Old 06-14-2008, 01:26 PM   #10 (permalink)
AlyssaM
Registered User
 
Join Date: Jun 2008
Posts: 12
OS: Windows XP


Re: Ah, spyware! Help!!

Sorry. Ok, I kept Avira. But as for Panda -- we had installed that onto our computer a few years ago, but soon afterwards, I tried uninstalling it. It's still in the Add/Remove programs though, and when I try to click "Remove" to uninstall it, nothing happens. So I don't technically still have it, because I can't even access or open it -- the program isn't on my computer anywhere -- yet when I put the CD in to reinstall it, it says "a version of it is already installed". Yet it doesn't work or even really act like it's still installed. It's been like that for about 2 years now. Is that still bad?

And, although HijackThis says it's under C:\Program Files\Panda Software.... I don't seem to actually have that folder in my program files.

ComboFix 08-06-12.2 - Alyssa 2008-06-14 14:58:14.2 - FAT32x86
Running from: C:\Documents and Settings\Alyssa\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\qoMeBrqo.dll
.
---- Previous Run -------
.
C:\Documents and Settings\Alyssa\Application Data\{2CF0B992-5EEB-4143-99C0-5297EF71F444}
C:\Program Files\Common Files\SLMSS
C:\Program Files\Common Files\SLMSS\acp1.dat
C:\WINDOWS\cookies.ini
C:\WINDOWS\nogxfvblqld.dll
C:\WINDOWS\start.exe
C:\WINDOWS\system32\bmf.cs
C:\WINDOWS\system32\ccs.so
C:\WINDOWS\SYSTEM32\guiocwaq.ini
C:\WINDOWS\system32\ho.ln
C:\WINDOWS\system32\jkkICtrO.dll
C:\WINDOWS\system32\ko.o
C:\WINDOWS\system32\mn.n
C:\WINDOWS\SYSTEM32\OrtCIkkj.ini
C:\WINDOWS\SYSTEM32\OrtCIkkj.ini2
C:\WINDOWS\system32\qawcoiug.dll
C:\WINDOWS\SYSTEM32\siqsadqq.ini
C:\WINDOWS\system32\uiqblbbc.ini
C:\WINDOWS\SYSTEM32\vpcoqymm.ini
C:\WINDOWS\system32\wcpsvcc.exe
C:\WINDOWS\system32\windows.scr
C:\WINDOWS\system32\xxtdnecc.ini
C:\WINDOWS\timessquare1.dat
C:\WINDOWS\Web\default.htt
C:\WINDOWS\xbqmfsed.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_msupdate
-------\Legacy_RDRIV
-------\Service_cmdService
-------\Service_hcnwg4u
-------\Service_msupdate
-------\Service_rdriv


((((((((((((((((((((((((( Files Created from 2008-05-14 to 2008-06-14 )))))))))))))))))))))))))))))))
.

