View Full Version : Help Needed. winh32.exe-also
azztro
05-01-2008, 12:48 AM
i also have the same problem when i enter www.ultimate-guitar.com, i have no problem accessing it with firefox but when i used iexplorer things went bad, this all sort of viruses pop up and messes my pc, i have an Avast 4.8 HE antivirus and detects the viruses, so i immediately scanned my pc and found several viruses but i dont know if it really removed the virus coz my pc got awfully slow and my task manager was disabled. and i got this system error message that keeps popping up, my desktop wallpaper went blank i only see icons and i cant put my own wallpaper... i run gpedit.msc so i can enable my taskmanager and i stop the process of things that i know suppose not to run.. and every time i click my computer theres a message that says "c:\windows\explorer.exe" and then a website will pop up, i already download the necessary tools needed(i think) to remove the viruses which i think still is in my system, i have HJT, vundofix, virtumundobegone, combofix... and heres my log of HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:52 AM, on 5/1/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspn et_admin.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\JetAudio\JetAudio.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn5\yt.dll
O1 - Hosts: 124.217.252.77 www.bravesentry.com
O1 - Hosts: 124.217.252.77 bravesentry.com
O1 - Hosts: 124.217.252.78 secure.isoftpay.com
O1 - Hosts: 124.217.252.77 www.bravesentry.com
O1 - Hosts: 124.217.252.77 bravesentry.com
O1 - Hosts: 124.217.252.78 secure.isoftpay.com
O1 - Hosts: 124.217.252.77 www.bravesentry.com
O1 - Hosts: 124.217.252.77 bravesentry.com
O1 - Hosts: 124.217.252.78 secure.isoftpay.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn5\yt.dll
O2 - BHO: (no name) - {2808C1CE-498B-4C8D-ADAF-7581D1078ED5} - C:\WINDOWS\System32\admpars.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn5\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Caffe-Server] c:\program files\Caffe\Server.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [lr1] C:\WINDOWS\system32\ll1.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [sysemls] C:\WINDOWS\System32\1.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [lr1] C:\WINDOWS\system32\ll1.exe (User 'Default user')
O4 - Startup: jetAudio.lnk = C:\Program Files\JetAudio\JetAudio.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} - http://www.mariatv.it/SOPCORE.CAB
O16 - DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} (Quantum Streaming IE VersionManager Class) - http://qmedia.xlontech.net/100170/sdk/latest/qsp2ie06041001.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{496EA7BD-44B3-40A9-8117-8CC1FD02AD6F}: NameServer = 58.69.254.3,58.69.254.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4BF95B1-7198-423E-9D62-BAAC980CE8C1}: NameServer = 58.69.254.3,58.69.254.8
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\System32\DPWLEvHd.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: l1 - Unknown owner - C:\WINDOWS\system32\ll1.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 8343 bytes
i thought i can remove the virus on my own if i just follow what you said above so i wont be disturbing anyone, but i found out that its different from my log, so to play it safe i posted my problems here... please help me... and im already saying sorry if i disturb anyone..
PrntRhd
05-01-2008, 01:52 AM
I split this into its own thread, most infection removal is unique to your PC.
azztro
05-01-2008, 03:08 AM
ok thanks, sorry i didnt know that...
so please anyone help me
classicsoftware
05-04-2008, 08:42 PM
You are badly infected.
You will need to run Combofix next. Please read the instructions here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) and post back with:
The combofix log.
A new HJT Log.
A description of how the system is running.
azztro
05-08-2008, 12:35 PM
after i scanned my pc using combofix, my wallpaper just showed up... my pc run a little faster but not like what it used to be... these are the only things i noticed for now... anyway here are the logs for combo fix and hjt
ComboFix 08-05-01.3 - ASTRO 2008-05-09 0:18:33.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.696 [GMT 8:00]
Running from: C:\Documents and Settings\ASTRO\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ASTRO\Desktop\winxpsp1_en_pro_bf.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\ASTRO\Application Data\inst.exe
C:\Documents and Settings\ASTRO\Application Data\Install.dat
C:\WINDOWS\mrofinu27.exe
.
((((((((((((((((((((((((( Files Created from 2008-04-08 to 2008-05-08 )))))))))))))))))))))))))))))))
.
