
April 24th, 2007 13:00

possessedpath

1. Please go HERE and download the newer version of Hijackthis.

Save it to your Desktop and run it

Then rerun Hijackthis (with the newer version) and repost your log
 
bamajim   Graduate of MRU
CastleCops  Instructor

April 24th, 2007 17:00

ok, here it is
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\xloadnet\xloadnet.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\WWDFKJZW\HiJackThis_v2[1].exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn9\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn9\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15477B21-9AE5-4C5B-BD36-57909E241967} - C:\WINDOWS\system32\empwmomi.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\xiugkngw.dll (file missing)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {40E2EA0D-034A-4F66-BF04-9C3C0F438DC8} - C:\WINDOWS\system32\pmkhf.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {777BCCE0-49EC-4B8A-956A-ED50B196DC30} - C:\WINDOWS\system32\empwmomi.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn9\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [xloadnet] "C:\Program Files\xloadnet\xloadnet.exe"
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\__c00F1CDF.dat",setvm
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [A00F7020F4.exe] C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\_A00F7020F4.exe
O4 - HKCU\..\Run: [A00F702F1D.exe] C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\_A00F702F1D.exe
O4 - HKCU\..\Run: [A00F70468D.exe] C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\_A00F70468D.exe
O4 - HKCU\..\Run: [A00F705989.exe] C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\_A00F705989.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.line6.net
O15 - Trusted Zone: *.sxload.net (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/chuzzle/popcaploader_v6.cab
O20 - Winlogon Notify: pmkhf - C:\WINDOWS\system32\pmkhf.dll
O20 - Winlogon Notify: __c003732E - C:\WINDOWS\system32\__c003732E.dat
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
--
End of file - 12383 bytes
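The log above is what the helper reads to decide this is a Vundo-style infection: unnamed BHOs loading random-named DLLs from system32, Run entries launching from the user's Temp folder, rundll32 loading a `.dat` rather than a `.dll`, and a Winlogon Notify package pointing at the same DLL that is registered as a BHO. The script below, added here as an example and not part of the original thread or of HijackThis itself, applies those same indicators to a handful of constructed sample lines modelled on the posted log. The heuristics (`triage`, the regexes, and the cross-reference between O2 and O20 entries) are assumptions of this example, not rules HijackThis or the helper published.

```python
import re

# Constructed sample lines, modelled on the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15477B21-9AE5-4C5B-BD36-57909E241967} - C:\WINDOWS\system32\empwmomi.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\xiugkngw.dll (file missing)
O2 - BHO: (no name) - {40E2EA0D-034A-4F66-BF04-9C3C0F438DC8} - C:\WINDOWS\system32\pmkhf.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\__c00F1CDF.dat",setvm
O4 - HKCU\..\Run: [A00F7020F4.exe] C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\_A00F7020F4.exe
O15 - Trusted Zone: *.sxload.net (HKLM)
O20 - Winlogon Notify: pmkhf - C:\WINDOWS\system32\pmkhf.dll
O20 - Winlogon Notify: __c003732E - C:\WINDOWS\system32\__c003732E.dat
"""

# A HijackThis entry line starts with its section code (O2, O4, R1, ...), then " - ".
ENTRY_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
# Autoruns living under a Temp directory are almost never legitimate.
TEMP_RE = re.compile(r"\\(?:temp|temporary internet files)\\", re.IGNORECASE)
# rundll32 command line: capture the file it is asked to load.
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+)"?', re.IGNORECASE)


def parse_entries(log_text):
    """Return (section, body) pairs for every entry line; process lists and headers are ignored."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Flag the indicators discussed in the thread; returns (section, reason, path) tuples in log order.

    The rules below are this example's own heuristics, not HijackThis logic.
    """
    findings = []
    unnamed_bho = set()  # basenames of unnamed BHO DLLs located in system32

    for section, body in parse_entries(log_text):
        if section == "O2" and body.startswith("BHO: (no name)"):
            path = body.rsplit(" - ", 1)[-1]
            missing = path.endswith("(file missing)")
            path = path.replace(" (file missing)", "")
            if "\\system32\\" in path.lower():
                unnamed_bho.add(basename(path))
            reason = "unnamed BHO" + (", file missing (orphaned registration)" if missing else "")
            findings.append((section, reason, path))

        elif section == "O4":
            # Body looks like: HKLM\..\Run: [Name] command line
            cmd = body.split("] ", 1)[-1]
            if TEMP_RE.search(cmd):
                findings.append((section, "autorun launched from a Temp directory", cmd))
            m = RUNDLL_RE.match(cmd)
            if m and not m.group(1).lower().endswith(".dll"):
                findings.append((section, "rundll32 loading a non-.dll file", m.group(1)))

        elif section == "O15":
            # Trusted Zone additions weaken IE security for the listed hosts; always worth a look.
            findings.append((section, "Trusted Zone entry (review)", body.split(": ", 1)[-1]))

        elif section == "O20":
            path = body.rsplit(" - ", 1)[-1]
            if not path.lower().endswith(".dll"):
                findings.append((section, "Winlogon Notify package that is not a .dll", path))
            elif basename(path) in unnamed_bho:
                findings.append((section, "Winlogon Notify DLL also registered as an unnamed BHO", path))

    return findings


if __name__ == "__main__":
    for section, reason, path in triage(SAMPLE_LOG):
        print(f"{section:4} {reason}: {path}")
```

Run against the sample it reports eight findings; the O20/O2 cross-reference is the one that matters most, because a Winlogon Notify package is loaded by winlogon.exe at every logon and will re-create the BHO if only the BHO is removed, which is why the helper warns that this will take more than one pass.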


April 24th, 2007 18:00

possessedpath

We have some work to do here. It will take a couple of runs at this to completely remove the infection, so please be patient.

1. Please download VundoFix.exe to your desktop.

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

2. Re-run HijackThis
  • At the Main window select "Open the misc tool section"
  • Then select "Open uninstall manager"
  • Then "save list" and save it to your desktop
  • Copy and paste that list as a reply to this thread

Your reply should include
  • Your C:\Vundofix.txt log
  • Your Uninstall log from Hijackthis

bamajim   Graduate of MRU
CastleCops  Instructor



    April 25th, 2007 01:00

    Sorry, I think I gave you the wrong one. Here you go.
     
    "HP_Owner" - 07-04-24 21:40:22    Service Pack 2 
    ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\HP_Owner\Desktop\"

    (((((((((((((((((((((((((((((((   Files Created from 2007-03-24 to 2007-04-24  ))))))))))))))))))))))))))))))))))

    2007-04-24 20:42   d-------- C:\VundoFix Backups
    2007-04-24 02:16   d-------- C:\Program Files\RogueRemover
    2007-04-24 00:50   d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PopCap
    2007-04-24 00:02   d-------- C:\DOCUME~1\MELICA~1.000\APPLIC~1\AdobeUM
    2007-04-23 03:41 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys
    2007-04-22 09:36 119,808 --a------ C:\WINDOWS\system32\__c00F1CDF.dat
    2007-04-22 02:41 54,784 --a------ C:\WINDOWS\vlb.exe
    2007-04-22 02:41 36,352 --a------ C:\WINDOWS\system32\__c00E1639.dat
    2007-04-22 02:41 36,352 --a------ C:\WINDOWS\system32\__c00A2244.dat
    2007-04-22 02:41 36,352 --a------ C:\WINDOWS\system32\__c008FC52.dat
    2007-04-22 02:41 36,352 --a------ C:\WINDOWS\system32\__c003732E.dat
    2007-04-21 15:11   d-------- C:\Program Files\Postal2
    2007-04-21 14:57 86,016 --a------ C:\WINDOWS\unvise32.exe
    2007-04-21 14:53   d-------- C:\Program Files\Postal2STP
    2007-04-21 14:44   d-------- C:\Program Files\MagicISO
    2007-04-18 19:39   d-------- C:\JADE
    2007-04-18 17:52   d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\BitTorrent
    2007-04-18 16:57 12,928 --a------ C:\WINDOWS\system32\drivers\filedisk.sys
    2007-04-18 14:19   d---s---- C:\DOCUME~1\rj\UserData
    2007-04-18 02:36 48,776 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
    2007-04-18 02:36 115,000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2007-04-18 01:43   d-------- C:\Program Files\Norton Internet Security
    2007-04-17 13:29   d---s---- C:\DOCUME~1\LOCALS~1\UserData
    2007-04-17 13:28   d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Google
    2007-04-16 13:41   d-------- C:\Program Files\XviD
    2007-04-16 13:31   d-------- C:\Program Files\NimoCodec Pack
    2007-04-16 11:01   d-------- C:\DOCUME~1\rj\APPLIC~1\yahoo!
    2007-04-16 10:50   d-------- C:\DOCUME~1\rj\APPLIC~1\Google
    2007-04-14 08:35   d-------- C:\DOCUME~1\MELICA~1.000\APPLIC~1\Viewpoint
    2007-04-14 08:24   d-------- C:\DOCUME~1\MELICA~1.000\APPLIC~1\acccore
    2007-04-13 23:09   d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\Viewpoint
    2007-04-13 20:44 1,048,576 --ah----- C:\DOCUME~1\rj\NTUSER.DAT
    2007-04-13 20:44   d-------- C:\DOCUME~1\rj\WINDOWS
    2007-04-13 20:44   d-------- C:\DOCUME~1\rj\APPLIC~1\Symantec
    2007-04-13 20:44   d-------- C:\DOCUME~1\rj\APPLIC~1\SampleView
    2007-04-13 20:44   d-------- C:\DOCUME~1\rj\APPLIC~1\Real
    2007-04-13 20:44   d-------- C:\DOCUME~1\rj\APPLIC~1\Intuit
    2007-04-13 20:44   d-------- C:\DOCUME~1\rj\APPLIC~1\Apple Computer
    2007-04-13 17:26   d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\acccore
    2007-04-13 01:31   d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\AdobeUM
    2007-04-12 22:26   d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\Line 6
    2007-04-12 10:59   d-------- C:\DOCUME~1\MELICA~1.000\APPLIC~1\yahoo!
    2007-04-12 10:58   d-------- C:\DOCUME~1\MELICA~1.000\APPLIC~1\Google
    2007-04-12 10:57 1,048,576 --ah----- C:\DOCUME~1\MELICA~1.000\NTUSER.DAT
    2007-04-12 10:57   d-------- C:\DOCUME~1\MELICA~1.000\WINDOWS
    2007-04-12 10:57   d-------- C:\DOCUME~1\MELICA~1.000\APPLIC~1\Symantec
    2007-04-12 10:57   d-------- C:\DOCUME~1\MELICA~1.000\APPLIC~1\SampleView
    2007-04-12 10:57   d-------- C:\DOCUME~1\MELICA~1.000\APPLIC~1\Real
    2007-04-12 10:57   d-------- C:\DOCUME~1\MELICA~1.000\APPLIC~1\Intuit
    2007-04-12 10:57   d-------- C:\DOCUME~1\MELICA~1.000\APPLIC~1\Apple Computer
    2007-04-12 07:38   d---s---- C:\DOCUME~1\HP_Owner\UserData
    2007-04-12 05:09   d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\HP
    2007-04-12 04:11 225,280 --a------ C:\WINDOWS\system32\rewire.dll
    2007-04-12 04:11   d-------- C:\Program Files\VstPlugins
    2007-04-12 03:39 245,408 --a------ C:\WINDOWS\system32\unicows.dll
    2007-04-12 03:39 19,968 --a------ C:\WINDOWS\system32\cpuinf32.dll
    2007-04-12 03:39 1,415,680 --a------ C:\WINDOWS\system32\WMV9VCM.dll
    2007-04-12 00:39 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
    2007-04-12 00:35 12 --a------ C:\DOCUME~1\HP_Owner\USERDATA.DAT
    2007-04-11 22:54   d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\yahoo!
    2007-04-11 22:23   d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\Google
    2007-04-11 21:19 15,360 -ra------ C:\WINDOWS\system32\drivers\NetMotCM.sys
    2007-04-11 21:06   dr-hs---- C:\cmdcons
    2007-04-11 21:04 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
    2007-04-11 21:02 3,145,728 --ah----- C:\DOCUME~1\HP_Owner\NTUSER.DAT
    2007-04-11 21:02   d-------- C:\DOCUME~1\HP_Owner\WINDOWS
    2007-04-11 21:02   d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\Symantec
    2007-04-11 21:02   d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\SampleView
    2007-04-11 21:02   d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\Real
    2007-04-11 21:02   d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\Intuit
    2007-04-11 21:02   d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\Apple Computer
    2007-04-06 00:15   d-------- C:\Program Files\support.com
    2007-04-06 00:15   d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Support.com
    2007-04-01 05:13   d-------- C:\USERDATA
    2007-04-01 05:11 262,144 --a------ C:\DOCUME~1\APPLIC~1\NTUSER.DAT

    ((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-04-24 20:55 -------- d-------- C:\Program Files\Common Files\symantec shared
    2007-04-24 02:59 36352 --a------ C:\WINDOWS\system32\__c003732e.dat
    2007-04-22 23:10 10 --a------ C:\WINDOWS\popcinfo.dat
    2007-04-22 17:12 -------- d-------- C:\Program Files\gamespy arcade
    2007-04-22 09:36 119808 --a------ C:\WINDOWS\system32\__c00f1cdf.dat
    2007-04-21 14:38 12528 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
    2007-04-19 16:56 -------- d-------- C:\Program Files\conquer 2.0
    2007-04-19 15:30 -------- d-------- C:\Program Files\camstudio
    2007-04-18 17:32 -------- d-------- C:\Program Files\ea games
    2007-04-18 02:42 -------- d-------- C:\Program Files\symantec
    2007-04-16 23:52 -------- d-------- C:\Program Files\divx
    2007-04-14 01:26 -------- d-------- C:\Program Files\mta san andreas
    2007-04-12 04:14 -------- d-------- C:\Program Files\image-line
    2007-04-12 00:00 -------- d-------- C:\Program Files\rockstar games
    2007-04-11 22:52 -------- d-------- C:\Program Files\ffdshow
    2007-04-11 22:49 -------- d-------- C:\Program Files\google
    2007-04-11 21:05 3645 --a------ C:\WINDOWS\viassary-hp.reg
    2007-04-11 21:03 -------- d-------- C:\Program Files\easy internet signup
    2007-04-11 20:44 -------- d-------- C:\Program Files\windows nt
    2007-04-11 20:44 -------- d-------- C:\Program Files\movie maker
    2007-04-11 20:44 -------- d-------- C:\Program Files\messenger
    2007-04-09 13:10 -------- d-------- C:\Program Files\viewpoint
    2007-04-06 12:38 -------- d-------- C:\Program Files\msn messenger
    2007-04-05 06:23 -------- d-------- C:\Program Files\ares
    2007-04-01 23:15 -------- d-------- C:\Program Files\line6
    2007-03-23 17:09 -------- d-------- C:\Program Files\Common Files\wise installation wizard
    2007-03-22 16:21 -------- d-------- C:\Program Files\multi theft auto
    2007-03-15 08:13 -------- d-------- C:\Program Files\popcap games
    2007-03-12 05:27 -------- d-------- C:\Program Files\america's army server manager
    2007-03-12 05:27 -------- d-------- C:\Program Files\america's army
    2007-03-12 01:34 -------- d-------- C:\Program Files\myspace
    2007-03-08 23:00 32 --a------ C:\WINDOWS\msocreg32.dat
    2007-03-08 20:30 -------- d-------- C:\Program Files\vob
    2007-03-08 20:28 -------- d-------- C:\Program Files\steinberg

    ((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
     
     
    *Note* empty entries & legit default entries are not shown
     
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn9\yt.dll
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    {15477B21-9AE5-4C5B-BD36-57909E241967} C:\WINDOWS\system32\empwmomi.dll
    {1557B435-8242-4686-9AA3-9265BF7525A4} C:\WINDOWS\system32\xiugkngw.dll
    {1E8A6170-7264-4D0F-BEAE-D42A53123C75} C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
    {40E2EA0D-034A-4F66-BF04-9C3C0F438DC8} C:\WINDOWS\system32\pmkhf.dll
    {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} C:\Program Files\Yahoo!\Common\yiesrvc.dll
    {777BCCE0-49EC-4B8A-956A-ED50B196DC30} C:\WINDOWS\system32\empwmomi.dll
    {AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar2.dll
    {FDB0126A-FA26-403D-B08C-02BE2E4F5F38} C:\WINDOWS\system32\pmkhf.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "High Definition Audio Property Page Shortcut"="HDAShCut.exe"
    "HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
    "Persistence"="C:\\WINDOWS\\system32\\igfxpers.exe"
    "HPHUPD08"="c:\\Program Files\\HP\\Digital Imaging\\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\\hphupd08.exe"
    "PCDrProfiler"=""
    "HPBootOp"="\"C:\\Program Files\\Hewlett-Packard\\HP Boot Optimizer\\HPBootOp.exe\" /run"
    "LSBWatcher"="c:\\hp\\drivers\\hplsbwatcher\\lsburnwatcher.exe"
    "HP Software Update"=hex(2):43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,\
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\"  -osboot"
    "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "osCheck"="\"C:\\Program Files\\Norton Internet Security\\osCheck.exe\""
    "Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PIFSvc.exe\" /a /m \"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\AlertEng.dll\""
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
    "ares"="\"C:\\Program Files\\Ares\\Ares.exe\" -h"
    "swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "Aim6"="\"C:\\Program Files\\AIM6\\aim6.exe\" /d locale=en-US ee://aol/imApp"
    "BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c003732E
    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
       Authentication Packages REG_MULTI_SZ    msv1_0\0\0
       Security Packages REG_MULTI_SZ    kerberos\0msv1_0\0schannel\0wdigest\0\0
       Notification Packages REG_MULTI_SZ    scecli\0\0
     
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    HTTPFilter REG_MULTI_SZ    HTTPFilter\0\0
    LocalService REG_MULTI_SZ    Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ    DnsCache\0\0
    DcomLaunch REG_MULTI_SZ    DcomLaunch\0TermService\0\0
    rpcss REG_MULTI_SZ    RpcSs\0\0
    imgsvc REG_MULTI_SZ    StiSvc\0\0
    termsvcs REG_MULTI_SZ    TermService\0\0

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9eac1006-e897-11db-af52-806d6172696f}]
    Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
    *newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST

    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    C:\WINDOWS\tasks\Easy Internet Sign-up.job
    C:\WINDOWS\tasks\HPCeeSchedule.job
    C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - HP_Owner.job
    ********************************************************************
    catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-04-24 21:46:42
    Windows 5.1.2600 Service Pack 2 NTFS
    scanning hidden processes ...
    scanning hidden services ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0

    ********************************************************************
    Completion time: 07-04-24 21:46:55
    C:\ComboFix-quarantined-files.txt ... 07-04-24 21:46

    April 25th, 2007 01:00

    here you go
     
    VundoFix V6.3.20
    Checking Java version...
    Scan started at 8:42:59 PM 4/24/2007
    Listing files found while scanning....
    C:\WINDOWS\system32\fhkmp.bak1
    C:\WINDOWS\system32\fhkmp.bak2
    C:\WINDOWS\system32\fhkmp.ini
    C:\WINDOWS\system32\fhkmp.ini2
    C:\WINDOWS\system32\fhkmp.tmp
    C:\WINDOWS\system32\pmkhf.dll
    Beginning removal...
     Attempting to delete C:\WINDOWS\system32\fhkmp.bak1
    C:\WINDOWS\system32\fhkmp.bak1 Has been deleted!
     Attempting to delete C:\WINDOWS\system32\fhkmp.bak2
    C:\WINDOWS\system32\fhkmp.bak2 Has been deleted!
     Attempting to delete C:\WINDOWS\system32\fhkmp.ini
    C:\WINDOWS\system32\fhkmp.ini Has been deleted!
     Attempting to delete C:\WINDOWS\system32\fhkmp.ini2
    C:\WINDOWS\system32\fhkmp.ini2 Has been deleted!
     Attempting to delete C:\WINDOWS\system32\fhkmp.tmp
    C:\WINDOWS\system32\fhkmp.tmp Has been deleted!
     Attempting to delete C:\WINDOWS\system32\pmkhf.dll
    C:\WINDOWS\system32\pmkhf.dll Has been deleted!
    Performing Repairs to the registry.
    Done!
     
     
     
    and here's my uninstall list

    Adobe Audition 2.0
    Adobe Flash Player 9 ActiveX
    Adobe Reader 7.0
    AIM 6
    AppCore
    Ares 2.0.8
    AV
    Blasterball 2 from Hewlett-Packard Desktops (remove only)
    Blasterball 2 Holidays from Hewlett-Packard Desktops (remove only)
    Boggle Supreme from Hewlett-Packard Desktops (remove only)
    Bookworm Deluxe from Hewlett-Packard Desktops (remove only)
    Bounce Symphony from Hewlett-Packard Desktops (remove only)
    ccCommon
    Conquer 2.0
    Crystal Maze from Hewlett-Packard Desktops (remove only)
    Data Fax SoftModem with SmartCP
    Digby's Donuts from Hewlett-Packard Desktops (remove only)
    Easy Internet Sign-up
    FATE Demo from Hewlett-Packard Desktops (remove only)
    FL Studio 6
    Flip Words from Hewlett-Packard Desktops (remove only)
    GearBox 3.00 (Remove Only)
    Google Toolbar for Internet Explorer
    GTA San Andreas
    High Definition Audio Driver Package - KB888111
    Hijackthis 1.99.1
    HijackThis 1.99.1
    HP Boot Optimizer
    HP Deskjet Printer Preload
    HP Document Viewer 5.3
    HP Game Console and games
    HP Image Zone 5.3
    HP Imaging Device Functions 5.3
    HP Multimedia Keyboard Software
    HP Organize
    HP Photosmart 330,380,420,470,7800,8000,8200 Series
    HP Photosmart Cameras 5.0
    HP PSC & OfficeJet 5.3.B
    HP Software Update
    HP Solution Center & Imaging Support Tools 5.3
    Insaniquarium Deluxe from Hewlett-Packard Desktops (remove only)
    Intel(R) Graphics Media Accelerator Driver
    IntelliMover Data Transfer Demo
    InterVideo WinDVD Player
    iTunes
    J2SE Runtime Environment 5.0
    Jewel Quest from Hewlett-Packard Desktops (remove only)
    LiveUpdate 3.2 (Symantec Corporation)
    LiveUpdate Notice (Symantec Corporation)
    Magic ISO Maker v5.3 (build 0209)
    Mah Jong Quest from Hewlett-Packard Desktops (remove only)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft Money 2005
    Microsoft Office Standard Edition 2003
    Microsoft Plus! Dancer LE
    Microsoft Plus! Digital Media Edition Installer
    Microsoft Plus! Photo Story 2 LE
    Microsoft Works
    MSRedist
    MTA: Race for San Andreas 1.1.1
    muvee autoProducer 4.0
    Norton AntiVirus
    Norton Confidential Browser Component
    Norton Confidential Web Protection Component
    Norton Internet Security
    Norton Internet Security
    Norton Internet Security
    Norton Internet Security
    Norton Internet Security (Symantec Corporation)
    Norton Protection Center
    Office 2003 Tour
    PC-Doctor 5 for Windows
    Polar Bowler from Hewlett-Packard Desktops (remove only)
    Polar Golfer from Hewlett-Packard Desktops (remove only)
    Postal 2 Share The Pain
    Puzzle Express from Hewlett-Packard Desktops (remove only)
    Python 2.2 pywin32 extensions (build 203)
    Python 2.2.3
    Quicken 2005
    QuickTime
    RealPlayer
    Remove WeatherBug Installer
    Ricochet Lost Worlds from Hewlett-Packard Desktops (remove only)
    RogueRemover 1.17
    SCRABBLE Blast from Hewlett-Packard Desktops (remove only)
    SCRABBLE from Hewlett-Packard Desktops (remove only)
    SCRABBLE Rack Attack from Hewlett-Packard Desktops (remove only)
    Security Update for Windows XP (KB883939)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Sonic Express Labeler
    Sonic MyDVD Plus
    Sonic RecordNow Audio
    Sonic RecordNow Copy
    Sonic RecordNow Data
    Sonic Update Manager
    SPBBC 32bit
    Super Granny from Hewlett-Packard Desktops (remove only)
    Swarm from Hewlett-Packard Desktops (remove only)
    Symantec Real Time Storage Protection Component
    SymNet
    Tradewinds from Hewlett-Packard Desktops (remove only)
    Updates from HP (remove only)
    Viewpoint Media Player
    Windows Installer 3.1 (KB893803)
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB883667
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888239
    Windows XP Hotfix - KB890175
    Windows XP Hotfix - KB891781
    Windows XP Hotfix - KB893066
    XviD MPEG-4 Codec
    Yahoo! Browser Services
    Yahoo! Install Manager
    Yahoo! Internet Mail
    Yahoo! Messenger
    Yahoo! Toolbar
     


    April 25th, 2007 01:00


    possessedpath

    1. Download this file - combofix.exe
    2. Double-click combofix.exe and follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply.

    Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
     
    bamajim   Graduate of MRU
    CastleCops  Instructor

    April 25th, 2007 01:00


    07-04-21 16:00      64000    --a------    C:\Qoobox\Quarantine\C\Program Files\xloadnet\xloadnet.exe.vir
    07-04-23 19:42      131604    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\dkqiwuct.dll.vir
    07-04-23 20:12      131604    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\empwmomi.dll.vir
    07-04-23 23:50      131604    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\cjpfrmov.dll.vir
    07-04-24 02:03      131604    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\thhraqru.dll.vir

    Folder PATH listing for volume HP_PAVILION
    Volume serial number is B03B-9423
    C:\QOOBOX
    \---Quarantine
        +---C
        |   +---Program Files
        |   |   \---xloadnet
        |   |           xloadnet.exe.vir
        |   |          
        |   \---WINDOWS
        |       \---system32
        |               cjpfrmov.dll.vir
        |               dkqiwuct.dll.vir
        |               empwmomi.dll.vir
        |               thhraqru.dll.vir
        |              
        \---Registry_backups


    April 25th, 2007 15:00

    possessedpath
     
    Not much showing there. Are you still getting the pop-ups?
     
    Please post a fresh Hijackthis log
     
    bamajim   Graduate of MRU
    CastleCops  Instructor

    April 25th, 2007 18:00

    Nope, they're still showing up.
     
    Here's the log.
     
    Logfile of HijackThis v1.99.1
    Scan saved at 2:57:16 PM, on 4/25/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
    C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Ares\Ares.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
    C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCMTR.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
    c:\windows\system\hpsysdrv.exe
    C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Hijackthis\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn9\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn9\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {15477B21-9AE5-4C5B-BD36-57909E241967} - C:\WINDOWS\system32\empwmomi.dll (file missing)
    O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\xiugkngw.dll (file missing)
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
    O2 - BHO: (no name) - {40E2EA0D-034A-4F66-BF04-9C3C0F438DC8} - C:\WINDOWS\system32\pmkhf.dll (file missing)
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: (no name) - {777BCCE0-49EC-4B8A-956A-ED50B196DC30} - C:\WINDOWS\system32\empwmomi.dll (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {FDB0126A-FA26-403D-B08C-02BE2E4F5F38} - C:\WINDOWS\system32\pmkhf.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn9\yt.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
    O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
    O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
    O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.line6.net
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/chuzzle/popcaploader_v6.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: __c003732E - C:\WINDOWS\system32\__c003732E.dat
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
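    The log above mixes legitimate add-ons with nameless BHOs whose DLLs are already missing and a Winlogon Notify entry that points at a .dat file rather than a DLL. As an added example, not part of this thread or of HijackThis itself, the Python below parses O2 and O20 lines and flags exactly those two patterns; the sample lines are excerpted from the log above.

```python
# Triage O2 (BHO) and O20 (Winlogon Notify) lines from a HijackThis log.
# Added example, not part of the thread or of HijackThis. Two heuristics: a
# nameless BHO whose DLL is missing or that loads from system32, and a
# Winlogon Notify package that is not a .dll (legitimate packages are DLLs).
import re
from typing import Dict, List

# Sample input excerpted from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn9\yt.dll
O2 - BHO: (no name) - {15477B21-9AE5-4C5B-BD36-57909E241967} - C:\WINDOWS\system32\empwmomi.dll (file missing)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {40E2EA0D-034A-4F66-BF04-9C3C0F438DC8} - C:\WINDOWS\system32\pmkhf.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: __c003732E - C:\WINDOWS\system32\__c003732E.dat
"""

ENTRY_RE = re.compile(r"^(?P<section>O\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
MISSING = "(file missing)"


def triage_bho(body: str) -> List[str]:
    """Reasons to look closer at one O2 line body; [] if it looks benign."""
    m = BHO_RE.match(body)
    if not m:
        return []
    name, path = m.group("name"), m.group("path")
    missing = path.endswith(MISSING)
    file_path = path[: -len(MISSING)].strip() if missing else path
    if name == "(no name)" and missing:
        return ["nameless BHO whose DLL is missing (orphaned registration)"]
    if name == "(no name)" and "\\system32\\" in file_path.lower():
        return ["nameless BHO loading from system32"]
    return []


def triage_notify(body: str) -> List[str]:
    """Winlogon Notify packages are DLLs; anything else deserves a second look."""
    m = NOTIFY_RE.match(body)
    if m and not m.group("path").lower().endswith(".dll"):
        return ["Winlogon Notify package is not a .dll: " + m.group("path")]
    return []


def triage(log_text: str) -> List[Dict[str, object]]:
    """Run the per-section heuristics over a whole log and collect the hits."""
    findings: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        checks = {"O2": triage_bho, "O20": triage_notify}
        reasons = checks[section](body) if section in checks else []
        if reasons:
            findings.append({"section": section, "line": line, "reasons": reasons})
    return findings
```

Running `triage(SAMPLE_LOG)` returns the two missing-DLL BHOs and the .dat Notify entry while leaving the Yahoo, Symantec and Intel entries alone; the same heuristics run unchanged over a full pasted log.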


    April 25th, 2007 20:00

    possessedpath

    1. Please download ATF Cleaner by Atribune.
    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
      Click Exit on the Main menu to close the program.

    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    This will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.

    2. Go here and download AVG Anti-Spyware
    (30-day free trial version). Save it to your Desktop.
     
    Double-click AVG Anti-Spyware-setup
    (it will create its own folder).
    Once the program starts you will be at the Status menu.
    • Under "Your computer's Security"
      Click Update now (next to last update)
      After the update loads
      Under Automatic updates, uncheck Download and install updates automatically (recommended)
      (you can always select manual updates the next day)
    At the top toolbar click Scanner, then the Settings tab
    • Under How to act?, set Default action for detected malware to Quarantine
      Under How to scan, all boxes should be checked
      Under Possibly unwanted software, all boxes should be checked
      Under Reports, select Automatically generate report after every scan
      Uncheck Only if threats were found
      Under What to scan, Scan every file should be highlighted
    Exit AVG (but do not run it yet)
     
    Reboot into Safe Mode
    This can be done by
    • Restart your PC, and after it starts, but before you see the Windows splash screen,
      begin tapping the F8 key twice a second until you reach another menu screen (black background with white menu choices)
      Use your arrow keys to select Safe Mode and then press Enter
    Run AVG Anti-Spyware
    • Click Scanner
      Select Complete system scan
    Once the scan finishes
    • Select Apply all actions (the items found will be quarantined)
      Click Save report as (another window will open)
      Save it to your desktop
      (by default it will be saved in the AVG folder as)
      C:\Program Files\Grisoft\AVG anti-spyware 7.5\Reports
    Exit AVG
     
    Reboot your PC in Normal Mode, then re-run Hijackthis and post a fresh Hijackthis log.
    • Double-click the report-scan .txt you saved to your desktop
      It will open in Notepad
      Copy and paste that report as a reply to this thread
    Your reply should include
    • your report_scan.txt log from AVG
     
    bamajim   Graduate of MRU
    CastleCops  Instructor


      April 26th, 2007 01:00

      Whenever I run the AVG Anti-Spyware in Safe Mode it closes after about halfway through the scanning process.


      April 26th, 2007 14:00

      possessedpath

      We have some suspicious files I'd like to have checked.


      1. Please upload these files to Jotti's Online Virus Scan
      • C:\WINDOWS\system32\__c003732e.dat
        C:\WINDOWS\vlb.exe

      • Click "Browse" at the top of the page
        - Navigate to (locate) the file using Windows Explorer
        • (Right-click on "Start", select "Explore", and you will see the "tree" of file folders in the left side of the window. Click on the "+" next to any folder name to expand its contents)

        • C:\WINDOWS\system32\__c003732e.dat

        - Click "Open", then "Submit", and let the scan finish
        - Scroll down to the bottom of the page to find the results
        - Copy/paste the results in your next reply.
      Then repeat for both files
       
      bamajim   Graduate of MRU
      CastleCops  Instructor