2008-06-14 13:47 . 2008-06-14 13:47 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2008-06-14 09:25 . 2008-06-14 09:25 <DIR> d-------- C:\Combbfx
2008-06-13 14:39 . 2008-06-13 14:39 126 --a------ C:\Temp\ECDC.CMD
2008-06-13 14:34 . 2008-06-13 14:34 264 --a------ C:\WINDOWS\_delis32.ini
2008-06-12 21:29 . 2008-06-13 23:11 121 --a------ C:\WINDOWS\bdagent.INI
2008-06-12 21:24 . 2008-06-12 21:24 <DIR> d-------- C:\Program Files\Ad-Aware 2008
2008-06-12 21:24 . 2008-06-12 21:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-12 21:21 . 2008-06-12 21:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-12 21:04 . 2008-06-12 21:04 <DIR> d-------- C:\Program Files\BitDefender
2008-06-12 20:57 . 2008-06-12 20:57 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2008-06-11 22:55 . 2008-06-11 22:55 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AdobeUM
2008-06-11 12:44 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\hidusb.sys
2008-06-11 12:44 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\SYSTEM32\dllcache\hidusb.sys
2008-06-11 11:11 . 2008-06-11 11:11 <DIR> d-------- C:\Program Files\TV Media
2008-06-10 09:49 . 2008-06-10 09:49 <DIR> d--hs---- C:\FOUND.069
2008-06-09 10:08 . 2008-06-09 10:08 <DIR> d-------- C:\Deckard
2008-06-08 08:28 . 2003-03-02 10:49 2,142 -ra------ C:\WINDOWS\SYSTEM32\autoexec.nt
2008-06-06 21:37 . 2008-06-06 21:37 <DIR> d-------- C:\Program Files\Avira
2008-06-06 21:37 . 2008-06-06 21:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-06 21:17 . 2008-06-06 21:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-06 20:10 . 2008-06-06 14:49 139,264 --a------ C:\WINDOWS\eslm.exe
2008-06-06 20:07 . 2008-06-06 20:07 0 --a------ C:\274013913
2008-06-06 19:44 . 2008-06-06 19:44 <DIR> d-------- C:\Program Files\Windows Live
2008-06-06 19:44 . 2008-06-06 19:44 <DIR> d--hs---- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-06 19:43 . 2008-06-06 19:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-04 08:39 . 2008-06-04 08:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\SYSTEM32\lsdelete.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-11 18:21 7,168 --sha-w C:\Program Files\Common Files\Thumbs.db
2008-04-29 15:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 15:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 15:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-22 19:55 --------- d-----w C:\Documents and Settings\Alyssa\Application Data\acccore
2008-04-22 19:46 --------- d-----w C:\Program Files\AIM6
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\SYSTEM32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\dllcache\win32k.sys
2008-02-04 21:09 49,985,276 ----a-w C:\Documents and Settings\Alyssa\My Documents.zip
2008-01-06 14:21 7,168 --sha-w C:\Program Files\Thumbs.db
2005-06-16 16:42 572 ---ha-w C:\Documents and Settings\Alyssa\hpothb07.dat
2004-11-24 00:19 0 ----a-w C:\Documents and Settings\Alyssa\romlst.dat
2004-11-14 23:02 230,237 ----a-w C:\Documents and Settings\Alyssa\Application Data\tvmknwrd.dll
2004-09-04 23:00 344 ----a-w C:\Program Files\ClearSearchcsie_ron_campaigns.dat
2004-09-04 23:00 296 ----a-w C:\Program Files\ClearSearchcsie_mpu_patterns.dat
2004-09-04 23:00 208 ----a-w C:\Program Files\ClearSearchcsie_mpu_rules.dat
2004-09-04 23:00 136 ----a-w C:\Program Files\ClearSearchcsie_ron_rules.dat
2004-09-04 22:59 88 ----a-w C:\Program Files\ClearSearchcsie_usb_rules.dat
2004-09-04 22:59 482 ----a-w C:\Program Files\ClearSearchcsie_checks.dat
2004-09-04 22:59 3,568 ----a-w C:\Program Files\ClearSearchcsie_usb_campaigns.dat
2004-09-04 22:59 256 ----a-w C:\Program Files\ClearSearchcsie_ss_rules.dat
2004-09-04 22:59 2,976 ----a-w C:\Program Files\ClearSearchcsie_tsb_patterns.dat
2004-09-04 22:59 2,560 ----a-w C:\Program Files\ClearSearchcsie_tsb_edomains.dat
2004-09-04 22:59 2,560 ----a-w C:\Program Files\ClearSearchcsie_ss_edomains.dat
2004-09-04 22:59 18,712 ----a-w C:\Program Files\ClearSearchcsie_usb_patterns.dat
2004-09-04 22:59 136 ----a-w C:\Program Files\ClearSearchcsie_tsb_campaigns.dat
2004-09-04 22:59 104 ----a-w C:\Program Files\ClearSearchcsie_tsb_rules.dat
2004-09-04 22:59 0 ----a-w C:\Program Files\ClearSearchcsie_ss_idomainsd.dat
2003-01-26 18:23 271 --sh--w C:\Program Files\desktop.ini
2003-01-26 18:23 23,357 ---h--w C:\Program Files\folder.htt
1999-02-22 21:46 148,992 ----a-w C:\Program Files\UNWISE.EXE
1984-11-08 16:21 500 ---ha-w C:\Documents and Settings\Alyssa\Application Data\MSWWINEDRVM7.DLL
2005-01-12 13:15 3,547 --sha-w C:\WINDOWS\geses.dat
2005-01-29 04:25 3,547 --sha-w C:\WINDOWS\klhww.dat
2005-01-16 17:40 3,547 --sha-w C:\WINDOWS\moxxj.dat
2006-10-29 16:29 2,516 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
2006-10-29 16:29 88 --sh--r C:\WINDOWS\SYSTEM32\BC2E574C5F.sys
2003-12-18 17:41 1,133 --sh--w C:\WINDOWS\SYSTEM32\YgzI.exe
2005-01-10 10:24 4,354 --sha-w C:\WINDOWS\SYSTEM32\kntiz.dat
2005-01-02 07:02 0 --sha-w C:\WINDOWS\SYSTEM32\dzkrp.dat
2005-01-06 14:22 3,547 --sha-w C:\WINDOWS\SYSTEM32\kjulb.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [ ]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe" [ ]
"oiwo"="C:\PROGRA~1\COMMON~1\oiwo\oiwom.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 00:56 53760 C:\WINDOWS\SYSTEM32\narrator.exe]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-03 22:59 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\winot73.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winpu27.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Runner.LNK]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Runner.LNK
backup=C:\WINDOWS\pss\Runner.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^jerisue^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=C:\Documents and Settings\jerisue\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM95\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bargains]
C:\Program Files\Bargain Buddy\bin\bargains.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DealHelperUpdate]
C:\WINDOWS\DHUpdt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eZWO]
C:\PROGRA~1\Web Offer\wo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HXIUL.EXE]
C:\Program Files\Alset\HelpExpress\jerisue\HXIUL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
C:\Program Files\Microsoft Money\System\Money Express.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power Scan]
C:\Program Files\Power Scan\powerscan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunDLL]
C:\WINDOWS\Downloaded Program Files\bridge.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAHAgent]
C:\WINDOWS\System32\SahAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-12-18 10:28 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VBouncer]
C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VVSN]
C:\Program Files\VVSN\VVSN.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebSavingsfromEbates]
wjview /cp:p C:\Program Files\WebSavingsfromEbates\System\Code Main lp: C:\Program Files\WebSavingsfromEbates