2008-05-09 00:15 . 2008-05-09 00:15 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.da t.LOG
2008-05-04 01:36 . 2008-05-04 16:15 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-04 01:36 . 2008-05-04 01:36 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-01 00:46 . 2008-05-01 00:46 <DIR> d-------- C:\VundoFix Backups
2008-05-01 00:43 . 2008-05-01 00:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-30 21:27 . 2008-04-30 21:27 <DIR> d-------- C:\Sierra
2008-04-30 12:06 . 2008-05-07 15:48 2,184 --a------ C:\WINDOWS\system32\wpa.dbl
2008-04-29 22:12 . 2008-04-29 22:12 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-19 20:45 . 1998-07-17 13:36 140,800 --a------ C:\WINDOWS\system32\tm20dec.ax
2008-04-19 20:39 . 2008-04-19 20:39 <DIR> d-------- C:\Program Files\Final Fantasy VII
2008-04-19 12:30 . 2008-04-19 12:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-03-26 04:14 --------- d-----w C:\Program Files\danny_kay1710
2008-03-25 08:03 2,829 ----a-w C:\WINDOWS\War3Unin.pif
2008-03-25 08:03 139,264 ----a-w C:\WINDOWS\War3Unin.exe
2008-03-15 12:36 --------- d-----w C:\Program Files\Power Tab Software
2008-02-09 11:25 47,360 ----a-w C:\Documents and Settings\ASTRO\Application Data\pcouffin.sys
2006-09-08 16:25 319 --sh--w C:\WINDOWS\system32\ll1.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0A94AFAA-21B6-4930-B900-4BC2FFDACF51}]
C:\WINDOWS\System32\admpars.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2808C1CE-498B-4C8D-ADAF-7581D1078ED5}]
C:\WINDOWS\System32\admpars.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5562D6A8-F793-4A37-9C6C-0C62BA8B7493}]
C:\WINDOWS\System32\admpars.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9B6C21D1-D6A5-47E9-A80E-A6C261D43863}]
C:\WINDOWS\System32\admpars.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"Caffe-Server"="c:\program files\Caffe\Server.exe" [2003-05-01 12:04 2587136]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 03:41 13312]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"DPAgnt"="C:\Program Files\DigitalPersona\Bin\DPAgnt.exe" [2004-10-13 18:24 913408]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run]
"lr1"="C:\WINDOWS\system32\ll1.exe" [2006-09-09 00:25 319]
"sysemls"="C:\WINDOWS\System32\1.exe" [ ]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 15:58 1744896]
C:\Documents and Settings\ASTRO\Start Menu\Programs\Startup\
jetAudio.lnk - C:\Program Files\JetAudio\JetAudio.exe [2007-06-16 12:05:55 2621508]
[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\policies\explorer]
"AutoUpdate"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DPWLN ]
C:\WINDOWS\System32\DPWLEvHd.dll 2004-10-13 18:29 102400 C:\WINDOWS\system32\DPWLEvHd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ImageFox.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ImageFox.lnk
backup=C:\WINDOWS\pss\ImageFox.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACD mPower Tools]
C:\Program Files\ACD Systems\mPower Tools\1.0\mPowerTools.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2004-06-10 21:10 339968 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-11-16 19:04 139264 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath]
--a------ 2004-02-24 16:00 49152 C:\WINDOWS\VM_STI.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Caffe-Client]
c:\program files\Caffe\Client.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Caffe-Server]
--a------ 2003-05-01 12:04 2587136 c:\program files\Caffe\Server.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2002-08-29 03:41 13312 C:\WINDOWS\System32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriveSystem]
C:\WINDOWS\System32\maxpaynowti1.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C67 Series]
--a------ 2005-01-25 12:00 98304 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIA AP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-15 13:11 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lr2]
C:\WINDOWS\system32\ll2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msconfig38]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2002-08-20 15:08 1511453 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msvcc25]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mysvcig38]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2007-03-23 13:20 227328 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-11-14 23:43 286720 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-12-08 17:35 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu27.exe
azztro
05-08-2008, 12:35 PM
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\secures23]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-09-13 13:31 22880040 C:\Program Files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]
--a------ 2003-05-05 08:57 143360 C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
--a------ 2005-01-06 14:04 1466368 C:\Program Files\Spyware Doctor\swdoctor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-04-13 03:48 36975 C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sysems]
C:\WINDOWS\system32\syslem.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sysms]
