hjt report help

cjswhufc

New Member
There is something wrong with my PC. Can somebody please look at my HJT report?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:18:07 PM, on 5/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\csrs.exe
C:\WINDOWS\system32\logon.exe
C:\WINDOWS\system32\spooIsv.exe
C:\WINDOWS\system32\fbwmqp.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\158.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Administrator\Administrator.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\158.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\752.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Network Firewall] C:\WINDOWS\System32\firewall.exe
O4 - HKLM\..\Run: [Client Server Runtime Process] C:\WINDOWS\system32\csrs.exe
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\system32\logon.exe
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\system32\spooIsv.exe
O4 - HKLM\..\Run: [PromoReg] C:\WINDOWS\system32\fbwmqp.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Advanced DHTML Enable] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\752.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Administrator] C:\Documents and Settings\Administrator\Administrator.exe /i
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [32NFG94-H61-2SF-N1P-5M1ERH6L6] C:\RECYCLER\S-1-5-21-2750324537-1025774636-323076975-5876\winIgn.exe
O4 - HKCU\..\Run: [12CFG515-K641-55SF-N66P] C:\RECYCLER\S-1-5-21-0243636035-3055115376-381863306-1556\pqlmq.exe
O4 - HKCU\..\Run: [12CFG515-K641-55SF-N55P] C:\RECYCLER\S-1-5-21-0243336035-3055115375-381863305-1553\vslmq.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 6481 bytes
 
Hello:

Download and Run ComboFix
If you already have ComboFix, please delete this copy and download it again, as it's being updated regularly.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any processes named findstr, find, sed or swreg; then ComboFix should continue.
If that happened we want to know, and also which process you had to end.


How to run a scan with Malwarebytes' Anti-Malware

Download Malwarebytes' Anti-Malware from Here, Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Download and post a log with HiJackThis.

Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Double click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
  • Click Save to save the log file and then the log will open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


In your next reply I will need:
  • The ComboFix log
  • The Malwarebytes' log
  • A HiJackThis log done after the other two scans
  • An update on how your computer is running
 
This is the ComboFix report:
ComboFix 09-05-05.03 - Administrator 05/06/2009 9:09.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2918 [GMT 1:00]
Running from: E:\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ADMINI~1\LOCALS~1\Temp\tmp2.tmp
c:\documents and settings\Administrator\Administrator.exe
c:\windows\system32\csrs.exe
c:\windows\system32\logon.exe
c:\windows\system32\spooisv.exe
c:\windows\system32\ssms.exe
E:\Autorun.inf
e:\recycler\Desktop.ini
e:\recycler\lassas.exe

.
((((((((((((((((((((((((( Files Created from 2009-04-06 to 2009-05-06 )))))))))))))))))))))))))))))))
.

2009-05-05 22:33 . 2009-05-05 22:33 -------- d-----w c:\program files\ToniArts
2009-05-05 22:32 . 2009-05-05 22:32 90624 ----a-w c:\windows\system32\fnphc.exe
2009-05-05 22:32 . 2009-05-05 22:32 90624 ----a-w c:\windows\system32\bwglvys.exe
2009-05-05 22:27 . 2009-05-05 22:27 90624 ----a-w c:\windows\system32\nxtity.exe
2009-05-05 22:16 . 2009-05-05 22:16 -------- d-----w c:\program files\Trend Micro
2009-05-05 22:14 . 2009-05-05 22:14 90624 ----a-w c:\windows\system32\fgrt.exe
2009-05-05 22:00 . 2009-05-05 22:00 -------- d-----w c:\program files\Common Files\InstallShield
2009-05-05 21:35 . 2009-05-05 21:35 90624 ----a-w c:\windows\system32\nyunn.exe
2009-05-05 21:29 . 2009-05-05 21:29 90624 ----a-w c:\windows\system32\wojm.exe
2009-05-05 21:27 . 2004-08-03 22:08 26496 -c--a-w c:\windows\system32\dllcache\usbstor.sys
2009-05-05 20:19 . 2009-05-05 20:19 90624 ----a-w c:\windows\system32\hwcdso.exe
2009-05-05 20:16 . 2009-05-05 20:16 -------- d-----w c:\program files\Alwil Software
2009-05-05 20:13 . 2009-05-05 20:13 90624 ----a-w c:\windows\system32\qcoweu.exe
2009-05-05 20:13 . 2009-05-05 20:13 90624 ----a-w c:\windows\system32\kbkmp.exe
2009-05-05 20:05 . 2006-10-26 18:56 32592 ----a-w c:\windows\system32\msonpmon.dll
2009-05-05 20:05 . 2009-05-05 20:05 -------- d-----w c:\program files\Microsoft Works
2009-05-05 20:05 . 2009-05-05 20:05 -------- d-----w c:\program files\MSBuild
2009-05-05 20:03 . 2009-05-05 20:03 -------- d-----w c:\windows\SHELLNEW
2009-05-05 20:02 . 2009-05-05 20:02 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft Help
2009-05-05 20:02 . 2009-05-05 20:10 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-05 19:58 . 2009-05-05 19:58 -------- d--h--r C:\MSOCache
2009-05-05 19:52 . 2009-05-05 19:52 -------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-05-05 19:48 . 2009-05-05 19:48 -------- d-----w c:\program files\Common Files\Control Panels
2009-05-05 19:47 . 2009-05-05 19:47 -------- d-----w c:\documents and settings\All Users\Application Data\ALM
2009-05-05 19:42 . 2009-05-05 19:42 -------- d-----w c:\program files\QuickTime
2009-05-05 19:42 . 2009-05-05 21:04 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-05-05 19:39 . 2007-02-20 15:04 190696 ----a-w c:\windows\system32\NPSWF32_FlashUtil.exe
2009-05-05 19:39 . 2007-02-20 15:04 2463976 ----a-w c:\windows\system32\NPSWF32.dll
2009-05-05 19:35 . 2009-05-05 19:35 -------- d-----w c:\program files\Bonjour
2009-05-05 19:33 . 2009-05-05 19:33 -------- d-----w c:\program files\Common Files\Macrovision Shared
2009-05-05 19:30 . 2009-05-05 19:50 -------- d-----w c:\program files\Common Files\Adobe
2009-05-05 19:25 . 2009-05-05 19:25 -------- d-s---w c:\windows\system32\Microsoft
2009-05-05 19:21 . 2009-05-05 19:21 -------- d-----w c:\windows\ServicePackFiles
2009-05-05 19:20 . 2004-08-03 23:56 2897920 ------w c:\windows\system32\xpsp2res.dll
2009-05-05 19:20 . 2004-03-17 13:36 15872 ----a-w c:\windows\system32\spupdsvc.exe
2009-05-05 19:19 . 2009-05-05 19:19 -------- d-----w c:\windows\EHome
2009-05-05 19:10 . 2009-05-05 19:10 90624 ----a-w c:\windows\system32\gsmkx.exe
2009-05-05 19:10 . 2009-05-05 19:10 90624 ----a-w c:\windows\system32\hrnxnbc.exe
2009-05-05 19:03 . 2009-05-05 19:03 90624 ----a-w c:\windows\system32\xugy.exe
2009-05-05 19:03 . 2009-05-05 19:03 90624 ----a-w c:\windows\system32\yvkahg.exe
2009-05-05 19:02 . 2009-05-05 19:02 20961 ---h--w c:\windows\system32\config\systemprofile\.exe
2009-05-05 18:59 . 2009-05-05 20:24 70088 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-05 18:59 . 2009-05-05 18:59 -------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2009-05-05 18:58 . 2009-05-05 18:58 119 ----a-w c:\windows\system32\fmhbzr.bat
2009-05-05 18:58 . 2009-05-05 18:58 125 ----a-w c:\windows\system32\aoxvah.bat
2009-05-05 18:55 . 2009-05-05 18:55 482816 ----a-w c:\windows\system32\fbwmqp.exe
2009-05-05 18:54 . 2009-05-05 18:54 90624 ----a-w c:\windows\system32\wueqf.exe
2009-05-05 18:54 . 2009-05-05 18:54 140338 ---ha-w c:\windows\system32\wahid.exe
2009-05-05 18:54 . 2009-05-05 18:54 90624 ----a-w c:\windows\system32\pjrjurl.exe
2009-05-05 18:51 . 2009-05-05 18:51 21428 ---ha-w c:\windows\system32\bpxk.exe
2009-05-05 18:51 . 2009-05-05 18:51 -------- d-----w c:\windows\ASUSInstAll
2009-05-05 18:51 . 2009-05-05 18:51 118784 ---ha-w c:\windows\system32\ervb.exe
2009-05-05 18:50 . 2009-05-05 18:50 90624 ----a-w c:\windows\system32\byfckoex.exe
2009-05-05 18:49 . 2009-05-05 18:49 90624 ----a-w c:\windows\system32\klfperg.exe
2009-05-05 18:44 . 2009-05-05 22:33 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-05 18:44 . 2009-05-05 22:05 -------- d-----w c:\program files\profile
2009-05-05 18:44 . 2009-05-05 18:44 -------- d-----w c:\program files\log
2009-05-05 18:42 . 2004-08-13 02:56 5810 ----a-r c:\windows\system32\drivers\ASACPI.sys
2009-05-05 18:42 . 2007-08-01 03:39 12536 ----a-w c:\windows\system32\drivers\ASUSHWIO.SYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-05 22:01 . 2009-05-05 22:01 -------- d-----w c:\program files\Analog Devices
2009-05-05 19:23 . 2009-05-04 21:59 86327 ----a-w c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2009-05-04 21:59 . 2009-05-04 21:59 -------- d-----w c:\program files\microsoft frontpage
2009-05-04 21:59 . 2001-08-23 12:00 67 --sha-w c:\windows\Fonts\desktop.ini
2009-05-04 21:57 . 2009-05-04 21:57 21640 ----a-w c:\windows\system32\emptyregdb.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-03 1667584]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2008-03-19 13508608]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2008-03-19 86016]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 624248]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-10-08 1036288]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-03-19 1630208]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\fbwmqp.exe"=
"c:\\WINDOWS\\system32\\userinit.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53:UDP"= 53:UDP:Promo

S2 acpi32;acpi32;c:\windows\system32\drivers\acpi32.sys [5/5/2009 8:22 PM 30464]
.
Contents of the 'Scheduled Tasks' folder

2009-05-05 c:\windows\Tasks\At1.job
- e:\\Look2Me-Destroyer.exe [2009-05-05 21:10]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Administrator - c:\documents and settings\Administrator\Administrator.exe
HKCU-Run-32NFG94-H61-2SF-N1P-5M1ERH6L6 - c:\recycler\S-1-5-21-2750324537-1025774636-323076975-5876\winIgn.exe
HKCU-Run-12CFG515-K641-55SF-N66P - c:\recycler\S-1-5-21-0243636035-3055115376-381863306-1556\pqlmq.exe
HKCU-Run-12CFG515-K641-55SF-N55P - c:\recycler\S-1-5-21-0243336035-3055115375-381863305-1553\vslmq.exe
HKLM-Run-Client Server Runtime Process - c:\windows\system32\csrs.exe
HKLM-Run-Spooler SubSystem App - c:\windows\system32\spooIsv.exe
Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-06 09:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\ADMINI~1\LOCALS~1\Temp\Perflib_Perfdata_2d4c.dat 16384 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2009-05-06 9:11
ComboFix-quarantined-files.txt 2009-05-06 08:11

Pre-Run: 237,140,561,920 bytes free
Post-Run: 237,171,515,392 bytes free

155

This is the malware report:
Malwarebytes' Anti-Malware 1.36
Database version: 2081
Windows 5.1.2600 Service Pack 2

5/6/2009 9:27:13 AM
mbam-log-2009-05-06 (09-27-11).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|)
Objects scanned: 181927
Time elapsed: 11 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\acpi32 (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\acpi32 (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\acpi32 (Rootkit.Agent) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{5A6EB91A-229B-4F86-8B0E-3AF8D2C843AF}\RP14\A0011714.exe (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{5A6EB91A-229B-4F86-8B0E-3AF8D2C843AF}\RP14\A0011800.exe (Trojan.Backdoor) -> No action taken.
C:\System Volume Information\_restore{5A6EB91A-229B-4F86-8B0E-3AF8D2C843AF}\RP9\A0008694.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\ervb.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\wahid.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\drivers\acpi32.sys (Rootkit.Agent) -> No action taken.
C:\WINDOWS\Temp\BN2.tmp (Trojan.Agent) -> No action taken.

This is the HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:28:04 AM, on 5/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 5631 bytes



As you can see, the malware scan picked up errors in system32. I have not removed any of the files it found to be infected. Should they be removed? The PC seems to be running OK, apart from time to time it will cut off and a blue screen will appear with an error, but it only appears momentarily so I do not have time to read it.
 
Yes, please run Malwarebytes again and remove all items that it finds, but this time check for updates; you are not using the latest definitions. According to your ComboFix log you are still infected. Please rerun Malwarebytes first, then do ComboFix again and then finally rerun HijackThis and post all 3 logs in that order.
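The replies above say the logs show the machine is still infected but do not spell out what in a HijackThis log points that way. As an added example (not code from this thread, from HijackThis, ComboFix or Malwarebytes), the following Python script applies two indicators of the kind a log reader looks for in the "Running processes" list and the O4 Run-key entries: an auto-started executable that lives under a RECYCLER or Temp directory, and a file name that imitates a genuine Windows system binary, either by a one-character edit (csrs.exe against csrss.exe) or by a capital I standing in for a lowercase l (spooIsv.exe against spoolsv.exe). The list of system binaries, the directory list and the edit-distance thresholds are this example's own assumptions; the sample lines are copied from the first HijackThis log in the thread.

```python
"""Heuristic triage of HijackThis 'Running processes' and O4 (Run key) lines.

Indicators (this example's assumptions, not rules stated in the thread):
  1. the executable lives under a RECYCLER or Temp directory;
  2. its file name imitates a genuine system binary by a small edit or by
     a capital I used in place of a lowercase l.
"""
import re
from typing import List, Optional, Tuple

# Genuine Windows XP system executables that malware commonly imitates (assumed list).
SYSTEM_NAMES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe",
}

# Directories from which an auto-started executable is hard to justify.
SUSPICIOUS_DIRS = ("\\recycler\\", "\\temp\\")

_O4_RE = re.compile(r"^O4 - .*?\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
_EXE_RE = re.compile(r'"?(?P<path>[^"]*?\.exe)', re.IGNORECASE)


def _levenshtein(a: str, b: str) -> int:
    """Plain edit distance; names are short, so the full table is cheap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_path(line: str) -> Optional[str]:
    """Return the executable referenced by a process line or an O4 entry, or None."""
    m = _O4_RE.match(line)
    text = m.group("cmd") if m else line
    e = _EXE_RE.search(text)
    return e.group("path") if e else None


def lookalike_of(basename: str) -> Optional[str]:
    """Return the system binary this name imitates, or None if genuine or unrelated."""
    name = basename.lower()
    if name in SYSTEM_NAMES:
        return None                       # the real name (in name at least)
    folded = basename.replace("I", "l").lower()
    if folded in SYSTEM_NAMES:
        return folded                     # homoglyph: capital I in place of l
    stem = name.rsplit(".", 1)[0]
    if len(stem) < 4:
        return None                       # too short for a distance check to mean much
    for sys_name in sorted(SYSTEM_NAMES):
        sys_stem = sys_name.rsplit(".", 1)[0]
        d = _levenshtein(stem, sys_stem)
        # One edit always counts; two edits only at equal length (ssms vs smss),
        # so that unrelated short names such as msmsgs are not dragged in.
        if d <= 1 or (d == 2 and len(stem) == len(sys_stem)):
            return sys_name
    return None


def triage(lines) -> List[Tuple[str, List[str]]]:
    """Return [(line, [reasons])] for every line that trips at least one indicator."""
    findings = []
    for line in lines:
        if not (line.startswith("O4 - ") or re.match(r"^[A-Za-z]:\\", line)):
            continue
        path = extract_path(line)
        if path is None:
            continue
        reasons = []
        if any(d in path.lower() for d in SUSPICIOUS_DIRS):
            reasons.append("runs from a RECYCLER or Temp directory")
        target = lookalike_of(path.rsplit("\\", 1)[-1])   # keep case for the I/l check
        if target:
            reasons.append(f"name imitates system binary {target}")
        if reasons:
            findings.append((line, reasons))
    return findings


# Constructed sample: lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\csrs.exe
C:\WINDOWS\system32\logon.exe
C:\WINDOWS\system32\spooIsv.exe
C:\WINDOWS\system32\fbwmqp.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\158.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Client Server Runtime Process] C:\WINDOWS\system32\csrs.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [32NFG94-H61-2SF-N1P-5M1ERH6L6] C:\RECYCLER\S-1-5-21-2750324537-1025774636-323076975-5876\winIgn.exe
""".strip().splitlines()

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(f"{line}\n    -> {'; '.join(reasons)}")
```

On those sample lines the script flags csrs.exe (twice), spooIsv.exe, the Temp\158.exe process and the RECYCLER Run entry, all of which also appear among the deletions and orphans in the ComboFix log, while the genuine smss.exe, spoolsv.exe, NvCpl and Acrotray entries pass. It does not flag logon.exe or fbwmqp.exe at all, although ComboFix removed the former and Malwarebytes later reported the machine's random-named system32 executables: name- and path-based heuristics miss anything that does not imitate a known name or sit in a known-bad place, which is one reason the advice above to let HijackThis fix nothing on its own stands.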
 