Files\LimeWire
2008-06-18 11:45 . 2008-06-18 11:45 <DIR> d-------- C:\Documents and Settings\varhuem\Application Data\STOPzilla!
2008-06-18 11:44 . 2008-06-18 20:52 <DIR> d-------- C:\Program Files\STOPzilla!
2008-06-18 11:42 . 2008-06-18 11:54 <DIR> d-------- C:\Program Files\Desktop Armor
2008-06-16 18:56 . 2008-06-16 18:57 99 --a------ C:\WINDOWS\WirelessFTP.INI
2008-06-15 12:13 . 2008-06-15 12:13 <DIR> d-------- C:\Program Files\AOD
2008-06-15 12:13 . 2008-06-15 12:13 <DIR> d-------- C:\Program Files\AIM
2008-06-15 12:13 . 2008-06-15 12:14 <DIR> d-------- C:\Documents and Settings\varhuem\Application Data\Aim
2008-06-15 12:13 . 2002-12-18 18:46 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-06-15 11:52 . 2008-06-18 20:43 2,397 --a------ C:\WINDOWS\mozver.dat
2008-06-15 11:40 . 2008-06-15 11:40 737 --a------ C:\WINDOWS\system32\nbuxtonv.dll
2008-06-12 19:20 . 2008-06-12 19:20 743 --a------ C:\WINDOWS\system32\mtejfprj.dll
2008-06-12 19:20 . 2008-06-12 19:20 741 --a------ C:\WINDOWS\system32\ayhxxrbt.dll
2008-06-12 19:20 . 2008-06-12 19:20 737 --a------ C:\WINDOWS\system32\tplngtmn.dll
2008-06-09 15:03 . 2008-06-09 15:03 0 --a------ C:\WINDOWS\MS.INI
2008-06-08 16:26 . 2008-06-08 16:26 <DIR> d-------- C:\Documents and Settings\varhuem\Application Data\CiscoCAA
2008-06-08 16:25 . 2008-06-08 16:25 <DIR> d-------- C:\savinstall
2008-06-08 16:25 . 2008-06-08 16:25 <DIR> d-------- C:\Program Files\Cisco Systems
2008-06-08 16:17 . 2008-06-08 16:17 743 --a------ C:\WINDOWS\system32\qwhffqyr.dll
2008-06-08 16:17 . 2008-06-08 16:17 693 --a------ C:\WINDOWS\system32\wgtpaita.exe
2008-06-08 16:14 . 2008-06-08 16:14 741 --a------ C:\WINDOWS\system32\wqmjebst.dll
2008-06-08 16:12 . 2008-06-08 16:12 737 --a------ C:\WINDOWS\system32\dojttunq.dll
2008-06-05 15:32 . 2008-06-05 15:32 693 --a------ C:\WINDOWS\system32\tjrwkjvw.exe
2008-06-05 15:29 . 2008-06-05 15:29 743 --a------ C:\WINDOWS\system32\smswifys.dll
2008-06-05 15:29 . 2008-06-05 15:29 741 --a------ C:\WINDOWS\system32\qhtpgyck.dll
2008-06-05 15:28 . 2008-06-05 15:28 737 --a------ C:\WINDOWS\system32\yxgabave.dll
2008-06-03 18:50 . 2008-06-03 18:50 743 --a------ C:\WINDOWS\system32\fxjgdkok.dll
2008-06-03 18:47 . 2008-06-03 18:47 693 --a------ C:\WINDOWS\system32\vmmyibyr.exe
2008-06-03 18:44 . 2008-06-03 18:44 741 --a------ C:\WINDOWS\system32\lddwskjf.dll
2008-06-03 18:44 . 2008-06-03 18:44 737 --a------ C:\WINDOWS\system32\qqerciqr.dll
2008-06-02 14:58 . 2008-06-02 15:11 27 --a------ C:\WINDOWS\settings.ini
2008-05-29 15:28 . 2008-05-29 15:28 <DIR> d-------- C:\Documents and Settings\varhuem\Application Data\DivX
2008-05-29 15:27 . 2008-05-29 15:27 <DIR> d-------- C:\Program Files\DivX
2008-05-29 15:27 . 2007-07-09 15:07 118,520 --a------ C:\WINDOWS\system32\pxinsi64.exe
2008-05-29 15:27 . 2007-07-09 15:07 116,472 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2008-05-29 15:23 . 2008-05-29 15:23 <DIR> d-------- C:\Program Files\AC3Filter
2008-05-27 19:57 . 2008-05-27 19:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-22 13:34 . 2008-05-22 13:34 <DIR> d-------- C:\Program Files\Google
2008-05-22 13:34 . 2008-06-19 07:47 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-21 21:54 . 2008-06-18 13:37 <DIR> d-------- C:\Documents and Settings\varhuem\Application Data\uTorrent
2008-05-21 21:53 . 2008-06-15 12:31 <DIR> d-------- C:\Program Files\uTorrent
2008-05-21 16:18 . 2008-06-19 20:27 476 --a------ C:\WINDOWS\hpbafd.ini
2008-05-21 14:17 . 1998-06-18 00:00 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2008-05-21 14:16 . 2008-06-16 14:26 <DIR> d-------- C:\Program Files\matlib
2008-05-21 14:15 . 2008-05-21 14:17 <DIR> d-------- C:\MATLIB
2008-05-21 14:15 . 2008-05-21 14:15 78 --a------ C:\WINDOWS\mes.ini
2008-05-21 14:07 . 1996-12-09 13:51 703,984 --a------ C:\WINDOWS\system32\Ss32x25.ocx
2008-05-21 14:07 . 1998-06-24 00:00 260,920 --a------ C:\WINDOWS\system32\MSDATGRD.OCX
2008-05-21 14:07 . 1995-12-04 14:09 210,944 --a------ C:\WINDOWS\system32\MSVCRT10.DLL
2008-05-21 14:07 . 1998-06-18 00:00 146,944 --a------ C:\WINDOWS\system32\VB6EXT.OLB
2008-05-21 14:01 . 2008-05-21 14:08 <DIR> d-------- C:\Program Files\CAMWorks2008-07
2008-05-21 13:56 . 2008-05-21 13:58 <DIR> d-------- C:\Program Files\CAMWorksFlexLM
2008-05-21 12:38 . 2008-05-21 12:40 <DIR> d-------- C:\Program Files\Winamp
2008-05-21 12:38 . 2008-05-21 12:40 <DIR> d-------- C:\Documents and Settings\varhuem\Application Data\Winamp
2008-05-21 09:52 . 2008-05-21 09:52 0 --a------ C:\WINDOWS\system32\history.aaw
2008-05-21 09:51 . 2008-06-15 15:06 153 --a------ C:\WINDOWS\wininit.ini
2008-05-21 09:25 . 2008-05-21 09:25 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-21 09:25 . 2008-05-21 09:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-21 09:24 . 2008-05-21 09:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-21 09:23 . 2008-06-16 14:39 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-21 09:23 . 2008-06-16 14:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-20 15:39 . 2008-05-21 13:48 7,680 --ahs---- C:\WINDOWS\Thumbs.db

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-20 11:15 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-06-20 03:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-18 02:08 --------- d-----w C:\Documents and Settings\varhuem\Application Data\U3
2008-06-16 22:28 --------- d-----w C:\Program Files\SolidWorks
2008-06-16 22:27 --------- d-----w C:\Documents and Settings\Default User\Application Data\SolidWorks
2008-06-02 18:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-21 18:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-19 18:04 --------- d-----w C:\Program Files\LMC
2008-05-19 18:04 --------- d-----w C:\Program Files\Common Files\LMC
2008-05-16 23:36 --------- d-----w C:\Program Files\Avanquest update
2008-05-16 23:35 --------- d-----w C:\Program Files\Motorola Phone Tools
2008-05-16 23:34 --------- d-----w C:\Program Files\Common Files\Motorola Shared
2008-05-16 23:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-05-16 19:12 --------- d-----w C:\Program Files\Motorola USB Drivers
2008-05-15 19:48 --------- d-----w C:\Program Files\Investintech.com Inc
2008-05-15 00:12 --------- d-----w C:\Documents and Settings\varhuem\Application Data\vlc
2008-05-15 00:11 --------- d-----w C:\Program Files\VideoLAN
2008-05-15 00:11 --------- d-----w C:\Program Files\AIM6
2008-05-15 00:11 --------- d-----w C:\Documents and Settings\varhuem\Application Data\acccore
2008-05-15 00:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-05-15 00:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-05-15 00:10 --------- d-----w C:\Program Files\Common Files\AOL
2008-05-06 13:29 --------- d-----w C:\Program Files\Common Files\Bcgsoft
2008-05-06 12:16 --------- d-----w C:\Program Files\Microsoft Works
2008-05-02 14:04 --------- d-----w C:\Documents and Settings\varhuem\Application Data\SolidWorks
2008-05-01 18:32 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-05-01 18:32 --------- d-----w C:\Program Files\Common Files\L&H
2008-05-01 18:19 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-05-01 18:17 --------- d-----w C:\Documents and Settings\setup.WIT-B94B9000F37\Application Data\Autodesk
2008-05-01 18:16 --------- d-----w C:\Program Files\Autodesk
2008-04-30 15:48 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-04-30 15:48 --------- d-----w C:\Program Files\Common Files\Merge Modules
2008-04-29 15:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 15:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 15:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-22 19:31 --------- d-----w C:\Program Files\Java
2008-04-22 19:30 --------- d-----w C:\Program Files\Common Files\Java
2008-04-22 19:15 --------- d-----w C:\Program Files\QuickTime
2008-04-22 19:15 --------- d-----w C:\Documents and Settings\varhuem\Application Data\Apple Computer
2008-04-22 19:15 --------- d-----w C:\Documents and Settings\setup.WIT-B94B9000F37\Application Data\Apple Computer
2008-04-22 19:15 --------- d-----w C:\Documents and Settings\Default User\Application Data\Apple Computer
2008-04-22 19:15 --------- d-----w C:\Documents and Settings\admin\Application Data\Apple Computer
2008-04-22 19:14 --------- d-----w C:\Program Files\Apple Software Update
2008-04-22 19:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-22 19:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-04-17 07:19 737,280 ----a-w C:\WINDOWS\iun6002.exe
2004-03-15 21:51 114,688 ----a-w C:\Program Files\internet explorer\plugins\LV71ActiveXControl.dll
2003-05-01 13:36 114,688 ----a-w C:\Program Files\internet explorer\plugins\LV7ActiveXControl.dll
2006-01-23 14:32 131,072 ----a-w C:\Program Files\internet explorer\plugins\LV80ActiveXControl.dll
2007-02-08 14:48 133,920 ----a-w C:\Program Files\internet explorer\plugins\LV82ActiveXControl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{853B95C0-607B-4596-97B0-74C4E2C657EF}]
C:\WINDOWS\system32\urqPHAtT.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DD4A65C7-61D7-445F-BCF1-5065F765EAF9}]
2008-05-16 19:34 32475 --a------ C:\WINDOWS\system32\hgGASMdB.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-23 12:53 68856]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-03-25 16:21 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVHotkey"="nvHotkey.dll" [2007-04-28 19:05 67584 C:\WINDOWS\system32\nvhotkey.dll]
"NvMediaCenter"="NvMCTray.dll" [2007-04-28 19:05 81920 C:\WINDOWS\system32\nvmctray.dll]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-03 20:56 143360]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-28 19:05 8429568]

C:\Documents and Settings\admin\Start Menu\Programs\Startup\
Shortcut to bg.lnk - C:\Documents and Settings\Administrator\BGinfo\bg.bat [2008-04-17 10:19:11 34]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Shortcut to bg.lnk - C:\Documents and Settings\Administrator\BGinfo\bg.bat [2008-04-17 10:19:11 34]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{DD4A65C7-61D7-445F-BCF1-5065F765EAF9}"= C:\WINDOWS\system32\hgGASMdB.dll [2008-05-16 19:34 32475]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgGASMdB]
hgGASMdB.dll 2008-05-16 19:34 32475 C:\WINDOWS\system32\hgGASMdB.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\yayyAsQk

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2746289630-3061505222-2800193894-17919\Scripts\Logon\0\0]
"Script"=\\wit.private\SysVol\wit.private\scripts\students.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=C:\WINDOWS\pss\Bluetooth Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
--a------ 2007-03-20 16:40 1884160 C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIMWDInstallFilename]
--------- 2004-01-12 16:29 102400 C:\PROGRA~1\AIM\AIMWDI~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2007-07-02 13:29 159744 C:\Program Files\DellTPad\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMd76bfe83]
C:\WINDOWS\system32\hturdljm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
--a------ 2007-10-09 19:17 2183168 C:\WINDOWS\system32\WLTRAY.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2006-03-07 13:02 53408 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\d458cd1f]
C:\WINDOWS\system32\flsqeele.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
C:\Program Files\Spyware Doctor\pctsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-04-28 19:05 8429568 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-04-28 19:05 81920 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-04-28 19:05 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpStopperProfessional]
C:\Program Files\Panicware\Pop-Up Stopper Professional\PopUpStopperProfessional.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2007-02-19 14:26 303104 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
--a------ 2004-08-03 20:56 143360 C:\WINDOWS\system32\mobsync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
--a------ 2006-03-17 06:34 124656 C:\PROGRA~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R0 NIPALK;NIPALK;C:\WINDOWS\system32\drivers\nipalk.sys [2007-02-15 22:59]
R0 nipbcfk;National Instruments Class Upper Filter Driver;C:\WINDOWS\system32\drivers\nipbcfk.sys [2007-02-15 17:23]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;"C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe" -service []
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2007-02-21 10:00]
R2 mxssvr;NI Configuration Manager;"C:\Program Files\National Instruments\MAX\nimxs.exe" [2007-03-20 16:19]
R2 NextMove;NextMove;C:\WINDOWS\system32\drivers\NEXTMOVE.SYS [1999-08-27 09:40]
R2 ni488enumsvc;NI-488.2 Enumeration Service;C:\WINDOWS\system32\nipalsm.exe [2007-02-16 10:21]
R2 niarbk;niarbk;C:\WINDOWS\system32\drivers\niarbk.dll [2007-02-02 09:36]
R2 nibffrk;nibffrk;C:\WINDOWS\system32\drivers\nibffrk.dll [2007-02-02 09:37]
R2 Nidaq32k;Nidaq32k;C:\WINDOWS\system32\drivers\Nidaq32k.sys [2007-02-02 10:55]
R2 nidevldu;NI Device Loader;C:\WINDOWS\system32\nipalsm.exe [2007-02-16 10:21]
R2 nidmmk;NI DMM and Data Logger Kernel Driver;C:\WINDOWS\system32\drivers\nidmmk.dll [2007-02-02 10:57]
R2 nimdsk;nimdsk;C:\WINDOWS\system32\drivers\nimdsk.dll [2007-02-02 09:37]
R2 nipxirmk;nipxirmk;C:\WINDOWS\system32\drivers\nipxirmkl.sys [2007-02-22 11:18]
R2 nistck;nistck;C:\WINDOWS\system32\drivers\nistck.dll [2007-02-02 09:38]
R2 NITaggerService;National Instruments Variable Engine;"C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe" [2007-02-06 22:47]
R2 NiViPxiK;NI-VISA PXI Driver;C:\WINDOWS\system32\drivers\NiViPxiKl.sys [2007-02-23 10:25]
R2 Remote Solver for COSMOSFloWorks 2007;Remote Solver for COSMOSFloWorks 2007;"C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe" [2007-02-27 17:27]
R3 nidimk;nidimk;C:\WINDOWS\system32\drivers\nidimkl.sys [2007-02-21 22:20]
R3 nimdbgk;nimdbgk;C:\WINDOWS\system32\drivers\nimdbgkl.sys [2007-02-21 21:46]
R3 nimru2k;nimru2k;C:\WINDOWS\system32\drivers\nimru2kl.sys [2007-02-21 22:39]
R3 nimstsk;nimstsk;C:\WINDOWS\system32\drivers\nimstskl.sys [2007-02-25 20:12]
R3 nimxdfk;nimxdfk;C:\WINDOWS\system32\drivers\nimxdfkl.sys [2007-02-21 22:10]
R3 niorbk;niorbk;C:\WINDOWS\system32\drivers\niorbkl.sys [2007-02-21 21:39]
S3 lvalarmk;lvalarmk;C:\WINDOWS\system32\drivers\lvalarmk.sys [2007-01-11 10:18]
S3 ni1006k;NI PXI-1006 Chassis Pilot;C:\WINDOWS\system32\drivers\ni1006k.sys [2007-02-22 11:40]
S3 ni1045k;NI PXI-1045 Chassis Pilot;C:\WINDOWS\system32\drivers\ni1045kl.sys [2007-02-22 11:43]
S3 ni488lock;NI-488.2 Locking Service;C:\WINDOWS\system32\drivers\ni488lock.sys [2007-02-26 12:40]
S3 nicdrk;nicdrk;C:\WINDOWS\system32\drivers\nicdrkl.sys [2007-02-22 18:18]
S3 nidmxfk;nidmxfk;C:\WINDOWS\system32\drivers\nidmxfkl.sys [2007-02-25 20:12]
S3 nidsark;nidsark;C:\WINDOWS\system32\drivers\nidsarkl.sys [2007-02-23 17:43]
S3 nidwgk;nidwgk;C:\WINDOWS\system32\drivers\nidwgkl.sys [2007-02-23 22:32]
S3 niemrk;niemrk;C:\WINDOWS\system32\drivers\niemrkl.sys [2007-02-25 19:13]
S3 niesrk;niesrk;C:\WINDOWS\system32\drivers\niesrkl.sys [2007-02-25 19:13]
S3 nifslk;nifslk;C:\WINDOWS\system32\drivers\nifslkl.sys [2007-02-22 13:21]
S3 nigplk;nigplk;C:\WINDOWS\system32\drivers\nigplkl.sys [2007-02-23 16:20]
S3 nihsdrk;nihsdrk;C:\WINDOWS\system32\drivers\nihsdrkl.sys [2007-02-24 01:10]
S3 nimsdrk;nimsdrk;C:\WINDOWS\system32\drivers\nimsdrkl.sys [2007-02-25 20:10]
S3 nimslk;nimslk;C:\WINDOWS\system32\drivers\nimslk.dll [2006-12-18 12:55]
S3 nimsrlk;nimsrlk;C:\WINDOWS\system32\drivers\nimsrlk.dll [2006-12-18 12:55]
S3 nimxpk;nimxpk;C:\WINDOWS\system32\drivers\nimxpkl.sys [2007-02-22 13:26]
S3 ninshsdk;ninshsdk;C:\WINDOWS\system32\drivers\ninshsdkl.sys [2007-02-23 17:25]
S3 nipalfwedl;nipalfwedl;C:\WINDOWS\system32\drivers\nipalfwedl.sys [2007-02-15 23:00]
S3 nipalusbedl;nipalusbedl;C:\WINDOWS\system32\drivers\nipalusbedl.sys [2007-02-15 23:00]
S3 nipsdk;nipsdk;C:\WINDOWS\system32\drivers\nipsdkl.sys [2007-02-23 22:19]
S3 nipxigpk;NI PXI Generic Chassis Pilot;C:\WINDOWS\system32\drivers\nipxigpk.sys [2007-02-22 11:45]
S3 nirfsa2k;nirfsa2k;C:\WINDOWS\system32\drivers\nirfsa2kl.sys [2007-02-24 04:19]
S3 niscdk;niscdk;C:\WINDOWS\system32\drivers\niscdkl.sys [2007-02-26 16:31]
S3 nisdigk;nisdigk;C:\WINDOWS\system32\drivers\nisdigkl.sys [2007-02-25 19:11]
S3 nisftk;nisftk;C:\WINDOWS\system32\drivers\nisftkl.sys [2007-02-24 00:17]
S3 nisldk;nisldk;C:\WINDOWS\system32\drivers\nisldkl.sys [2007-02-23 22:05]
S3 nismbusk;nismbusk;C:\WINDOWS\system32\drivers\nismbusk.sys [2007-02-22 11:34]
S3 nispdk;nispdk;C:\WINDOWS\system32\drivers\nispdkl.sys [2007-02-26 16:31]
S3 nisrcdk;nisrcdk;C:\WINDOWS\system32\drivers\nisrcdkl.sys [2007-02-23 22:28]
S3 nissrk;nissrk;C:\WINDOWS\system32\drivers\nissrkl.sys [2007-02-25 19:13]
S3 nistc2k;nistc2k;C:\WINDOWS\system32\drivers\nistc2kl.sys [2007-02-22 20:17]
S3 nistcrk;nistcrk;C:\WINDOWS\system32\drivers\nistcrkl.sys [2007-02-23 03:14]
S3 niswdk;niswdk;C:\WINDOWS\system32\drivers\niswdkl.sys [2007-02-23 20:44]
S3 nitiork;nitiork;C:\WINDOWS\system32\drivers\nitiorkl.sys [2007-02-23 15:54]
S3 nitnr2k;nitnr2k;C:\WINDOWS\system32\drivers\nitnr2kl.sys [2007-02-24 00:09]
S3 NiViFWK;NI-VISA FireWire Driver;C:\WINDOWS\system32\drivers\NiViFWKl.sys [2007-02-22 10:42]
S3 NiViPciK;NI-VISA PCI Driver;C:\WINDOWS\system32\drivers\NiViPciKl.sys [2007-02-23 10:25]
S3 niwfrk;niwfrk;C:\WINDOWS\system32\drivers\niwfrkl.sys [2007-02-25 19:13]
S3 nixsrk;nixsrk;C:\WINDOWS\system32\drivers\nixsrkl.sys [2007-02-25 19:13]
S3 usb6xxxk;usb6xxxk;C:\WINDOWS\system32\drivers\usb6xxxk.sys [2007-02-25 19:11]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a034b3c6-2665-11dd-b323-001644bc7fc4}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-06-18 01:43:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-19 16:05:00 C:\WINDOWS\Tasks\OGADaily.job"
- C:\WINDOWS\system32\OGAVerify.exe
"2008-06-20 11:31:59 C:\WINDOWS\Tasks\OGALogon.job"
- C:\WINDOWS\system32\OGAVerify.exe
.
 

ceewi1

VIP Member
  • Open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    C:\WINDOWS\system32\nbuxtonv.dll
    C:\WINDOWS\system32\mtejfprj.dll
    C:\WINDOWS\system32\ayhxxrbt.dll
    C:\WINDOWS\system32\tplngtmn.dll
    C:\WINDOWS\system32\qwhffqyr.dll
    C:\WINDOWS\system32\wgtpaita.exe
    C:\WINDOWS\system32\wqmjebst.dll
    C:\WINDOWS\system32\dojttunq.dll
    C:\WINDOWS\system32\tjrwkjvw.exe
    C:\WINDOWS\system32\smswifys.dll
    C:\WINDOWS\system32\qhtpgyck.dll
    C:\WINDOWS\system32\yxgabave.dll
    C:\WINDOWS\system32\fxjgdkok.dll
    C:\WINDOWS\system32\vmmyibyr.exe
    C:\WINDOWS\system32\lddwskjf.dll
    C:\WINDOWS\system32\qqerciqr.dll
    C:\WINDOWS\system32\hgGASMdB.dll
    C:\WINDOWS\system32\ihpinktu.dll
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{853B95C0-607B-4596-97B0-74C4E2C657EF}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DD4A65C7-61D7-445F-BCF1-5065F765EAF9}]
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{DD4A65C7-61D7-445F-BCF1-5065F765EAF9}"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgGASMdB]
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMd76bfe83]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\d458cd1f]
  • Save this as CFScript.txt and change the Save as type to All Files and place it on your desktop.
    [screenshot: CFScript.gif]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply, along with a new HijackThis log. How is your system running now?
CAUTION:
Do NOT mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do NOT adjust your time format while ComboFix is running.
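The ComboFix log earlier in the thread shows the LSA `Authentication Packages` value carrying a second entry (`C:\WINDOWS\system32\yayyAsQk`) next to the stock `msv1_0`, and the CFScript above resets that value with a raw `hex(7):` string. The helper below is an added example, not part of the original posts or of ComboFix: it parses that ComboFix line, reports anything outside a baseline, and encodes/decodes the REGEDIT4-style `hex(7)` REG_MULTI_SZ so the reset value in the script can be verified before it is applied. The two sample strings are copied from the logs above; the baseline of only `msv1_0` is an assumption that holds for a stock XP install with no third-party authentication package.

```python
import re

# Stock Windows XP has only msv1_0 here. Anything extra is a DLL that LSASS
# loads at boot under SYSTEM: persistence that also sees logon credentials.
# Assumption: this machine has no legitimate third-party auth package.
BASELINE_AUTH_PACKAGES = ["msv1_0"]

# Copied from the ComboFix "Reg Loading Points" output in this thread.
COMBOFIX_LSA_LINE = (
    r"Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\yayyAsQk"
)

# Copied from the Registry:: section of the CFScript in this thread.
CFSCRIPT_LSA_VALUE = "hex(7):6d,73,76,31,5f,30,00,00"

_LSA_LINE_RE = re.compile(r"^\s*Authentication Packages\s+REG_MULTI_SZ\s+(.*?)\s*$")


def parse_combofix_auth_packages(line):
    """Split the package list ComboFix prints after REG_MULTI_SZ."""
    m = _LSA_LINE_RE.match(line)
    if not m:
        raise ValueError("not a ComboFix Authentication Packages line")
    # ComboFix separates the strings with spaces; LSA package names
    # (msv1_0, kerberos, or a system32 path) contain none on this box.
    return m.group(1).split()


def unexpected_auth_packages(packages, baseline=BASELINE_AUTH_PACKAGES):
    """Entries that are not in the trusted baseline (case-insensitive)."""
    allowed = {p.lower() for p in baseline}
    return [p for p in packages if p.lower() not in allowed]


def multi_sz_to_regedit4_hex7(strings):
    """Encode REG_MULTI_SZ in the REGEDIT4 (ANSI) hex(7) form the CFScript uses.

    Each string is followed by one NUL byte and the whole list by a final NUL.
    Files headed 'Windows Registry Editor Version 5.00' encode the same data
    as UTF-16LE instead, so their byte string would be twice as long.
    """
    data = b"".join(s.encode("ascii") + b"\x00" for s in strings) + b"\x00"
    return "hex(7):" + ",".join("%02x" % b for b in data)


def regedit4_hex7_to_multi_sz(value):
    """Inverse of multi_sz_to_regedit4_hex7, for auditing a script before running it."""
    prefix = "hex(7):"
    if not value.lower().startswith(prefix):
        raise ValueError("not a hex(7) value")
    raw = bytes(int(h, 16) for h in value[len(prefix):].split(","))
    return [s for s in raw.decode("ascii").split("\x00") if s]


def cfscript_restores_baseline(value, baseline=BASELINE_AUTH_PACKAGES):
    """True if applying the script value leaves exactly the baseline packages."""
    decoded = [p.lower() for p in regedit4_hex7_to_multi_sz(value)]
    return decoded == [p.lower() for p in baseline]


if __name__ == "__main__":
    found = parse_combofix_auth_packages(COMBOFIX_LSA_LINE)
    print("unexpected LSA packages:", unexpected_auth_packages(found))
    print("script resets to baseline:", cfscript_restores_baseline(CFSCRIPT_LSA_VALUE))
```

Running it flags `C:\WINDOWS\system32\yayyAsQk` as the only entry outside the baseline and confirms that `hex(7):6d,73,76,31,5f,30,00,00` decodes to exactly `msv1_0`, i.e. the script removes the hook rather than appending to it.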
 

camaro1185

New Member
HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:41, on 2008-06-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\WINDOWS\system32\nipalsm.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\nipalsm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.vernier.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BMd76bfe83] Rundll32.exe "C:\WINDOWS\system32\vrfqmbdx.dll",s
O4 - HKLM\..\Run: [d458cd1f] rundll32.exe "C:\WINDOWS\system32\ihpinktu.dll",b
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5852F5ED-8BF4-11D4-A245-0080C6F74284} (isInstalled Class) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL...-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://antivirus.wit.edu/webinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wit.private
O17 - HKLM\Software\..\Telephony: DomainName = wit.private
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wit.private
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wit.private
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: NI-488.2 Enumeration Service (ni488enumsvc) - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NI Device Loader (nidevldu) - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI PXI Resource Manager (nipxirmu) - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: Remote Solver for COSMOSFloWorks 2007 - Unknown owner - C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 11475 bytes
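Comparing this HijackThis log with the ComboFix log earlier in the thread: the same two HKLM Run keys (`BMd76bfe83` and `d458cd1f`) appear in both, but ComboFix saw them load `hturdljm.dll` and `flsqeele.dll` while HijackThis now shows `vrfqmbdx.dll` and `ihpinktu.dll`. The loader re-drops itself under a fresh eight-letter name on each boot, which is why deleting the DLLs by name alone does not stick. The script below is an added example, not part of the original posts or of either tool: it parses HijackThis `O4` lines and ComboFix `msconfig\startupreg` blocks, groups them by Run-key name, and flags keys whose module is a random-looking system32 DLL or whose module path changed between logs. The log excerpts are copied from the thread; the "exactly eight lowercase letters in system32" rule is an analyst's heuristic, not a vendor signature.

```python
import re
from collections import defaultdict

# Trimmed copies of the two logs posted in this thread.
HIJACKTHIS_O4 = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BMd76bfe83] Rundll32.exe "C:\WINDOWS\system32\vrfqmbdx.dll",s
O4 - HKLM\..\Run: [d458cd1f] rundll32.exe "C:\WINDOWS\system32\ihpinktu.dll",b
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"""

COMBOFIX_STARTUPREG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMd76bfe83]
C:\WINDOWS\system32\hturdljm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\d458cd1f]
C:\WINDOWS\system32\flsqeele.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-04-28 19:05 8429568 C:\WINDOWS\system32\NvCpl.dll
"""

# First drive-letter path ending in .dll/.exe; stops at a quote or at the
# comma that separates a rundll32 module from its entry point.
_PATH_RE = re.compile(r'([A-Za-z]:\\[^",]+?\.(?:dll|exe))', re.I)
_O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.*)$')
_STARTUPREG_RE = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig'
    r'\\startupreg\\([^\]]+)\]$', re.I)
# Heuristic (assumption): the loaders in this thread use exactly eight
# lowercase letters for the modules they drop into system32.
_RANDOM_STEM_RE = re.compile(r'^[a-z]{8}$')


def module_path(command):
    """Pull the launched module/DLL path out of a Run value or ComboFix line."""
    m = _PATH_RE.search(command)
    return m.group(1) if m else None


def parse_hijackthis_o4(text):
    """[(key_name, module_path)] for every O4 Run line in a HijackThis log."""
    out = []
    for line in text.splitlines():
        m = _O4_RE.match(line.strip())
        if m and module_path(m.group(3)):
            out.append((m.group(2), module_path(m.group(3))))
    return out


def parse_combofix_startupreg(text):
    """[(key_name, module_path)] for ComboFix msconfig\\startupreg blocks."""
    out, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = _STARTUPREG_RE.match(line)
        if m:
            key = m.group(1)          # header line; data follows on the next line
            continue
        if key and line:
            if module_path(line):
                out.append((key, module_path(line)))
            key = None
    return out


def is_random_system32_module(path):
    """True for <drive>:\\...\\system32\\<8 lowercase letters>.dll|exe."""
    parts = path.lower().split("\\")
    if len(parts) < 3 or parts[-2] != "system32":
        return False
    stem, _, ext = parts[-1].rpartition(".")
    return ext in ("dll", "exe") and bool(_RANDOM_STEM_RE.match(stem))


def correlate(*entry_lists):
    """Group module paths by Run-key name across any number of parsed logs."""
    by_key = defaultdict(set)
    for entries in entry_lists:
        for key, path in entries:
            by_key[key].add(path)
    return {k: sorted(v) for k, v in by_key.items()}


def suspicious_run_keys(by_key):
    """Keys whose module looks randomly named or changed between logs."""
    flagged = {}
    for key, paths in by_key.items():
        reasons = []
        if any(is_random_system32_module(p) for p in paths):
            reasons.append("random 8-letter system32 module")
        if len(paths) > 1:
            reasons.append("module path changed between logs")
        if reasons:
            flagged[key] = {"modules": paths, "reasons": reasons}
    return flagged


if __name__ == "__main__":
    keys = correlate(parse_hijackthis_o4(HIJACKTHIS_O4),
                     parse_combofix_startupreg(COMBOFIX_STARTUPREG))
    for key, info in sorted(suspicious_run_keys(keys).items()):
        print(key, info["reasons"], info["modules"])
```

On the two excerpts it flags only `BMd76bfe83` and `d458cd1f`, each for both reasons, and leaves `NvCplDaemon` and `swg` alone. In a real cleanup the Run key names, not the current DLL names, are the stable indicator to remove, which is what the CFScript above does with its `[-...\startupreg\BMd76bfe83]` and `[-...\startupreg\d458cd1f]` entries.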
 

camaro1185

New Member
Here is the log for the HijackThis and the ComboFix.

ComboFix 08-06-19.2 - varhuem 2008-06-20 8:08:39.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1391 [GMT -4:00]
Running from: C:\MATT C Drive\ComboFix.exe
Command switches used :: C:\MATT C Drive\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\ayhxxrbt.dll
C:\WINDOWS\system32\dojttunq.dll
C:\WINDOWS\system32\fxjgdkok.dll
C:\WINDOWS\system32\hgGASMdB.dll
C:\WINDOWS\system32\lddwskjf.dll
C:\WINDOWS\system32\mtejfprj.dll
C:\WINDOWS\system32\nbuxtonv.dll
C:\WINDOWS\system32\qhtpgyck.dll
C:\WINDOWS\system32\qqerciqr.dll
C:\WINDOWS\system32\qwhffqyr.dll
C:\WINDOWS\system32\smswifys.dll
C:\WINDOWS\system32\tjrwkjvw.exe
C:\WINDOWS\system32\tplngtmn.dll
C:\WINDOWS\system32\vmmyibyr.exe
C:\WINDOWS\system32\wgtpaita.exe
C:\WINDOWS\system32\wqmjebst.dll
C:\WINDOWS\system32\yxgabave.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMd76bfe83.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\ayhxxrbt.dll
C:\WINDOWS\system32\dojttunq.dll
C:\WINDOWS\system32\fxjgdkok.dll
C:\WINDOWS\system32\hgGASMdB.dll
C:\WINDOWS\system32\kQsAyyay.ini
C:\WINDOWS\system32\kQsAyyay.ini2
C:\WINDOWS\system32\lddwskjf.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mtejfprj.dll
C:\WINDOWS\system32\nbuxtonv.dll
C:\WINDOWS\system32\qhtpgyck.dll
C:\WINDOWS\system32\qqerciqr.dll
C:\WINDOWS\system32\qwhffqyr.dll
C:\WINDOWS\system32\smswifys.dll
C:\WINDOWS\system32\tjrwkjvw.exe
C:\WINDOWS\system32\tplngtmn.dll
C:\WINDOWS\system32\utkniphi.ini
C:\WINDOWS\system32\vmmyibyr.exe
C:\WINDOWS\system32\wgtpaita.exe
C:\WINDOWS\system32\wqjvlods.dll
C:\WINDOWS\system32\wqmjebst.dll
C:\WINDOWS\system32\yayyAsQk.dll
C:\WINDOWS\system32\yxgabave.dll
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\BMd76bfe83.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aylknvco.dll
C:\WINDOWS\system32\bhyjbnli.dll
C:\WINDOWS\system32\bkbvxcgh.dll
C:\WINDOWS\system32\buewmnky.dll
C:\WINDOWS\system32\bwtavvaw.ini
C:\WINDOWS\system32\djphvggt.ini
C:\WINDOWS\system32\dkipppvp.dll
C:\WINDOWS\system32\DLlUuBeg.ini
C:\WINDOWS\system32\DLlUuBeg.ini2
C:\WINDOWS\system32\eapoytgt.dll
C:\WINDOWS\system32\efmfifoj.dll
C:\WINDOWS\system32\eleeqslf.ini
C:\WINDOWS\system32\emccgrad.dll
C:\WINDOWS\system32\fknuxkvj.ini
C:\WINDOWS\system32\fkuiwjte.ini
C:\WINDOWS\system32\foelccet.exe
C:\WINDOWS\system32\fqvvtejf.dll
C:\WINDOWS\system32\fshwgjmw.dll
C:\WINDOWS\system32\fvavojtx.dll
C:\WINDOWS\system32\geBuUlLD.dll
C:\WINDOWS\system32\ghevlqfo.ini
C:\WINDOWS\system32\gsoyhdrl.ini
C:\WINDOWS\system32\gwmcekuh.ini
C:\WINDOWS\system32\gxieirih.dll
C:\WINDOWS\system32\hldppsti.dll
C:\WINDOWS\system32\hovcgsnu.exe
C:\WINDOWS\system32\hpqqpcch.dll
C:\WINDOWS\system32\hturdljm.dll
C:\WINDOWS\system32\hukecmwg.dll
C:\WINDOWS\system32\hxjdavhe.dll
C:\WINDOWS\system32\hxsxuwlt.dll
C:\WINDOWS\system32\imymxxdk.dll
C:\WINDOWS\system32\ioujeptc.dll
C:\WINDOWS\system32\jcvrcejk.dll
C:\WINDOWS\system32\jdpqpfhj.dll
C:\WINDOWS\system32\jevrxvuw.dll
C:\WINDOWS\system32\jgmgqxyo.exe
C:\WINDOWS\system32\jyknilve.dll
C:\WINDOWS\system32\kbsywbsu.dll
C:\WINDOWS\system32\kkbfueni.dll
C:\WINDOWS\system32\kqvfgrrc.dll
C:\WINDOWS\system32\laoicyaf.dll
C:\WINDOWS\system32\ldapvubl.ini
C:\WINDOWS\system32\lnlsltox.dll
C:\WINDOWS\system32\lsilapab.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mdngerwv.exe
C:\WINDOWS\system32\mppuypwg.ini
C:\WINDOWS\system32\mrpaugxr.ini
C:\WINDOWS\system32\myatvapw.dll
C:\WINDOWS\system32\nkedxhlx.dll
C:\WINDOWS\system32\ocgaxpqm.ini
C:\WINDOWS\system32\ocwjkshh.dll
C:\WINDOWS\system32\odwwrhuu.ini
C:\WINDOWS\system32\oqiitkvf.ini
C:\WINDOWS\system32\owqpempy.exe
C:\WINDOWS\system32\oxfibyqs.ini
C:\WINDOWS\system32\pgywdayp.exe
C:\WINDOWS\system32\qdmvntmh.dll
C:\WINDOWS\system32\qksdbcpi.dll
C:\WINDOWS\system32\qyrehyhg.ini
C:\WINDOWS\system32\rfbsoadc.dll
C:\WINDOWS\system32\rmbhmhpj.exe
C:\WINDOWS\system32\rslvlkgp.exe
C:\WINDOWS\system32\TtAHPqru.ini
C:\WINDOWS\system32\TtAHPqru.ini2
C:\WINDOWS\system32\uuhrwwdo.dll
C:\WINDOWS\system32\vahfwjxt.dll
C:\WINDOWS\system32\vdmhddqq.ini
C:\WINDOWS\system32\vmvowmaw.exe
C:\WINDOWS\system32\wdbltxau.dll
C:\WINDOWS\system32\WEfOqXyb.ini
C:\WINDOWS\system32\WEfOqXyb.ini2
C:\WINDOWS\system32\wjkfqkoc.dll
C:\WINDOWS\system32\wmjgwhsf.ini
C:\WINDOWS\system32\wuvxrvej.ini
C:\WINDOWS\system32\xlkhvhlq.dll
C:\WINDOWS\system32\yfwwrwiq.exe
C:\WINDOWS\system32\yjwwprht.dll
C:\WINDOWS\system32\yrvckije.dll
E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-05-20 to 2008-06-20 )))))))))))))))))))))))))))))))
.

2008-06-20 07:41 . 2008-06-20 07:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-20 07:40 . 2008-06-20 07:40 79,360 --a------ C:\WINDOWS\system32\ihpinktu.dll
2008-06-20 07:38 . 2008-06-20 07:38 90,112 --a------ C:\WINDOWS\system32\vrfqmbdx.dll
2008-06-18 22:22 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-06-18 22:22 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-06-18 22:22 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-06-18 22:22 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-06-18 14:44 . 2008-06-18 14:44 <DIR> d-------- C:\Program Files\CCleaner
2008-06-18 12:39 . 2008-06-18 14:29 <DIR> d-------- C:\Incomplete
2008-06-18 12:38 . 2008-06-18 14:30 <DIR> d-------- C:\Documents and Settings\varhuem\Application Data\LimeWire
2008-06-18 12:37 . 2008-06-18 12:38 <DIR> d-------- C:\Program Files\LimeWire
2008-06-18 11:45 . 2008-06-18 11:45 <DIR> d-------- C:\Documents and Settings\varhuem\Application Data\STOPzilla!
2008-06-18 11:44 . 2008-06-18 20:52 <DIR> d-------- C:\Program Files\STOPzilla!
2008-06-18 11:42 . 2008-06-18 11:54 <DIR> d-------- C:\Program Files\Desktop Armor
2008-06-16 18:56 . 2008-06-16 18:57 99 --a------ C:\WINDOWS\WirelessFTP.INI
2008-06-15 12:13 . 2008-06-15 12:13 <DIR> d-------- C:\Program Files\AOD
2008-06-15 12:13 . 2008-06-15 12:13 <DIR> d-------- C:\Program Files\AIM
2008-06-15 12:13 . 2008-06-15 12:14 <DIR> d-------- C:\Documents and Settings\varhuem\Application Data\Aim
2008-06-15 12:13 . 2002-12-18 18:46 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-06-15 11:52 . 2008-06-18 20:43 2,397 --a------ C:\WINDOWS\mozver.dat
2008-06-09 15:03 . 2008-06-09 15:03 0 --a------ C:\WINDOWS\MS.INI
2008-06-08 16:26 . 2008-06-08 16:26 <DIR> d-------- C:\Documents and Settings\varhuem\Application Data\CiscoCAA
2008-06-08 16:25 . 2008-06-08 16:25 <DIR> d-------- C:\savinstall
2008-06-08 16:25 . 2008-06-08 16:25 <DIR> d-------- C:\Program Files\Cisco Systems
2008-06-02 14:58 . 2008-06-02 15:11 27 --a------ C:\WINDOWS\settings.ini
2008-05-29 15:28 . 2008-05-29 15:28 <DIR> d-------- C:\Documents and Settings\varhuem\Application Data\DivX
2008-05-29 15:27 . 2008-05-29 15:27 <DIR> d-------- C:\Program Files\DivX
2008-05-29 15:27 . 2007-07-09 15:07 118,520 --a------ C:\WINDOWS\system32\pxinsi64.exe
2008-05-29 15:27 . 2007-07-09 15:07 116,472 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2008-05-29 15:23 . 2008-05-29 15:23 <DIR> d-------- C:\Program Files\AC3Filter
2008-05-27 19:57 . 2008-05-27 19:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-22 13:34 . 2008-05-22 13:34 <DIR> d-------- C:\Program Files\Google
2008-05-22 13:34 . 2008-06-19 07:47 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-21 21:54 . 2008-06-18 13:37 <DIR> d-------- C:\Documents and Settings\varhuem\Application Data\uTorrent
2008-05-21 21:53 . 2008-06-15 12:31 <DIR> d-------- C:\Program Files\uTorrent
2008-05-21 16:18 . 2008-06-19 20:27 476 --a------ C:\WINDOWS\hpbafd.ini
2008-05-21 14:17 . 1998-06-18 00:00 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2008-05-21 14:16 . 2008-06-16 14:26 <DIR> d-------- C:\Program Files\matlib
2008-05-21 14:15 . 2008-05-21 14:17 <DIR> d-------- C:\MATLIB
2008-05-21 14:15 . 2008-05-21 14:15 78 --a------ C:\WINDOWS\mes.ini
2008-05-21 14:07 . 1996-12-09 13:51 703,984 --a------ C:\WINDOWS\system32\Ss32x25.ocx
2008-05-21 14:07 . 1998-06-24 00:00 260,920 --a------ C:\WINDOWS\system32\MSDATGRD.OCX
2008-05-21 14:07 . 1995-12-04 14:09 210,944 --a------ C:\WINDOWS\system32\MSVCRT10.DLL
2008-05-21 14:07 . 1998-06-18 00:00 146,944 --a------ C:\WINDOWS\system32\VB6EXT.OLB
2008-05-21 14:01 . 2008-05-21 14:08 <DIR> d-------- C:\Program Files\CAMWorks2008-07
2008-05-21 13:56 . 2008-05-21 13:58 <DIR> d-------- C:\Program Files\CAMWorksFlexLM
2008-05-21 12:38 . 2008-05-21 12:40 <DIR> d-------- C:\Program Files\Winamp
2008-05-21 12:38 . 2008-05-21 12:40 <DIR> d-------- C:\Documents and Settings\varhuem\Application Data\Winamp
2008-05-21 09:52 . 2008-05-21 09:52 0 --a------ C:\WINDOWS\system32\history.aaw
2008-05-21 09:51 . 2008-06-15 15:06 153 --a------ C:\WINDOWS\wininit.ini
2008-05-21 09:25 . 2008-05-21 09:25 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-21 09:25 . 2008-05-21 09:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-21 09:24 . 2008-05-21 09:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-21 09:23 . 2008-06-16 14:39 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-21 09:23 . 2008-06-16 14:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-20 15:39 . 2008-05-21 13:48 7,680 --ahs---- C:\WINDOWS\Thumbs.db

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-20 12:14 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-06-20 03:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-18 02:08 --------- d-----w C:\Documents and Settings\varhuem\Application Data\U3
2008-06-16 22:28 --------- d-----w C:\Program Files\SolidWorks
2008-06-16 22:27 --------- d-----w C:\Documents and Settings\Default User\Application Data\SolidWorks
2008-06-02 18:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-21 18:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-19 18:04 --------- d-----w C:\Program Files\LMC
2008-05-19 18:04 --------- d-----w C:\Program Files\Common Files\LMC
2008-05-16 23:36 --------- d-----w C:\Program Files\Avanquest update
2008-05-16 23:35 --------- d-----w C:\Program Files\Motorola Phone Tools
2008-05-16 23:34 --------- d-----w C:\Program Files\Common Files\Motorola Shared
2008-05-16 23:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-05-16 19:12 --------- d-----w C:\Program Files\Motorola USB Drivers
2008-05-15 19:48 --------- d-----w C:\Program Files\Investintech.com Inc
2008-05-15 00:12 --------- d-----w C:\Documents and Settings\varhuem\Application Data\vlc
2008-05-15 00:11 --------- d-----w C:\Program Files\VideoLAN
2008-05-15 00:11 --------- d-----w C:\Program Files\AIM6
2008-05-15 00:11 --------- d-----w C:\Documents and Settings\varhuem\Application Data\acccore
2008-05-15 00:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-05-15 00:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-05-15 00:10 --------- d-----w C:\Program Files\Common Files\AOL
2008-05-06 13:29 --------- d-----w C:\Program Files\Common Files\Bcgsoft
2008-05-06 12:16 --------- d-----w C:\Program Files\Microsoft Works
2008-05-02 14:04 --------- d-----w C:\Documents and Settings\varhuem\Application Data\SolidWorks
2008-05-01 18:32 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-05-01 18:32 --------- d-----w C:\Program Files\Common Files\L&H
2008-05-01 18:19 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-05-01 18:17 --------- d-----w C:\Documents and Settings\setup.WIT-B94B9000F37\Application Data\Autodesk
2008-05-01 18:16 --------- d-----w C:\Program Files\Autodesk
2008-04-30 15:48 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-04-30 15:48 --------- d-----w C:\Program Files\Common Files\Merge Modules
2008-04-29 15:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 15:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 15:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-22 19:31 --------- d-----w C:\Program Files\Java
2008-04-22 19:30 --------- d-----w C:\Program Files\Common Files\Java
2008-04-22 19:15 --------- d-----w C:\Program Files\QuickTime
2008-04-22 19:15 --------- d-----w C:\Documents and Settings\varhuem\Application Data\Apple Computer
2008-04-22 19:15 --------- d-----w C:\Documents and Settings\setup.WIT-B94B9000F37\Application Data\Apple Computer
2008-04-22 19:15 --------- d-----w C:\Documents and Settings\Default User\Application Data\Apple Computer
2008-04-22 19:15 --------- d-----w C:\Documents and Settings\admin\Application Data\Apple Computer
2008-04-22 19:14 --------- d-----w C:\Program Files\Apple Software Update
2008-04-22 19:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-22 19:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-04-17 07:19 737,280 ----a-w C:\WINDOWS\iun6002.exe
2004-03-15 21:51 114,688 ----a-w C:\Program Files\internet explorer\plugins\LV71ActiveXControl.dll
2003-05-01 13:36 114,688 ----a-w C:\Program Files\internet explorer\plugins\LV7ActiveXControl.dll
2006-01-23 14:32 131,072 ----a-w C:\Program Files\internet explorer\plugins\LV80ActiveXControl.dll
2007-02-08 14:48 133,920 ----a-w C:\Program Files\internet explorer\plugins\LV82ActiveXControl.dll
.

((((((((((((((((((((((((((((( snapshot@2008-06-20_ 7.37.16.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-20 11:15:04 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-20 12:13:48 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-06-20 11:33:55 122,312 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-06-20 11:57:39 122,830 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-06-20 11:33:55 546,116 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-06-20 11:57:39 546,992 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-23 12:53 68856]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-03-25 16:21 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVHotkey"="nvHotkey.dll" [2007-04-28 19:05 67584 C:\WINDOWS\system32\nvhotkey.dll]
"NvMediaCenter"="NvMCTray.dll" [2007-04-28 19:05 81920 C:\WINDOWS\system32\nvmctray.dll]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-03 20:56 143360]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-28 19:05 8429568]

C:\Documents and Settings\admin\Start Menu\Programs\Startup\
Shortcut to bg.lnk - C:\Documents and Settings\Administrator\BGinfo\bg.bat [2008-04-17 10:19:11 34]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Shortcut to bg.lnk - C:\Documents and Settings\Administrator\BGinfo\bg.bat [2008-04-17 10:19:11 34]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2746289630-3061505222-2800193894-17919\Scripts\Logon\0\0]
"Script"=\\wit.private\SysVol\wit.private\scripts\students.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=C:\WINDOWS\pss\Bluetooth Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
--a------ 2007-03-20 16:40 1884160 C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIMWDInstallFilename]
--------- 2004-01-12 16:29 102400 C:\PROGRA~1\AIM\AIMWDI~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2007-07-02 13:29 159744 C:\Program Files\DellTPad\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
--a------ 2007-10-09 19:17 2183168 C:\WINDOWS\system32\WLTRAY.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2006-03-07 13:02 53408 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
C:\Program Files\Spyware Doctor\pctsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-04-28 19:05 8429568 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-04-28 19:05 81920 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-04-28 19:05 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpStopperProfessional]
C:\Program Files\Panicware\Pop-Up Stopper Professional\PopUpStopperProfessional.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2007-02-19 14:26 303104 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
--a------ 2004-08-03 20:56 143360 C:\WINDOWS\system32\mobsync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
--a------ 2006-03-17 06:34 124656 C:\PROGRA~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R0 NIPALK;NIPALK;C:\WINDOWS\system32\drivers\nipalk.sys [2007-02-15 22:59]
R0 nipbcfk;National Instruments Class Upper Filter Driver;C:\WINDOWS\system32\drivers\nipbcfk.sys [2007-02-15 17:23]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;"C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe" -service []
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2007-02-21 10:00]
R2 mxssvr;NI Configuration Manager;"C:\Program Files\National Instruments\MAX\nimxs.exe" [2007-03-20 16:19]
R2 NextMove;NextMove;C:\WINDOWS\system32\drivers\NEXTMOVE.SYS [1999-08-27 09:40]
R2 ni488enumsvc;NI-488.2 Enumeration Service;C:\WINDOWS\system32\nipalsm.exe [2007-02-16 10:21]
R2 niarbk;niarbk;C:\WINDOWS\system32\drivers\niarbk.dll [2007-02-02 09:36]
R2 nibffrk;nibffrk;C:\WINDOWS\system32\drivers\nibffrk.dll [2007-02-02 09:37]
R2 nidevldu;NI Device Loader;C:\WINDOWS\system32\nipalsm.exe [2007-02-16 10:21]
R2 nimdsk;nimdsk;C:\WINDOWS\system32\drivers\nimdsk.dll [2007-02-02 09:37]
R2 nipxirmk;nipxirmk;C:\WINDOWS\system32\drivers\nipxirmkl.sys [2007-02-22 11:18]
R2 nistck;nistck;C:\WINDOWS\system32\drivers\nistck.dll [2007-02-02 09:38]
R2 NITaggerService;National Instruments Variable Engine;"C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe" [2007-02-06 22:47]
R2 NiViPxiK;NI-VISA PXI Driver;C:\WINDOWS\system32\drivers\NiViPxiKl.sys [2007-02-23 10:25]
R2 Remote Solver for COSMOSFloWorks 2007;Remote Solver for COSMOSFloWorks 2007;"C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe" [2007-02-27 17:27]
R3 nidimk;nidimk;C:\WINDOWS\system32\drivers\nidimkl.sys [2007-02-21 22:20]
R3 nimdbgk;nimdbgk;C:\WINDOWS\system32\drivers\nimdbgkl.sys [2007-02-21 21:46]
R3 nimru2k;nimru2k;C:\WINDOWS\system32\drivers\nimru2kl.sys [2007-02-21 22:39]
R3 nimstsk;nimstsk;C:\WINDOWS\system32\drivers\nimstskl.sys [2007-02-25 20:12]
R3 nimxdfk;nimxdfk;C:\WINDOWS\system32\drivers\nimxdfkl.sys [2007-02-21 22:10]
R3 niorbk;niorbk;C:\WINDOWS\system32\drivers\niorbkl.sys [2007-02-21 21:39]
S2 Nidaq32k;Nidaq32k;C:\WINDOWS\system32\drivers\Nidaq32k.sys [2007-02-02 10:55]
S2 nidmmk;NI DMM and Data Logger Kernel Driver;C:\WINDOWS\system32\drivers\nidmmk.dll [2007-02-02 10:57]
S3 lvalarmk;lvalarmk;C:\WINDOWS\system32\drivers\lvalarmk.sys [2007-01-11 10:18]
S3 ni1006k;NI PXI-1006 Chassis Pilot;C:\WINDOWS\system32\drivers\ni1006k.sys [2007-02-22 11:40]
S3 ni1045k;NI PXI-1045 Chassis Pilot;C:\WINDOWS\system32\drivers\ni1045kl.sys [2007-02-22 11:43]
S3 ni488lock;NI-488.2 Locking Service;C:\WINDOWS\system32\drivers\ni488lock.sys [2007-02-26 12:40]
S3 nicdrk;nicdrk;C:\WINDOWS\system32\drivers\nicdrkl.sys [2007-02-22 18:18]
S3 nidmxfk;nidmxfk;C:\WINDOWS\system32\drivers\nidmxfkl.sys [2007-02-25 20:12]
S3 nidsark;nidsark;C:\WINDOWS\system32\drivers\nidsarkl.sys [2007-02-23 17:43]
S3 nidwgk;nidwgk;C:\WINDOWS\system32\drivers\nidwgkl.sys [2007-02-23 22:32]
S3 niemrk;niemrk;C:\WINDOWS\system32\drivers\niemrkl.sys [2007-02-25 19:13]
S3 niesrk;niesrk;C:\WINDOWS\system32\drivers\niesrkl.sys [2007-02-25 19:13]
S3 nifslk;nifslk;C:\WINDOWS\system32\drivers\nifslkl.sys [2007-02-22 13:21]
S3 nigplk;nigplk;C:\WINDOWS\system32\drivers\nigplkl.sys [2007-02-23 16:20]
S3 nihsdrk;nihsdrk;C:\WINDOWS\system32\drivers\nihsdrkl.sys [2007-02-24 01:10]
S3 nimsdrk;nimsdrk;C:\WINDOWS\system32\drivers\nimsdrkl.sys [2007-02-25 20:10]
S3 nimslk;nimslk;C:\WINDOWS\system32\drivers\nimslk.dll [2006-12-18 12:55]
S3 nimsrlk;nimsrlk;C:\WINDOWS\system32\drivers\nimsrlk.dll [2006-12-18 12:55]
S3 nimxpk;nimxpk;C:\WINDOWS\system32\drivers\nimxpkl.sys [2007-02-22 13:26]
S3 ninshsdk;ninshsdk;C:\WINDOWS\system32\drivers\ninshsdkl.sys [2007-02-23 17:25]
S3 nipalfwedl;nipalfwedl;C:\WINDOWS\system32\drivers\nipalfwedl.sys [2007-02-15 23:00]
S3 nipalusbedl;nipalusbedl;C:\WINDOWS\system32\drivers\nipalusbedl.sys [2007-02-15 23:00]
S3 nipsdk;nipsdk;C:\WINDOWS\system32\drivers\nipsdkl.sys [2007-02-23 22:19]
S3 nipxigpk;NI PXI Generic Chassis Pilot;C:\WINDOWS\system32\drivers\nipxigpk.sys [2007-02-22 11:45]
S3 nirfsa2k;nirfsa2k;C:\WINDOWS\system32\drivers\nirfsa2kl.sys [2007-02-24 04:19]
S3 niscdk;niscdk;C:\WINDOWS\system32\drivers\niscdkl.sys [2007-02-26 16:31]
S3 nisdigk;nisdigk;C:\WINDOWS\system32\drivers\nisdigkl.sys [2007-02-25 19:11]
S3 nisftk;nisftk;C:\WINDOWS\system32\drivers\nisftkl.sys [2007-02-24 00:17]
S3 nisldk;nisldk;C:\WINDOWS\system32\drivers\nisldkl.sys [2007-02-23 22:05]
S3 nismbusk;nismbusk;C:\WINDOWS\system32\drivers\nismbusk.sys [2007-02-22 11:34]
S3 nispdk;nispdk;C:\WINDOWS\system32\drivers\nispdkl.sys [2007-02-26 16:31]
S3 nisrcdk;nisrcdk;C:\WINDOWS\system32\drivers\nisrcdkl.sys [2007-02-23 22:28]
S3 nissrk;nissrk;C:\WINDOWS\system32\drivers\nissrkl.sys [2007-02-25 19:13]
S3 nistc2k;nistc2k;C:\WINDOWS\system32\drivers\nistc2kl.sys [2007-02-22 20:17]
S3 nistcrk;nistcrk;C:\WINDOWS\system32\drivers\nistcrkl.sys [2007-02-23 03:14]
S3 niswdk;niswdk;C:\WINDOWS\system32\drivers\niswdkl.sys [2007-02-23 20:44]
S3 nitiork;nitiork;C:\WINDOWS\system32\drivers\nitiorkl.sys [2007-02-23 15:54]
S3 nitnr2k;nitnr2k;C:\WINDOWS\system32\drivers\nitnr2kl.sys [2007-02-24 00:09]
S3 NiViFWK;NI-VISA FireWire Driver;C:\WINDOWS\system32\drivers\NiViFWKl.sys [2007-02-22 10:42]
S3 NiViPciK;NI-VISA PCI Driver;C:\WINDOWS\system32\drivers\NiViPciKl.sys [2007-02-23 10:25]
S3 niwfrk;niwfrk;C:\WINDOWS\system32\drivers\niwfrkl.sys [2007-02-25 19:13]
S3 nixsrk;nixsrk;C:\WINDOWS\system32\drivers\nixsrkl.sys [2007-02-25 19:13]
S3 usb6xxxk;usb6xxxk;C:\WINDOWS\system32\drivers\usb6xxxk.sys [2007-02-25 19:11]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{644520cc-2277-11dd-b316-001e37ed397d}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a034b3c6-2665-11dd-b323-001644bc7fc4}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-06-18 01:43:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-19 16:05:00 C:\WINDOWS\Tasks\OGADaily.job"
- C:\WINDOWS\system32\OGAVerify.exe
"2008-06-20 12:14:01 C:\WINDOWS\Tasks\OGALogon.job"
- C:\WINDOWS\system32\OGAVerify.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-20 08:14:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stacsv.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2008-06-20 8:19:31 - machine was rebooted [varhuem]
ComboFix-quarantined-files.txt 2008-06-20 12:19:23

Pre-Run: 120,213,803,008 bytes free
Post-Run: 120,226,344,960 bytes free

460 --- E O F --- 2008-05-14 20:19:24
 

camaro1185

New Member
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:20, on 2008-06-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\WINDOWS\system32\nipalsm.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\nipalsm.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\mobsync.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.vernier.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5852F5ED-8BF4-11D4-A245-0080C6F74284} (isInstalled Class) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL...-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://antivirus.wit.edu/webinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wit.private
O17 - HKLM\Software\..\Telephony: DomainName = wit.private
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wit.private
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wit.private
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: NI-488.2 Enumeration Service (ni488enumsvc) - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NI Device Loader (nidevldu) - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI PXI Resource Manager (nipxirmu) - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: Remote Solver for COSMOSFloWorks 2007 - Unknown owner - C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 11576 bytes
 

camaro1185

New Member
Thanks for the help. It seems to be running a lot better now. I'm gonna see if I get any problems during the day today, but it looks good. Thanks again.
 

ceewi1

VIP Member
Great, the active infection has been removed. Just a couple of last things that can be removed for cleanup purposes.

Please run HijackThis and choose Do a system scan only.

Place a check next to the following entries:

  • O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
Please close all open windows except for HijackThis and choose Fix checked

Please delete the following files:
C:\WINDOWS\system32\ihpinktu.dll
C:\WINDOWS\system32\vrfqmbdx.dll

Please click on Start -> Run. Type ComboFix /u and click OK.
Note the space between ComboFix and the /u.
This will remove the backups that ComboFix has created as well as the program itself.



Below I have included some ideas on how to prevent future infections.

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.

Please navigate to http://windowsupdate.microsoft.com and download all the Critical Updates for Windows. These will patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

As a minimum, you need at least an antivirus, firewall and some type of anti-spyware program.

Some good free firewalls are ZoneAlarm, Kerio, or Outpost. All of these will provide a far greater level of protection than the firewall built into Windows.
A tutorial on understanding and using firewalls may be found here.

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's
Immunize and TeaTimer features if you don't have the resident part of another anti-spyware program running.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.

If you use Internet Explorer, it is a good idea to use IE-Spyad which provides protections against malicious websites.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster and IE-Spyad can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money, and some malware actually claims to be a security program. If you get a popup for a security program that you did not install yourself, do NOT click on it, and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure or are looking for anti-spyware programs, you can find out if one is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker, and add-ons like NoScript can make it even more secure. Opera is another good option.
If you are interested, Firefox may be downloaded from here.
Opera is available here: http://www.opera.com/download/

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help. :)
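The triage above was done by hand; here is an added example (not from this thread, and not part of HijackThis itself) that parses lines in the HijackThis log format and flags the two patterns the helper acted on: an O3 toolbar with no name and no file on disk, and O23 services listed with "Unknown owner", which deserve manual verification of the binary. The sample lines are constructed to mirror entries of the kind seen in the log.

```python
import re

# Constructed sample lines in HijackThis format (not the full log from the
# thread): one orphaned O3 toolbar, one signed-vendor service, two services
# whose publisher field reads "Unknown owner".
SAMPLE_LOG = "\n".join([
    "O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)",
    "O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation"
    " - C:\\Program Files\\Common Files\\Symantec Shared\\ccEvtMgr.exe",
    "O23 - Service: Remote Solver for COSMOSFloWorks 2007 - Unknown owner"
    " - C:\\Program Files\\SolidWorks\\COSMOS\\FloWorks\\binCFW\\StandAloneSlv.exe",
    "O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner"
    " - C:\\WINDOWS\\System32\\WLTRYSVC.EXE",
])

# Every HijackThis entry starts with a section tag such as O3 or O23.
LINE_RE = re.compile(r"^(O\d+) - (.*)$")


def parse_hjt_line(line):
    """Split one log line into its section tag and ' - '-separated fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # blank line, header or footer, not an entry
    section, rest = m.groups()
    fields = [f.strip() for f in rest.split(" - ")]
    return {"section": section, "fields": fields, "raw": line.strip()}


def flag_entry(entry):
    """Return the reasons (if any) an entry should get a closer look."""
    reasons = []
    fields = entry["fields"]
    if entry["section"] == "O3" and "(no file)" in fields and "(no name)" in fields[0]:
        reasons.append("orphaned toolbar entry: no name and no file on disk")
    if entry["section"] == "O23" and "Unknown owner" in fields:
        reasons.append("service without a publisher string: verify the binary manually")
    return reasons


def review_log(text):
    """Parse each line and collect (raw line, reasons) for flagged entries."""
    findings = []
    for line in text.splitlines():
        entry = parse_hjt_line(line)
        if entry is not None and flag_entry(entry):
            findings.append((entry["raw"], flag_entry(entry)))
    return findings


if __name__ == "__main__":
    for raw, reasons in review_log(SAMPLE_LOG):
        print(raw, "->", "; ".join(reasons))
```

An "Unknown owner" hit is only a prompt to check the file (publisher, path, signature), as the Dell WLAN service shows it is often benign.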