C:\Documents and Settings\ASTRO\1.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System]
C:\WINDOWS\System32\wind32.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-09-11 21:00 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tweak UI]
--a------ 2006-11-02 15:42 106544 C:\WINDOWS\system32\TWEAKUI.cpl
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\userinit]
C:\WINDOWS\System32\ntos.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vcdplayx]
--a------ 2002-03-18 16:31 57344 C:\WINDOWS\vcdplayx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualDrive]
--a------ 2002-04-02 19:34 204800 C:\Program Files\FarStone\VirtualDrive\VDTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
C:\Windows\xpupdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinDVR SchSvr]
--a------ 2003-06-09 12:23 151552 C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winystems25]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
R1 aswSP;avast! Self Protection;C:\WINDOWS\System32\drivers\aswSP.sys [2008-03-30 02:31]
R1 cdawdm;CDAWDM;C:\WINDOWS\System32\DRIVERS\CDAWDM.s ys [2002-01-24 15:25]
R2 aspnet_admin;ASP.NET Admin Service;C:\WINDOWS\Microsoft.NET\Framework\v2.0.40 607\aspnet_admin.exe [2004-07-07 23:02]
R3 dpK0Bx01;Fingerprint Reader Filter Driver;C:\WINDOWS\System32\DRIVERS\dpK0Bx01.sys [2004-08-04 16:58]
R3 UsbdpFP;Fingerprint Reader Class Driver;C:\WINDOWS\System32\DRIVERS\UsbdpFP.sys [2004-08-04 16:59]
S2 l1;l1;C:\WINDOWS\system32\ll1.exe [2006-09-09 00:25]
S3 SetupNTGLM7X;SetupNTGLM7X;G:\NTGLM7X.sys []
.
Contents of the 'Scheduled Tasks' folder
"2007-03-07 13:02:56 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
"2008-05-03 04:41:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
************************************************** ************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url]http://www.gmer.net[/url]
Rootkit scan 2008-05-09 00:22:02
Windows 5.1.2600 Service Pack 1 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************** ************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ATI2EVXX.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASWUPDSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\PROGRAM FILES\DIGITALPERSONA\BIN\DPWINLCT.EXE
C:\PROGRAM FILES\IVT CORPORATION\BLUESOLEIL\BTNTSERVICE.EXE
C:\PROGRAM FILES\DIGITALPERSONA\BIN\DPHOST.EXE
C:\PROGRAM FILES\COMMON FILES\LIGHTSCRIBE\LSSRVC.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\PROGRAM FILES\ANALOG DEVICES\SOUNDMAX\SMAGENT.EXE
C:\WINDOWS\SYSTEM32\WDFMGR.EXE
C:\PROGRAM FILES\DIGITALPERSONA\BIN\DPFUSMGR.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\WINDOWS\SYSTEM32\ATI2EVXX.EXE
.
************************************************** ************************
.
Completion time: 2008-05-09 0:23:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-08 16:23:42
Pre-Run: 1,224,065,024 bytes free
Post-Run: 1,549,123,584 bytes free
winxpsp1_en_pro_bf.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOW S
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
207
azztro
05-08-2008, 12:37 PM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24:52 AM, on 5/9/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspn et_admin.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn5\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn5\yt.dll
O2 - BHO: (no name) - {0A94AFAA-21B6-4930-B900-4BC2FFDACF51} - C:\WINDOWS\System32\admpars.dll (file missing)
O2 - BHO: (no name) - {2808C1CE-498B-4C8D-ADAF-7581D1078ED5} - C:\WINDOWS\System32\admpars.dll (file missing)
O2 - BHO: (no name) - {5562D6A8-F793-4A37-9C6C-0C62BA8B7493} - C:\WINDOWS\System32\admpars.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {9B6C21D1-D6A5-47E9-A80E-A6C261D43863} - C:\WINDOWS\System32\admpars.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn5\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKCU\..\Run: [Caffe-Server] c:\program files\Caffe\Server.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [lr1] C:\WINDOWS\system32\ll1.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [sysemls] C:\WINDOWS\System32\1.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [lr1] C:\WINDOWS\system32\ll1.exe (User 'Default user')
O4 - Startup: jetAudio.lnk = C:\Program Files\JetAudio\JetAudio.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} - http://www.mariatv.it/SOPCORE.CAB
O16 - DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} (Quantum Streaming IE VersionManager Class) - http://qmedia.xlontech.net/100170/sdk/latest/qsp2ie06041001.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{496EA7BD-44B3-40A9-8117-8CC1FD02AD6F}: NameServer = 58.69.254.3,58.69.254.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4BF95B1-7198-423E-9D62-BAAC980CE8C1}: NameServer = 58.69.254.3,58.69.254.8
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\System32\DPWLEvHd.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: l1 - Unknown owner - C:\WINDOWS\system32\ll1.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 8058 bytes
i hope this helps in fixing my problems... im thanking you in advance!!!