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windows auto update]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xqjibmmkbzwl]
C:\WINDOWS\System32\qnlrbt.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MoneyStartUp"=C:\Program Files\Microsoft Money\System\Money Startup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"WorksFUD"=C:\Program Files\Microsoft Works\wkfud.exe
"Microsoft Works Portfolio"=C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
"Microsoft Works Update Detection"=C:\Program Files\Microsoft Works\WkDetect.exe
"HPStart"=c:\hp\hpcoach\hpstart.wsf
"Tour"=C:\WINDOWS\wincool.exe /30m

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"MMTray"=C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
"hpsysdrv"=C:\WINDOWS\SYSTEM32\hpsysdrv.exe
"Delay"=C:\WINDOWS\delayrun.exe
"MotiveMonitor"=C:\Program Files\Motive\motmon.exe
"mgavrtclexe"=C:\WINDOWS\MCBin\AV\Rt\mgavrtcl.exe
"wcmdmgr"=C:\WINDOWS\wt\wcmdmgrl.exe -launch
"LoadQM"=loadqm.exe
"CMESys"="C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
"webHancer Agent"="C:\Program Files\webHancer\Programs\whAgent.exe"
"OEMCleanup"=C:\WINDOWS\OPTIONS\OEMRESET.EXE /O
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\ccapp.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Documents and Settings\\Alyssa\\Desktop\\Installations\\uTorrent.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\LNE100V5.sys [2001-10-24 19:16]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys [2005-04-21 00:33]
S0 winot73;winot73;C:\WINDOWS\system32\Drivers\Winot73.sys []
S0 Winpu27;Winpu27;C:\WINDOWS\system32\Drivers\Winpu27.sys []
S2 AIM;AOL Instant Messanger;"C:\WINDOWS\aim.exe" []
S2 PAVFIRES;Panda Firewall Service;C:\Program Files\Panda Software\Panda Platinum Internet Security\Firewall\PavFires.exe []
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-28 22:59]
S3 ComFiltr;Panda Anti-Dialer;C:\WINDOWS\System32\DRIVERS\COMFiltr.sys []


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
"2008-06-07 13:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
"2008-06-14 19:10:22 C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job"
- C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE
"2008-06-03 05:00:04 C:\WINDOWS\Tasks\Maintenance-Defragment programs.job"
- C:\WINDOWS\DEFRAG.EXE
"2008-06-01 04:30:02 C:\WINDOWS\Tasks\Maintenance-Disk cleanup.job"
- C:\WINDOWS\CLEANMGR.EXE
"2004-08-25 19:59:32 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1085255803.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-14 15:14:44
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Ad-Aware 2008\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-06-14 15:18:28 - machine was rebooted [Alyssa]
ComboFix-quarantined-files.txt 2008-06-14 19:18:12

Pre-Run: 5,022,629,888 bytes free
Post-Run: 5,011,767,296 bytes free

281 --- E O F --- 2008-05-28 16:01:22

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:23:23 PM, on 6/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ad-Aware 2008\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Alyssa\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://my.lycos.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - <default> - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} - http://67.15.101.3/g_bin/eng/boards_2_0_0_20.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://spaces.msn.com/PhotoUpload/Ms...cab?10,0,911,0
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1155644189618
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} - http://cdn.digitalcity.com/radio/amp...1.11_en_dl.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - http://upload.facebook.com/controls/...ploader4_5.cab
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware 2008\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe (file missing)
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (antivirscheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Unknown owner - C:\Program Files\Panda Software\Panda Platinum Internet Security\Firewall\PavFires.exe (file missing)
O23 - Service: Panda anti-virus service (PAVSRV) - Unknown owner - C:\Program Files\Panda Software\Panda Platinum Internet Security\pavsrv51.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6638 bytes