help please... lol


nikkee
04-10-2008, 09:47 PM
I have been up since yesterday trying to get all the crap off my PC, and I do believe I got most of it off... lol, hopefully. :/ There is a process that runs on my PC called service.exe, and I googled it and it said it was a virus, so I have been trying to get it off... I delete it and it comes back. :| Anyways, I ran a HijackThis scan and thought I would post it here to see if I can get some help with this matter... it would be so greatly appreciated. :)

Thanks in advance. :)

Also, there is another process that will run called payjobs.exe that eats up the CPU, and I can't find any info on that one at all. :/ It does not seem to appear in here unless I am missing it, but I am really curious as to what it is for.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:51:45 PM, on 4/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\TPSrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Lexmark 2500 Series\lxddamon.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\service.exe
C:\Program Files\GhostSurf Platinum\Privacy Auditor.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
C:\Program Files\GhostSurf Platinum\Protector.exe
C:\Program Files\GhostSurf Platinum\Scheduler daemon.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
C:\WINDOWS\system32\service.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\AVENGINE.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
c:\program files\panda security\panda internet security 2008\firewall\PSHOST.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\SRVLOAD.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\WebProxy.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PavBckPT.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\GhostSurf Platinum\SCActiveBlock.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [lxddmon.exe] "C:\Program Files\Lexmark 2500 Series\lxddmon.exe"
O4 - HKLM\..\Run: [lxddamon] "C:\Program Files\Lexmark 2500 Series\lxddamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Security\Panda Internet Security 2008\Inicio.exe"
O4 - HKLM\..\Run: [GhostSurf Reminder] "C:\Program Files\GhostSurf Platinum\Privacy Control Center.exe" reminder
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [Windows Update] service.exe
O4 - HKLM\..\RunServices: [Windows Update] service.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Update] service.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf Platinum\Scheduler daemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Privacy Auditor.lnk = C:\Program Files\GhostSurf Platinum\Privacy Auditor.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\GhostSurf Platinum\Protector.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205005064656
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205005963968
O17 - HKLM\System\CCS\Services\Tcpip\..\{E13D400A-066E-4C3E-9879-CF940DDD6455}: NameServer = 4.2.2.1,4.2.2.2
O20 - AppInit_DLLs: secuload.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda security\panda internet security 2008\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\TPSrv.exe

--
End of file - 7638 bytes

classicsoftware
04-11-2008, 12:24 AM
Welcome to the pcguide.com forums.

Please read the instructions here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) and post back with a ComboFix log and a new HJT log.

nikkee
04-11-2008, 05:38 AM
Okay, well, I did what you said. The first time through ComboFix it did not go off; I waited hours and finally took it down manually. :/ This is what I got when I ran it again. It says it deleted the service.exe file, but actually it quarantined it.

2007-06-13 06:23 806912 --a- C:\Qoobox\Quarantine\C\WINDOWS\system32\service.exe.vir
2008-04-11 03:59 39 --a-- C:\Qoobox\Quarantine\catchme.log



ComboFix 08-04-10.7 - Owner 2008-04-11 3:56:38.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.393 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe


( Other Deletions )

-- Previous Run --

C:\WINDOWS\system32\service.exe

( Files Created from 2008-03-11 to 2008-04-11 )


2008-04-10 23:01 . 2008-04-10 23:01 17,144 --a-- C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-04-10 20:50 . 2008-04-11 03:31 <DIR> d-- C:\WINDOWS\system32\hdined32.nls.{00021401-0000-0000-C000-000000000046}
2008-04-10 20:48 . 2008-04-10 20:48 244 --ah- C:\sqmnoopt06.sqm
2008-04-10 20:48 . 2008-04-10 20:48 244 --ah- C:\sqmnoopt05.sqm
2008-04-10 20:48 . 2008-04-10 20:48 232 --ah- C:\sqmdata06.sqm
2008-04-10 20:48 . 2008-04-10 20:48 232 --ah- C:\sqmdata05.sqm
2008-04-10 19:51 . 2008-04-10 19:51 <DIR> d- C:\Program Files\Trend Micro
2008-04-10 19:50 . 2008-04-10 21:10 <DIR> d- C:\Program Files\burnatonce
2008-04-10 09:53 . 2008-04-10 09:53 24,576 --a- C:\WINDOWS\system32\VundoFixSVC.exe
2008-04-10 09:33 . 2008-04-10 09:53 <DIR> d-- C:\VundoFix Backups
2008-04-09 16:56 . 2008-04-09 16:56 376 --a-- C:\WINDOWS\ODBC.INI
2008-04-09 16:54 . 2008-04-09 16:54 <DIR> d--- C:\Program Files\Microsoft ActiveSync
2008-04-09 16:52 . 2008-04-09 16:54 <DIR> d--- C:\WINDOWS\ShellNew
2008-04-08 22:38 . 2008-04-08 22:38 244 --ah- C:\sqmnoopt04.sqm
2008-04-08 22:38 . 2008-04-08 22:38 232 --ah-- C:\sqmdata04.sqm
2008-04-08 22:37 . 2008-04-08 22:37 244 --ah- C:\sqmnoopt03.sqm
2008-04-08 22:37 . 2008-04-08 22:37 232 --ah-- C:\sqmdata03.sqm
2008-04-08 22:28 . 2008-04-08 22:28 244 --ah-- C:\sqmnoopt02.sqm
2008-04-08 22:28 . 2008-04-08 22:28 232 --ah-- C:\sqmdata02.sqm
2008-04-08 22:27 . 2008-04-08 22:27 244 --ah-- C:\sqmnoopt01.sqm
2008-04-08 22:27 . 2008-04-08 22:27 232 --ah-- C:\sqmdata01.sqm
2008-04-07 22:09 . 2008-04-07 22:09 <DIR> d--- C:\Program Files\Xilisoft
2008-04-06 15:46 . 2008-04-06 15:46 244 --ah--- C:\sqmnoopt00.sqm
2008-04-06 15:46 . 2008-04-06 15:46 232 --ah--- C:\sqmdata00.sqm
2008-04-05 13:07 . 2008-04-10 09:57 <DIR> d-a--- C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-05 13:07 . 2007-09-02 17:56 77,312 --a--- C:\WINDOWS\system\Keygen.exe
2008-04-04 19:28 . 2008-04-04 19:28 <DIR> d--- C:\Documents and Settings\Owner\Application Data\Broderbund
2008-04-04 19:28 . 2008-04-04 19:28 <DIR> d--- C:\Documents and Settings\All Users\Application Data\Broderbund
2008-04-04 19:25 . 2008-04-04 19:25 <DIR> d--- C:\Program Files\Broderbund
2008-04-03 17:25 . 2008-04-03 17:25 13,668 --a-- C:\WINDOWS\system32\wpa.bak
2008-04-01 11:17 . 2008-04-01 11:17 <DIR> d-- C:\Program Files\IrfanView
2008-04-01 09:00 . 2008-04-07 20:18 <DIR> d-- C:\Program Files\My Journal
2008-03-29 22:22 . 2008-03-29 22:22 <DIR> d-- C:\Program Files\Lavasoft
2008-03-29 22:22 . 2008-03-29 22:23 <DIR> d--- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-29 22:20 . 2008-03-29 22:20 <DIR> d--- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-29 12:37 . 2008-03-29 12:37 <DIR> d--- C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-03-27 21:08 . 2008-03-27 21:08 <DIR> d---- C:\Program Files\Clock
2008-03-27 11:42 . 2008-03-27 11:42 <DIR> d--- C:\Program Files\Stardock
2008-03-27 11:42 . 2008-03-27 11:42 <DIR> d-- C:\Program Files\Common Files\Stardock
2008-03-27 11:42 . 2008-03-27 11:44 163,712 --a-- C:\WINDOWS\system32\drivers\vidstub.sys
2008-03-27 11:36 . 2008-03-27 11:38 <DIR> d--- C:\Program Files\XL Delete
2008-03-27 11:36 . 2008-03-27 11:36 <DIR> d--h--- C:\Documents and Settings\All Users\Application Data\{94FB5242-4A3E-4443-BB8D-C9E397CC6528}
2008-03-27 11:00 . 2008-03-27 11:00 <DIR> d---- C:\Program Files\uTorrent
2008-03-27 11:00 . 2008-04-10 16:15 <DIR> d--- C:\Documents and Settings\Owner\Application Data\uTorrent
2008-03-27 10:28 . 2008-03-28 14:38 754 --a--- C:\WINDOWS\WORDPAD.INI
2008-03-27 09:48 . 2008-03-27 09:48 86 --a-- C:\WINDOWS\wininit.ini
2008-03-27 09:47 . 2008-03-27 09:48 <DIR> d--- C:\Program Files\12Ghosts
2008-03-17 17:33 . 2008-03-17 17:41 <DIR> d--- C:\Program Files\Common Files\Adobe
2008-03-16 19:47 . 2008-03-16 19:49 <DIR> d--- C:\Program Files\samegame
2008-03-14 15:23 . 2008-03-14 15:23 102 --a- C:\WINDOWS\system32\UserRequest_1205522608.tmp
2008-03-13 19:01 . 2008-04-11 02:38 13,880 --a-- C:\WINDOWS\system32\drivers\COMFiltr.sys
2008-03-13 03:43 . 2008-03-27 11:39 <DIR> d---- C:\Documents and Settings\All Users\Application Data\XL Delete
2008-03-11 01:51 . 2008-03-11 01:51 0 --a-- C:\WINDOWS\system32\drivers\wnmsav.dat


( Find3M Report )

2008-04-11 07:47 256,800 --a-w C:\WINDOWS\system32\drivers\APPFCONT.DAT.bck
2008-04-11 07:47 256,800 --a-w C:\WINDOWS\system32\drivers\APPFCONT.DAT
2008-04-11 07:47 1,224 --a-w C:\WINDOWS\system32\drivers\APPFLTR.CFG.bck
2008-04-11 07:47 1,224 --a-w C:\WINDOWS\system32\drivers\APPFLTR.CFG
2008-04-11 07:40 ---d-----w C:\Program Files\PeerGuardian2
2008-04-11 04:05 ----d-----w C:\Program Files\Lx_cats
2008-04-10 04:23 ----d-----w C:\Program Files\Common Files\LightScribe
2008-04-01 14:11--d-----w C:\Documents and Settings\Owner\Application Data\FaxCtr
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-11 00:38 --------- d-----w C:\Documents and Settings\Owner\Application Data\vlc
2008-03-11 00:36 --------- d-----w C:\Program Files\VideoLAN
2008-03-09 21:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\sentinel
2008-03-09 21:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-09 21:35 --------- d-----w C:\Program Files\Panda Security
2008-03-09 21:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Backup
2008-03-09 21:32 --------- d-----w C:\Program Files\Common Files\Panda Software
2008-03-09 08:30 --------- d-----w C:\Program Files\Realtek AC97
2008-03-09 08:27 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-09 08:26 --------- d-----w C:\Program Files\Realtek
2008-03-09 08:25 --------- d-----w C:\Documents and Settings\Owner\Application Data\InstallShield
2008-03-09 08:04 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
2008-03-09 07:11 --------- d-----w C:\Program Files\Intel
2008-03-09 07:09 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2008-03-09 01:07 --------- d-----w C:\Program Files\Driver-Soft
2008-03-08 23:29 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-08 23:29 --------- d-----w C:\Program Files\Windows Live
2008-03-08 23:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-08 19:34 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lexmark Productivity Studio
2008-03-08 19:32 --------- d-----w C:\Program Files\Lexmark Fax Solutions
2008-03-08 19:32 --------- d-----w C:\Program Files\Lexmark 2500 Series
2008-03-08 19:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\FaxCtr
2008-03-08 19:23 --------- d-----w C:\Program Files\Lexmark Toolbar
2008-03-08 18:23 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-01 01:45 53,248 ----a-w C:\WINDOWS\system32\CSVer.dll

nikkee
04-11-2008, 05:39 AM
Sorry, had to split the file because it was too long. :/

(Reg Loading Points )

*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 22:40 1421824]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lxddmon.exe"="C:\Program Files\Lexmark 2500 Series\lxddmon.exe" [2007-06-11 15:27 291760]
"lxddamon"="C:\Program Files\Lexmark 2500 Series\lxddamon.exe" [2007-04-30 04:19 20480]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2007-06-11 15:28 312240]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 17:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 15:52 849280]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-21 16:48 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-21 16:44 126976]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe]
"APVXDWIN"="C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.exe" [2007-11-23 14:33 406832]
"SCANINICIO"="C:\Program Files\Panda Security\Panda Internet Security 2008\Inicio.exe" [2007-07-11 14:17 27952]
"BootSkin Startup Jobs"="C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" [2004-04-26 16:21 270336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Update"="service.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2007-02-15 19:02 50736 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=secuload.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\lxddcoms.exe"=
"C:\\Program Files\\Lexmark 2500 Series\\lxddamon.exe"=
"C:\\Program Files\\Lexmark 2500 Series\\App4R.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Lexmark 2500 Series\\lxddmon.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddpswx.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddjswx.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddtime.exe"=

R1 APPFLT;App Filter Plugin;C:\WINDOWS\system32\Drivers\APPFLT.SYS [2007-09-28 13:05]
R1 DSAFLT;DSA Filter Plugin;C:\WINDOWS\system32\Drivers\DSAFLT.SYS [2007-05-11 08:33]
R1 FNETMON;NetMon Filter Plugin;C:\WINDOWS\system32\Drivers\fnetmon.SYS [2007-11-14 17:48]
R1 IDSFLT;Ids Filter Plugin;C:\WINDOWS\system32\Drivers\IDSFLT.SYS [2007-07-11 10:39]
R1 NETFLTDI;Panda Net Driver [TDI Layer];C:\WINDOWS\system32\Drivers\NETFLTDI.SYS [2007-10-25 08:50]
R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys [2007-05-23 15:40]
R1 SMSFLT;SMS Filter Plugin;C:\WINDOWS\system32\Drivers\SMSFLT.SYS [2007-05-11 08:33]
R1 WNMFLT;Wifi Monitor Filter Plugin;C:\WINDOWS\system32\Drivers\WNMFLT.SYS [2007-05-11 08:33]
R2 cpoint;Panda CPoint Driver;C:\WINDOWS\system32\Drivers\cpoint.sys [2007-06-08 07:44]
R2 lxdd_device;lxdd_device;C:\WINDOWS\system32\lxddcoms.exe [2007-05-25 05:41]
R2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys [2007-07-12 13:49]
R3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys []
R3 NETIMFLT01050097;PANDA NDIS IM Filter Miniport v1.5.0.97;C:\WINDOWS\system32\DRIVERS\netimflt.sys [2007-11-19 13:01]
R3 PavSRK.sys;PavSRK.sys;C:\WINDOWS\system32\PavSRK.sys []
R3 PavTPK.sys;PavTPK.sys;C:\WINDOWS\system32\PavTPK.sys []
S2 lxddCATSCustConnectService;lxddCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2007-05-25 05:41]

*Newly Created Service* - COMFILTR
.
Contents of the 'Scheduled Tasks' folder
"2008-04-11 07:32:59 C:\WINDOWS\Tasks\At1.job"
- C:\Program Files\Panda Security\Panda Internet Security 2008\PAVJOBS.EXEn/PROGRAMADA PAV5.tsk PAV_FOG.OPC
.
**********************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-11 03:59:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**********************************************************
.
Completion time: 2008-04-11 4:00:25
ComboFix-quarantined-files.txt 2008-04-11 08:00:15
Pre-Run: 43,579,342,848 bytes free
Post-Run: 43,609,460,736 bytes free
.
2008-04-09 23:09:57 --- E O F ---

nikkee
04-11-2008, 05:41 AM
And finally, here is my HJT log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:05:11 AM, on 4/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\TPSrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\AVENGINE.EXE
c:\program files\panda security\panda internet security 2008\firewall\PSHOST.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lexmark 2500 Series\lxddamon.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PavBckPT.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\GhostSurf Platinum\SCActiveBlock.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [lxddmon.exe] "C:\Program Files\Lexmark 2500 Series\lxddmon.exe"
O4 - HKLM\..\Run: [lxddamon] "C:\Program Files\Lexmark 2500 Series\lxddamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Security\Panda Internet Security 2008\Inicio.exe"
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\RunServices: [Windows Update] service.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205005064656
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205005963968
O17 - HKLM\System\CCS\Services\Tcpip\..\{E13D400A-066E-4C3E-9879-CF940DDD6455}: NameServer = 4.2.2.1,4.2.2.2
O20 - AppInit_DLLs: secuload.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda security\panda internet security 2008\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\TPSrv.exe

--
End of file - 6680 bytes

Now I must sleep... lol, I have been at this entirely too long. :eek:

Thank you again for your help...

classicsoftware
04-15-2008, 10:33 PM
Open HijackThis and place a check next to:

O4 - HKLM\..\RunServices: [Windows Update] service.exe

Close all program and browser windows and click Fix checked.

Reboot, post a fresh log and let me know how the system is running.
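The triage classicsoftware does by eye, written out as an added example (not code from this thread, from HijackThis or from ComboFix): a Python script that parses the registry O4 lines of a HijackThis log, scores each autorun on the cues visible above (a bare filename with no path, the legacy RunServices key, a "Windows Update" name that does not run wuauclt.exe), and diffs two logs so a fresh log can be checked against the previous one. The look-alike name list and the log excerpts are constructed from lines in this thread; the scores are leads to investigate, not verdicts.

```python
import re
from typing import Dict, List, Optional, Tuple

# Matches the registry-backed O4 lines HijackThis prints, e.g.
#   O4 - HKLM\..\Run: [Windows Update] service.exe
# Startup-folder O4 lines ("O4 - Global Startup: ...") have another layout and are skipped.
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)
EXE_RE = re.compile(r'(.*?\.(?:exe|com|scr|bat|cmd|pif))(?:\s|$)', re.IGNORECASE)

# Constructed for this example: autorun names that imitate Windows components, and
# the one binary that legitimately runs under a "Windows Update" name on XP.
LOOKALIKE_NAMES = {"windows update", "microsoft update", "windows security"}
LEGIT_UPDATE_EXES = {"wuauclt.exe"}


def parse_o4(line: str) -> Optional[Dict[str, str]]:
    """Split one registry O4 line into hive, key, display name and executable."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    cmd = entry["cmd"].strip()
    if cmd.startswith('"'):                       # "C:\path with spaces\x.exe" /s
        entry["exe"] = cmd[1:cmd.find('"', 1)]
    else:                                         # bare name or unquoted path
        em = EXE_RE.match(cmd)
        entry["exe"] = em.group(1) if em else cmd.split(" ")[0]
    return entry


def flag_entry(entry: Dict[str, str]) -> List[str]:
    """Reasons an autorun deserves a closer look. These are leads, not verdicts:
    SOUNDMAN.EXE in this thread is unqualified yet legitimate (Realtek audio)."""
    reasons = []
    exe = entry["exe"]
    basename = exe.rsplit("\\", 1)[-1].lower()
    if "\\" not in exe:
        reasons.append("unqualified path: resolved by a PATH search at logon")
    if entry["key"].lower() == "runservices":
        reasons.append("RunServices: legacy Win9x key, rarely used by legitimate XP software")
    if entry["name"].strip().lower() in LOOKALIKE_NAMES and basename not in LEGIT_UPDATE_EXES:
        reasons.append(f"name '{entry['name']}' imitates a Windows component but runs {basename}")
    return reasons


def triage(log_text: str) -> List[Tuple[int, str, List[str]]]:
    """(score, line, reasons) for every flagged O4 entry, highest score first."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        reasons = flag_entry(entry) if entry else []
        if reasons:
            hits.append((len(reasons), line.strip(), reasons))
    return sorted(hits, key=lambda h: (-h[0], h[1]))


def _key(entry: Dict[str, str]) -> Tuple[str, str, str, str]:
    return (entry["hive"], entry["key"], entry["name"], entry["exe"].lower())


def diff_autoruns(before: str, after: str) -> Tuple[List[Tuple], List[Tuple]]:
    """O4 entries that vanished and that appeared between two logs: the check a
    helper makes when asking for a fresh log after a fix."""
    b = {_key(e) for e in map(parse_o4, before.splitlines()) if e}
    a = {_key(e) for e in map(parse_o4, after.splitlines()) if e}
    return sorted(b - a), sorted(a - b)


# Constructed excerpts (O4 lines only) of the three HijackThis logs in this thread.
LOG_INITIAL = r"""
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Windows Update] service.exe
O4 - HKLM\..\RunServices: [Windows Update] service.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [Windows Update] service.exe
"""
LOG_AFTER_COMBOFIX = r"""
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\RunServices: [Windows Update] service.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
"""
LOG_FINAL = r"""
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
"""

if __name__ == "__main__":
    for score, line, reasons in triage(LOG_INITIAL):
        print(f"[{score}] {line}\n    " + "\n    ".join(reasons))
    print("ComboFix removed:", diff_autoruns(LOG_INITIAL, LOG_AFTER_COMBOFIX)[0])
    print("HJT fix removed:", diff_autoruns(LOG_AFTER_COMBOFIX, LOG_FINAL)[0])
```

Run against the first log, the RunServices entry scores highest (three cues), the two Run entries score two each, and SOUNDMAN.EXE scores one, which is exactly why a score alone is not a verdict.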

nikkee
04-15-2008, 11:29 PM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:11:19 PM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\TPSrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\AVENGINE.EXE
c:\program files\panda security\panda internet security 2008\firewall\PSHOST.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark 2500 Series\lxddamon.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\SRVLOAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\WebProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\avciman.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\psimreal.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PavBckPT.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\GhostSurf Platinum\SCActiveBlock.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [lxddmon.exe] "C:\Program Files\Lexmark 2500 Series\lxddmon.exe"
O4 - HKLM\..\Run: [lxddamon] "C:\Program Files\Lexmark 2500 Series\lxddamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Security\Panda Internet Security 2008\Inicio.exe"
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205005064656
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205005963968
O17 - HKLM\System\CCS\Services\Tcpip\..\{E13D400A-066E-4C3E-9879-CF940DDD6455}: NameServer = 4.2.2.1,4.2.2.2
O20 - AppInit_DLLs: secuload.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda security\panda internet security 2008\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\TPSrv.exe

--
End of file - 7067 bytes

nikkee
04-15-2008, 11:36 PM
There is the new log...

I also ran Dr. Web earlier today and these came up on there, and I was wondering if I could delete these without a problem? Just a little concerned because it has to do with System Restore. My PC in general seems to be running alright, although when I run a program, like I am running Dr. Web right now, it makes the CPU shoot up to 100%.

A0007701.bat;C:\System Volume Information\_restore{85150D78-7064-47CC-B529-04E406683F1B}\RP70;Probably BATCH.Virus;;
A0007707.bat;C:\System Volume Information\_restore{85150D78-7064-47CC-B529-04E406683F1B}\RP70;Probably SCRIPT.Virus;;
A0008783.bat;C:\System Volume Information\_restore{85150D78-7064-47CC-B529-04E406683F1B}\RP70;Probably BATCH.Virus;;
A0008790.bat;C:\System Volume Information\_restore{85150D78-7064-47CC-B529-04E406683F1B}\RP70;Probably SCRIPT.Virus;;
A0008822.EXE;C:\System Volume Information\_restore{85150D78-7064-47CC-B529-04E406683F1B}\RP70;Program.PsExec.170;;
A0008831.bat;C:\System Volume Information\_restore{85150D78-7064-47CC-B529-04E406683F1B}\RP70;Probably BATCH.Virus;;
A0008837.bat;C:\System Volume Information\_restore{85150D78-7064-47CC-B529-04E406683F1B}\RP70;Probably SCRIPT.Virus;;
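
The Dr. Web lines above are semicolon-separated (filename;directory;detection;;), and every one of them sits inside a System Restore point directory (`_restore{GUID}\RP70`), which is why purging System Restore removes them. The following script is an added example, not code from the thread or from Dr. Web: it parses report lines in that format and separates hits archived in restore points from hits on live paths; the single live-path line in the sample is constructed for contrast.

```python
"""Triage Dr. Web report lines: archived in System Restore vs. live paths.

Added example, not part of the original thread. Dr. Web's text report has one
hit per line, fields separated by ';':  filename;directory;detection;;
"""
import re

# Restore-point directory: <drive>:\System Volume Information\_restore{GUID}\RP<n>
RESTORE_RE = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]{36}\}\\RP(\d+)",
    re.IGNORECASE,
)


def parse_line(line):
    """Split one report line into its fields; None if it is not a hit line."""
    parts = line.strip().split(";")
    if len(parts) < 3 or not parts[0] or not parts[1]:
        return None
    m = RESTORE_RE.match(parts[1])
    return {
        "file": parts[0],
        "dir": parts[1],
        "detection": parts[2],
        # Restore point number when the file is an archived copy, else None
        "restore_point": int(m.group(1)) if m else None,
    }


def triage(report_lines):
    """Return (archived, live): hits inside System Restore vs. live-path hits."""
    archived, live = [], []
    for line in report_lines:
        hit = parse_line(line)
        if hit is not None:
            (archived if hit["restore_point"] is not None else live).append(hit)
    return archived, live


# Sample report: two lines quoted from the thread plus one constructed
# live-path hit (file name, path and detection label are made up).
SAMPLE = """
A0007701.bat;C:\\System Volume Information\\_restore{85150D78-7064-47CC-B529-04E406683F1B}\\RP70;Probably BATCH.Virus;;
A0008822.EXE;C:\\System Volume Information\\_restore{85150D78-7064-47CC-B529-04E406683F1B}\\RP70;Program.PsExec.170;;
example-live.exe;C:\\WINDOWS\\system32;Example.Detection;;
""".strip().splitlines()

if __name__ == "__main__":
    archived, live = triage(SAMPLE)
    print(f"{len(archived)} hit(s) archived in System Restore, {len(live)} live")
    for hit in live:
        print("still live:", hit["dir"] + "\\" + hit["file"], "-", hit["detection"])
```

Hits in the "archived" list disappear once System Restore is cleared; anything in the "live" list still needs to be dealt with on disk.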

classicsoftware
04-16-2008, 12:10 AM
Clear out your system restore and create a new restore point.

nikkee
04-16-2008, 12:35 AM
OK, I did that. :)

classicsoftware
04-16-2008, 01:15 AM
Run Combofix again, Dr. Web again, reboot and give me an HJT log.

nikkee
04-16-2008, 01:18 AM
Quick question. Do I delete the files in Dr. Web?

classicsoftware
04-16-2008, 01:24 AM
It depends; if they are in System Restore, they should be gone.

nikkee
04-16-2008, 01:27 AM
Yeah, that is what I was thinking but was not sure. I will do the other and be back. Thanks.

nikkee
04-16-2008, 01:55 AM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:52:55 AM, on 4/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\TPSrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\AVENGINE.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
c:\program files\panda security\panda internet security 2008\firewall\PSHOST.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lexmark 2500 Series\lxddamon.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\avciman.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\psimreal.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\SRVLOAD.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\WebProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PavBckPT.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\GhostSurf Platinum\SCActiveBlock.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [lxddmon.exe] "C:\Program Files\Lexmark 2500 Series\lxddmon.exe"
O4 - HKLM\..\Run: [lxddamon] "C:\Program Files\Lexmark 2500 Series\lxddamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Security\Panda Internet Security 2008\Inicio.exe"
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205005064656
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205005963968
O17 - HKLM\System\CCS\Services\Tcpip\..\{E13D400A-066E-4C3E-9879-CF940DDD6455}: NameServer = 4.2.2.1,4.2.2.2
O20 - AppInit_DLLs: secuload.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda security\panda internet security 2008\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\PsImSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Security\Panda Internet Security 2008\TPSrv.exe

--
End of file - 7067 bytes