classicsoftware
05-09-2008, 01:48 AM
Open Hijackthis and place a check next to:
O2 - BHO: (no name) - {0A94AFAA-21B6-4930-B900-4BC2FFDACF51} - C:\WINDOWS\System32\admpars.dll (file missing)
O2 - BHO: (no name) - {2808C1CE-498B-4C8D-ADAF-7581D1078ED5} - C:\WINDOWS\System32\admpars.dll (file missing)
O2 - BHO: (no name) - {5562D6A8-F793-4A37-9C6C-0C62BA8B7493} - C:\WINDOWS\System32\admpars.dll (file missing)
O2 - BHO: (no name) - {9B6C21D1-D6A5-47E9-A80E-A6C261D43863} - C:\WINDOWS\System32\admpars.dll (file missing)
O4 - HKUS\S-1-5-18\..\Run: [lr1] C:\WINDOWS\system32\ll1.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [sysemls] C:\WINDOWS\System32\1.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [lr1] C:\WINDOWS\system32\ll1.exe (User 'Default user')
O23 - Service: l1 - Unknown owner - C:\WINDOWS\system32\ll1.exe
Close all program and browser windows except fro Hijackthis and click fix checked.
Re-boot and post a fresh log and tell me how the system is going.
azztro
05-10-2008, 12:16 AM
my pc is working fine now(i think), i dont have that annoying prompt everytime i open explorer or my computer, the system error dont also pop up in the system tray but the thing is my Avast AV is not in my system tray also, usually every time i start my pc it automatically start up and update itself but somehow it was disabled and i cant get it to automatically start even in the msconfig-startup but aside from that everything is fine now... anyway here is the new log of hjt
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:37:45 AM, on 5/10/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspn et_admin.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\program files\Caffe\Server.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\JetAudio\JetAudio.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn5\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn5\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn5\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKCU\..\Run: [Caffe-Server] c:\program files\Caffe\Server.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Startup: jetAudio.lnk = C:\Program Files\JetAudio\JetAudio.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} - http://www.mariatv.it/SOPCORE.CAB
O16 - DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} (Quantum Streaming IE VersionManager Class) - http://qmedia.xlontech.net/100170/sdk/latest/qsp2ie06041001.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{496EA7BD-44B3-40A9-8117-8CC1FD02AD6F}: NameServer = 58.69.254.3,58.69.254.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4BF95B1-7198-423E-9D62-BAAC980CE8C1}: NameServer = 58.69.254.3,58.69.254.8
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\System32\DPWLEvHd.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 7564 bytes
classicsoftware
05-10-2008, 01:56 PM
Your system looks clean. Now I need you to do the following:
1) Delete all restore points.
2) Create a new restore point.
3) Download and install SP2 (http://www.microsoft.com/downloads/details.aspx?familyid=049C9DBE-3B8E-4F30-8245-9E368D3CDB5A&displaylang=en).
Once SP2 is installed. Post back with a fresh HJT log and let me know how the system is running. It is the lack of security in SP1 that got you infected in the first place.
azztro
05-11-2008, 11:04 AM
umm as much as i want to upgrade to SP2... im afraid i cant, cuz this pc that im using is the server to my little computer shop that i own.. and i have a system timer that controls the usage of the client pc, and it can only run if all the pcs are running the same OS, in my case they are all running SP1, if i were to upgrade my pc(server), then i have to upgrade all 19 of my clients, which can be a bit a troublesome... so i may have to be contended using SP1. but if you can tell that my pc is ok right now then im ok with it, i may just have to be cautious on the sites, links and file that i click. so in that note thank you very very much for the help you gave, i really really appreciate it. hope you continue to help others. thanks again!!!
classicsoftware
05-11-2008, 11:35 AM
I must admonish you. You must upgrade all of these PC's to SP2 and do it as soon as possible. You and people like you are one of the main reasons this crap spreads as easily as it does. You are responsible for twenty unprotected PC's on the net. That is 20 potential spam-bots.
Bite the bullet and get this done. Not just for yourself, but for the rest of us....
azztro
05-12-2008, 12:24 AM
aw ok... but it'll take sometime, ill try first on my pc... let you know what happened..
Don't 'try'...do it.
