Hijack this help
Comments
-
I also ran the flash disinfector but on reboot when it tried to install the optical mouse, it still failed with the same error and wouldn't automatically install the software!
It's easier to get forgiveness than to ask permission
0 -
So what problems are there at the moment?
If the mouse is not working it may be worth uninstalling and then reinstalling.
I am still seeing that reg entry. Do you want to try another script?
0 -
The machine is incredibly slow and I get the same installation error when I plug in my usb pen drive and it tries to install the software for that.
Yes - I will try another script - it's proving to be another stubborn entry lol
So, from the logs, is that the only thing outstanding now?
Thanks again for your help - much appreciated
It's easier to get forgiveness than to ask permission
0 -
Ok, it is looking ok. I am not sure what the problem is with the usb pen drive - sorry.
Only a few things to do, well three!
1. Disable Spybot's Teatimer - this could be stopping the Registry part of the CF Script.
Please disable Spybot S&D’s TeaTimer protection, because it is known to interfere with our fixes.
You can enable it again after you're clean.
Open Spybot and click on 'Mode' then click 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.
2. CF Script
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
Save this as CFScript.txt, in the same location as ComboFix.exe
KillAll::
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7bef049a-2c00-11dc-a1ea-000e505b3b81}]
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
3. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
- Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
- Scroll down to where it says "Java Runtime Environment (JRE)6 Update 10...allows end-users to run Java applications".
- Click the "Download" button to the right.
- Select your Platform: "Windows".
- Select your Language: "Multi-Language".
- Read the License Agreement, and then check the box that says: "Accept License Agreement".
- Click Continue and the page will refresh.
- Click on the link to download Windows Offline Installation and save the file to your desktop.
- Close any programs you may have running - especially your web browser.
- Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
- Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
- Click the Remove or Change/Remove button.
- Follow the onscreen instructions for the Java uninstaller.
- Repeat as many times as necessary to remove each Java version.
- Reboot your computer once all Java components are removed.
- Then from your desktop double-click on jre-6u10-windows-i586-p.exe
- Follow the on screen instructions to install the latest Java version.
0 -
Thanks so much. It is going to be after the weekend now before I can get back round to run these. I'll update once done.
It's easier to get forgiveness than to ask permission
0 -
Right, have got the machine back at my house again.
1. Spybot teatimer is not running
2. Have run the CFScript
3. Have updated Java and removed all old versions.
Now follows a (very long) combofix report and a new hijack this log.
It's easier to get forgiveness than to ask permission
0 -
So I have omitted the entries in the 'snapshot' section as I think they are due to my running a system file checker (sfc /scannow) to try and fix the problem with the usb port (it didn't work!!) But if you want to see them, I will try and post, although I suspect it will take many posts to do it in!!
Here is the first bit of the log
ComboFix 08-10-27.02 - another 2008-10-28 9:53:25.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.35 [GMT 0:00]
Running from: C:\Documents and Settings\another\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\another\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-28 )))))))))))))))))))))))))))))))
2008-10-27 22:24 . 2008-10-27 22:24 410,976 --a C:\WINDOWS\SYSTEM32\deploytk.dll
2008-10-27 22:24 . 2008-10-27 22:24 73,728 --a C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-10-27 22:01 . 2001-08-17 13:28 794,654 --a C:\WINDOWS\SYSTEM32\DLLCACHE\usr1801.sys
2008-10-27 22:00 . 2001-08-17 22:36 386,560 --a C:\WINDOWS\SYSTEM32\DLLCACHE\sgiul50.dll
2008-10-27 21:59 . 2001-08-17 13:28 899,146 --a C:\WINDOWS\SYSTEM32\DLLCACHE\r2mdkxga.sys
2008-10-27 21:58 . 2001-08-17 14:05 351,616 --a C:\WINDOWS\SYSTEM32\DLLCACHE\ovcodek2.sys
2008-10-27 21:57 . 2002-08-29 04:00 1,875,968 --a C:\WINDOWS\SYSTEM32\DLLCACHE\msir3jp.lex
2008-10-27 21:56 . 2002-08-29 04:00 1,158,818 --a C:\WINDOWS\SYSTEM32\DLLCACHE\korwbrkr.lex
2008-10-27 21:55 . 2002-08-29 04:00 10,129,408 --a C:\WINDOWS\SYSTEM32\DLLCACHE\hwxkor.dll
2008-10-27 21:54 . 2001-08-17 14:56 1,733,120 --a C:\WINDOWS\SYSTEM32\DLLCACHE\g400d.dll
2008-10-27 21:53 . 2001-08-17 12:14 952,007 --a C:\WINDOWS\SYSTEM32\DLLCACHE\diwan.sys
2008-10-27 21:52 . 2002-08-29 04:00 1,677,824 --a C:\WINDOWS\SYSTEM32\DLLCACHE\chsbrkr.dll
2008-10-27 21:51 . 2001-08-17 13:28 871,388 --a C:\WINDOWS\SYSTEM32\DLLCACHE\bcmdm.sys
2008-10-27 21:50 . 2001-08-17 13:28 762,780 --a C:\WINDOWS\SYSTEM32\DLLCACHE\3cwmcru.sys
2008-10-27 21:49 . 2001-08-17 14:56 66,048 --a C:\WINDOWS\SYSTEM32\DLLCACHE\s3legacy.dll
2008-10-23 20:34 . 2008-10-23 20:34 <DIR> d C:\WINDOWS\SYSTEM32\scripting
2008-10-23 20:34 . 2008-10-23 20:34 <DIR> d C:\WINDOWS\SYSTEM32\en
2008-10-23 20:34 . 2008-10-23 20:34 <DIR> d C:\WINDOWS\l2schemas
2008-10-22 10:59 . 2008-04-14 00:12 712,704 C:\WINDOWS\SYSTEM32\windowscodecs.dll
2008-10-22 10:59 . 2008-04-14 00:12 346,112 C:\WINDOWS\SYSTEM32\windowscodecsext.dll
2008-10-22 10:59 . 2008-04-14 00:12 276,992 C:\WINDOWS\SYSTEM32\wmphoto.dll
2008-10-22 10:59 . 2008-04-14 00:12 69,120 C:\WINDOWS\SYSTEM32\wlanapi.dll
2008-10-22 10:59 . 2008-04-14 00:12 69,120 --a C:\WINDOWS\SYSTEM32\DLLCACHE\wlanapi.dll
2008-10-22 10:59 . 2008-04-14 00:12 53,248 C:\WINDOWS\SYSTEM32\tsgqec.dll
2008-10-22 10:59 . 2008-04-14 00:12 53,248 --a C:\WINDOWS\SYSTEM32\DLLCACHE\tsgqec.dll
2008-10-22 10:59 . 2008-04-14 00:12 50,688 C:\WINDOWS\SYSTEM32\tspkg.dll
2008-10-22 10:59 . 2008-04-14 00:12 50,688 --a C:\WINDOWS\SYSTEM32\DLLCACHE\tspkg.dll
2008-10-22 10:57 . 2008-04-14 00:09 13,463,552 --a C:\WINDOWS\SYSTEM32\DLLCACHE\hwxjpn.dll
2008-10-22 10:56 . 2008-04-13 16:36 144,384 C:\WINDOWS\SYSTEM32\DRIVERS\hdaudbus.sys
2008-10-22 10:55 . 2008-04-14 00:11 650,752 C:\WINDOWS\SYSTEM32\dot3ui.dll
2008-10-22 10:54 . 2008-04-14 00:11 136,192 --a C:\WINDOWS\SYSTEM32\DLLCACHE\aaclient.dll
2008-10-22 10:54 . 2008-04-14 00:11 136,192 C:\WINDOWS\SYSTEM32\aaclient.dll
2008-10-18 10:58 . 2008-10-18 10:58 <DIR> d--hs---- C:\Documents and Settings\another\UserData
2008-10-17 18:32 . 2008-08-14 10:09 2,145,280 --a C:\WINDOWS\SYSTEM32\DLLCACHE\ntkrnlmp.exe
2008-10-17 18:32 . 2008-08-14 09:33 2,023,936 --a C:\WINDOWS\SYSTEM32\DLLCACHE\ntkrpamp.exe
2008-10-16 21:22 . 2008-10-25 21:18 1,393 --a C:\WINDOWS\imsins.BAK
2008-10-14 21:47 . 2008-10-14 21:47 <DIR> d C:\WINDOWS\ERUNT
2008-10-14 21:42 . 2008-10-15 19:04 <DIR> d C:\SDFix
2008-10-13 21:36 . 2008-10-26 12:40 <DIR> d--h C:\$AVG8.VAULT$
2008-10-11 11:19 . 2008-10-23 22:06 <DIR> d C:\Documents and Settings\NetworkService\Application Data\yahoo!
2008-10-11 11:06 . 2008-10-26 12:41 <DIR> d C:\WINDOWS\SYSTEM32\DRIVERS\Avg
2008-10-11 11:06 . 2008-10-11 11:06 <DIR> d C:\Program Files\AVG
2008-10-11 11:06 . 2008-10-11 11:06 <DIR> d C:\Documents and Settings\All Users\Application Data\avg8
2008-10-11 11:06 . 2008-10-11 11:06 97,928 --a C:\WINDOWS\SYSTEM32\DRIVERS\avgldx86.sys
2008-10-11 11:06 . 2008-10-11 11:06 76,040 --a C:\WINDOWS\SYSTEM32\DRIVERS\avgtdix.sys
2008-10-11 11:06 . 2008-10-11 11:06 10,520 --a C:\WINDOWS\SYSTEM32\avgrsstx.dll
2008-10-11 11:00 . 2004-10-15 17:32 83,096 --a C:\WINDOWS\SYSTEM32\SSSensor.dll
2008-10-11 11:00 . 2004-10-15 17:17 60,496 --a C:\WINDOWS\SYSTEM32\DRIVERS\Teefer.sys
2008-10-11 11:00 . 2004-10-15 17:18 21,075 --a C:\WINDOWS\SYSTEM32\DRIVERS\wpsdrvnt.sys
2008-10-11 11:00 . 2004-10-15 17:32 14,568 --a C:\WINDOWS\SYSTEM32\DRIVERS\wg6n.sys
2008-10-11 11:00 . 2004-10-15 17:32 14,568 --a C:\WINDOWS\SYSTEM32\DRIVERS\wg5n.sys
2008-10-11 11:00 . 2004-10-15 17:32 14,568 --a C:\WINDOWS\SYSTEM32\DRIVERS\wg4n.sys
2008-10-11 11:00 . 2004-10-15 17:32 14,568 --a C:\WINDOWS\SYSTEM32\DRIVERS\wg3n.sys
2008-10-11 10:59 . 2008-10-11 10:59 <DIR> d C:\Program Files\Sygate
2008-10-11 10:50 . 2008-10-11 10:50 <DIR> d C:\Program Files\Lavasoft
2008-10-11 10:50 . 2008-10-11 10:53 <DIR> d C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-11 10:48 . 2008-10-11 10:59 <DIR> d C:\Program Files\Common Files\Wise Installation Wizard
2008-10-11 10:33 . 2008-10-26 07:54 <DIR> d-a C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-11 10:32 . 2008-10-11 10:32 <DIR> d C:\Program Files\SpywareBlaster
2008-10-11 10:23 . 2008-10-11 10:25 <DIR> d C:\Program Files\Spybot - Search & Destroy
2008-10-11 10:23 . 2008-10-15 18:05 <DIR> d C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-11 09:41 . 2008-10-11 09:41 <DIR> d C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-10-11 09:39 . 2004-09-24 16:05 <DIR> d C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-10-11 09:39 . 2004-09-24 16:07 <DIR> d C:\Documents and Settings\Administrator\Application Data\Sonic
2008-10-11 09:39 . 2004-09-24 16:02 <DIR> d C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-10-11 09:39 . 2004-09-24 16:07 <DIR> d C:\Documents and Settings\Administrator\Application Data\AOL
2008-10-11 09:39 . 2008-10-11 09:39 <DIR> d C:\Documents and Settings\Administrator
2008-10-11 09:35 . 2008-10-15 20:53 <DIR> d C:\Program Files\Malwarebytes' Anti-Malware
2008-10-11 09:35 . 2008-10-11 09:35 <DIR> d C:\Documents and Settings\another\Application Data\Malwarebytes
2008-10-11 09:35 . 2008-10-11 09:35 <DIR> d C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-11 09:35 . 2008-09-09 23:07 38,528 --a C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-10-11 09:35 . 2008-09-09 23:07 17,200 --a C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-10-11 09:32 . 2008-10-11 09:32 <DIR> d C:\Program Files\Trend Micro
2008-09-30 20:51 . 2008-09-30 20:51 <DIR> d C:\Program Files\Samsung
2008-09-30 20:02 . 2008-09-30 20:02 <DIR> d C:\Program Files\Windows Media Connect 2
2008-09-30 20:00 . 2008-09-30 20:00 <DIR> d C:\WINDOWS\SYSTEM32\LogFiles
2008-09-30 20:00 . 2008-09-30 20:01 <DIR> d C:\WINDOWS\SYSTEM32\DRIVERS\UMDF
2008-09-30 19:15 . 2006-05-03 21:53 174,592 --a C:\WINDOWS\SYSTEM32\framedyn.dll
2008-09-30 19:14 . 2008-09-30 19:15 <DIR> d C:\WINDOWS\SYSTEM32\Samsung_USB_Drivers
2008-09-30 19:14 . 2006-07-24 15:05 5,632 --a C:\WINDOWS\SYSTEM32\DRIVERS\StarOpen.sys
2008-09-30 19:14 . 2005-08-28 19:51 766 --a C:\WINDOWS\SYSTEM32\Uninstall.ico
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-27 22:24 d-----w C:\Program Files\Java
2008-10-02 19:01 d--h--w C:\Program Files\InstallShield Installation Information
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-09-01 19:13 d-----w C:\Documents and Settings\another\Application Data\AdobeUM
((((((((((((((((((((((((((((( snapshot_2008-10-18_11.21.00.31 )))))))))))))))))))))))))))))))))))))))))
I have omitted submitting this section as it would take about a dozen posts to do it - unless you think you need the data on it???
It's easier to get forgiveness than to ask permission
0 -
Here is the second part of the combofix log
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"STManager"="C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" [2003-10-16 118784]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" [2005-08-31 2478080]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2004-09-07 1871872]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2004-02-25 496752]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-09-24 98304]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-02-16 147456]
"EPSON Stylus C64 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE" [2003-05-27 99840]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"PinnacleDriverCheck"="C:\WINDOWS\System32\PSDrvCheck.exe" [2004-03-10 406016]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-07-16 180269]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 114688]
"EPSON Stylus Photo R220 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE" [2005-03-09 98304]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-10-11 1234712]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2008-10-27 136600]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2008-04-14 15360]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-12-14 113664]
AOL 9.0 Tray Icon.lnk - C:\Program Files\AOL 9.0\aoltray.exe [2004-09-24 156784]
BT Yahoo! Help.lnk - C:\Program Files\BT Yahoo\BT Yahoo Help\bin\matcli.exe [2005-05-21 217088]
Exif Launcher.lnk - C:\Program Files\FinePixViewer\QuickDCF.exe [2002-01-09 200704]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= Pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YPAGER.EXE"=
"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\SpeedTouch\\Dr SpeedTouch\\drst.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-10-11 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-10-11 875288]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-10-11 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-10-11 76040]
R2 JavaQuickStarterService;Java Quick Starter;C:\Program Files\Java\jre6\bin\jqs.exe [2008-10-27 152984]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7bef049a-2c00-11dc-a1ea-000e505b3b81}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Toy.exe
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-28 10:09:28
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\vsdatant]
"ImagePath"=""
.
Other Running Processes
.
C:\Program Files\Sygate\SPF\Smc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-10-28 10:23:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-28 10:22:36
ComboFix2.txt 2008-10-18 10:21:45
ComboFix3.txt 2008-10-15 22:04:55
ComboFix4.txt 2008-10-13 19:19:12
Pre-Run: 10,883,166,208 bytes free
Post-Run: 11,014,438,912 bytes free
11393 --- E O F --- 2008-10-25 21:19:05
It's easier to get forgiveness than to ask permission
0 -
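The entry the helper keeps pointing at sits under MountPoints2, the per-volume key Explorer keeps for removable drives, and its Shell\AutoRun\command is what would run on the next insertion of that drive. As an added example (not code from the thread, ComboFix or HijackThis), the following Python reads a constructed fragment of the Reg Loading Points section above, flags every MountPoints2 key carrying such a command, reports what it launches, and writes the matching Registry:: stanza in the CFScript layout used in this thread. The launched-file heuristic assumes the RunDLL32/ShellExec_RunDLL form shown in the log.

```python
"""Flag removable-drive AutoRun leftovers in a ComboFix 'Reg Loading Points' section.

Added example for this thread; not code from the thread, ComboFix or HijackThis.
Input is the REGEDIT4-style text ComboFix prints; output is each MountPoints2
key carrying a Shell\\AutoRun\\command, plus the matching CFScript stanza.
"""
import re

# Constructed sample modelled on the Reg Loading Points section posted above
# (a few entries only; the real section is much longer).
SAMPLE_LOG = r"""REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7bef049a-2c00-11dc-a1ea-000e505b3b81}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Toy.exe
"""

KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
AUTORUN_LINE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(?P<cmd>.+?)\s*$", re.IGNORECASE)
ABS_PATH = re.compile(r"^[A-Za-z]:\\")


def parse_reg_section(text):
    """Return {key: [value lines]} in the order ComboFix printed them."""
    keys = {}
    current = None
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, [])
        elif current is not None and line.strip():
            keys[current].append(line.rstrip())
    return keys


def launched_file(command):
    """What an AutoRun command finally runs.

    The form on this page is 'RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL <file>';
    anything else falls back to the last token (an assumption, not a rule).
    """
    tokens = command.split()
    if len(tokens) >= 3 and tokens[1].lower().endswith("shellexec_rundll"):
        return tokens[2]
    return tokens[-1]


def find_mountpoint_autoruns(text):
    """Every MountPoints2 volume key with an AutoRun command, in log order.

    A relative target (no drive letter) lived on the removable drive itself,
    so searching C: for it will usually find nothing; the key still wants
    deleting so the next insertion of that drive cannot re-trigger it.
    """
    findings = []
    for key, values in parse_reg_section(text).items():
        if "\\mountpoints2\\" not in key.lower():
            continue
        for value in values:
            m = AUTORUN_LINE.match(value)
            if not m:
                continue
            cmd = m.group("cmd")
            target = launched_file(cmd)
            findings.append({
                "key": key,
                "command": cmd,
                "target": target,
                "relative_target": ABS_PATH.match(target) is None,
            })
    return findings


def build_cfscript(findings):
    """CFScript that deletes each flagged key, in the layout used in the thread."""
    lines = ["KillAll::", "Registry::"]
    lines.extend("[-%s]" % f["key"] for f in findings)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = find_mountpoint_autoruns(SAMPLE_LOG)
    for h in hits:
        print("%s -> AutoRun launches %s" % (h["key"], h["target"]))
    print(build_cfscript(hits), end="")
```

Because Toy.exe here is a bare filename, the command resolved it relative to the removable drive's root, which is why a search of the fixed disk may come back empty even though the key is still present.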
And here is the latest hijack this log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:26:48, on 28/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB002" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: BT Yahoo! Help.lnk = C:\Program Files\BT Yahoo\BT Yahoo Help\bin\matcli.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: BT - {69CF4E2C-CA90-40BF-9834-D902C337474B} - http://www.bt.com (file missing) (HKCU)
O9 - Extra button: Homepage - {AC795FE4-7900-434E-B6BF-D02DA157509E} - http://bt.yahoo.com (file missing) (HKCU)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.truprint.co.uk/TruprintActivia.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
--
End of file - 8728 bytes
It's easier to get forgiveness than to ask permission
0 -
Does your friend use AOL?
There appears to be lots of entries for that.
That bloody entry is still there - [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7bef049a-2c00-11dc-a1ea-000e505b3b81}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Toy.exe
Can you show all files and then search for Toy.exe?
What else is wrong?
0