XP now is up to SP3, which fixes even more security issues. Yes, there are a couple of problems with SP3 on some systems, but it is nearly as important as SP2...but only nearly. Get SP2 done...like, yesterday.
azztro
05-14-2008, 05:02 AM
hmmm.... 2 mods? ok i get the urgency of the situation but 2 mods? isnt that a little too overboard? anyway ive done what you told me to do, my pc is now running sp2, soon ill upgrade my other client pcs... here is the log of my hjt:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:16:51 PM, on 5/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspn et_admin.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\program files\Caffe\Server.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\JetAudio\JetAudio.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn5\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn5\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn5\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKCU\..\Run: [Caffe-Server] c:\program files\Caffe\Server.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Startup: jetAudio.lnk = C:\Program Files\JetAudio\JetAudio.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} - http://www.mariatv.it/SOPCORE.CAB
O16 - DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} (Quantum Streaming IE VersionManager Class) - http://qmedia.xlontech.net/100170/sdk/latest/qsp2ie06041001.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{496EA7BD-44B3-40A9-8117-8CC1FD02AD6F}: NameServer = 58.69.254.3,58.69.254.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4BF95B1-7198-423E-9D62-BAAC980CE8C1}: NameServer = 58.69.254.3,58.69.254.8
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\System32\DPWLEvHd.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 7890 bytes
ill try running hjt and combofix on 2 of my clients and ill try to fix it on my own, i think i sort of have an idea of what to do,things to remove... but if anything bad happens ill just seek for your help or advice...
Budfred
05-14-2008, 07:51 AM
Just to throw a third Mod into the mix -- if you have a problem updating to SP2 on any of those client PCs, it likely means they are already infected... It is also important to realize -- without SP2, you can get infected just going online -- it doesn't have to be at dodgy sites or downloading infected programs... If those computers never go online and you keep the server armored, it isn't quite as dangerous not updating them... However, I doubt that is the case, so the sooner the better... If you go here:
http://www.microsoft.com/technet/Downloads/default.mspx
and download the offline version of SP2 with subsequent updates, you can push it out to all of those computers very quickly...
Read this thread...
http://www.pcguide.com/vb/showthread.php?t=62787
Those are the kind of attacks (the ones that end up infecting 'safe' sites) that usually push malware to those who don't visit 'dodgy' sites.
And 20+ infected machines means 20+ more 'pwned' machines spreading more of this crap...think of it this way...each infected machine that you have is no longer yours. Some slimeball in Russia now owns it.
classicsoftware
05-14-2008, 10:31 PM
ill try running hjt and combofix on 2 of my clients and ill try to fix it on my own, i think i sort of have an idea of what to do,things to remove... but if anything bad happens ill just seek for your help or advice...
Be careful what you remove with HJT as it can sink a system if your not careful
azztro
05-16-2008, 12:33 AM
wow 3 mods, now im starting to feel a bit special(just kidding)..
umm i was just starting to fix my clients, im already stuck with a problem.. i cant install windows recovery system, i drag the file to combofix and a prompt says that my combofix is outdated and shows the date of that day... i already installed hjt and scanned it, and i already saw lots of infected files but i thought running combofix first would lessen the infected files, but i cant install it, i tried downloading it directly from that pc but it still says the same prompt... help please...
Budfred
05-16-2008, 07:40 AM
You need to download a fresh copy of ComboFix... It is updated constantly and the developer included that feature because people were trying to use it even when it was several months or weeks out of date...
azztro
05-16-2008, 08:55 AM
where can i download new combofix file? i tried downloading from BleepingComputer.com
ForoSpyware.com
GeeksTogo.com
but just when its about to finish downloading, it says cannot download file missing file, contact admin blah blah..
classicsoftware
05-16-2008, 09:02 AM
Can you download a copy on to your clean machine and then either transfer over the network or via CD
azztro
05-16-2008, 09:34 AM
actually im downloading it from my pc that you just helped me clean... and i tried downloading it from 3 of the sites but still cant download it
classicsoftware
05-16-2008, 10:01 AM
Can you download it from the net onto the clean PC?
azztro
05-16-2008, 10:24 AM
the computer im using right now is the pc that you just helped me clean, im downloading it from this pc(server) and i cant finish downloading it, first i copy the combofix (the one used to clean this pc) then transfered it to my clients.. then i got the prompt that says its outdated... i tried downloading it directly from the client pc and i cant finish it, then i tried DLing it here on my pc(server) and its the same thing, i cant download it from either the clean pc or the pc im trying to fix
classicsoftware
05-16-2008, 11:27 AM
I just donwloaded it no problem. Please send me PM with your e-mail address and I'll e-mail a copy to you.
vBulletin v3.6.1, Copyright ©2000-2012, Jelsoft Enterprises Ltd.