Hi, thanks, everything seems to be working fine.
This is the ComboFix log:
ComboFix 08-02-16.2 - Man U rulz 2008-02-16 15:51:57.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.137 [GMT 0:00]
Running from: C:\Documents and Settings\Man U rulz\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\check_LSA7.txt
C:\Documents and Settings\Man U rulz\Application Data\inst.exe
C:\Documents and Settings\Suhail Aslam.ASLAM.000\Application Data\inst.exe
C:\setup.exe
C:\WINDOWS\adaway.lic
C:\WINDOWS\cookies.ini
C:\WINDOWS\hosts
C:\WINDOWS\system32\config\systemprofile\Application Data\Starware337
C:\WINDOWS\system32\config\systemprofile\Application Data\Starware337\BrowserSearch\BrowserSearch.xml
C:\WINDOWS\system32\config\systemprofile\Application Data\Starware337\BrowserSearch\BrowserSearch.xml.backup
C:\WINDOWS\system32\config\systemprofile\Application Data\Starware337\Configurator\Configurator.xml
C:\WINDOWS\system32\config\systemprofile\Application Data\Starware337\Configurator\Configurator.xml.backup
C:\WINDOWS\system32\config\systemprofile\Application Data\Starware337\Dating\DatingOptions.xml
C:\WINDOWS\system32\config\systemprofile\Application Data\Starware337\Dating\DatingOptions.xml.backup
C:\WINDOWS\system32\config\systemprofile\Application Data\Starware337\ErrorSearch\ErrorSearchOptions.xml
C:\WINDOWS\system32\config\systemprofile\Application Data\Starware337\ErrorSearch\ErrorSearchOptions.xml.backup
C:\WINDOWS\system32\config\systemprofile\Application Data\Starware337\Free_Credit_Score\Free_Credit_ScoreOptions.xml
C:\WINDOWS\system32\config\systemprofile\Application Data\Starware337\Free_Credit_Score\Free_Credit_ScoreOptions.xml.backup
C:\WINDOWS\system32\config\systemprofile\Application Data\Starware337\Layouts\ToolbarLayout.xml
C:\WINDOWS\system32\config\systemprofile\Application Data\Starware337\Layouts\ToolbarLayout.xml.backup
C:\WINDOWS\system32\config\systemprofile\Application Data\Starware337\Manager\ManagerOptions.xml
C:\WINDOWS\system32\config\systemprofile\Application Data\Starware337\Manager\ManagerOptions.xml.backup
C:\WINDOWS\system32\config\systemprofile\Application Data\Starware337\Recipe_RSS\Recipe_RSSOptions.xml
C:\WINDOWS\system32\config\systemprofile\Application Data\Starware337\Recipe_RSS\Recipe_RSSOptions.xml.backup
C:\WINDOWS\system32\config\systemprofile\Application Data\Starware337\Reference\ReferenceOptions.xml
C:\WINDOWS\system32\config\systemprofile\Application Data\Starware337\Reference\ReferenceOptions.xml.backup
C:\WINDOWS\system32\config\systemprofile\Application Data\Starware337\RelatedSearch\RelatedSearchOptions.xml
C:\WINDOWS\system32\config\systemprofile\Application Data\Starware337\RelatedSearch\RelatedSearchOptions.xml.backup
C:\WINDOWS\system32\config\systemprofile\Application Data\Starware337\Ringtones\RingtonesOptions.xml
C:\WINDOWS\system32\config\systemprofile\Application Data\Starware337\Ringtones\RingtonesOptions.xml.backup
C:\WINDOWS\system32\config\systemprofile\Application Data\Starware337\Search_Recipes\Search_RecipesOptions.xml
C:\WINDOWS\system32\config\systemprofile\Application Data\Starware337\Search_Recipes\Search_RecipesOptions.xml.backup
C:\WINDOWS\system32\config\systemprofile\Application Data\Starware337\Toolbar\TBProductsOptions.xml
C:\WINDOWS\system32\config\systemprofile\Application Data\Starware337\Toolbar\TBProductsOptions.xml.backup
C:\WINDOWS\system32\config\systemprofile\Application Data\Starware337\ToolbarLogo\ToolbarLogoOptions.xml
C:\WINDOWS\system32\config\systemprofile\Application Data\Starware337\ToolbarLogo\ToolbarLogoOptions.xml.backup
C:\WINDOWS\system32\config\systemprofile\Application Data\Starware337\ToolbarSearch\ToolbarSearchOptions.xml
C:\WINDOWS\system32\config\systemprofile\Application Data\Starware337\ToolbarSearch\ToolbarSearchOptions.xml.backup
C:\WINDOWS\system32\config\systemprofile\Application Data\Starware337\TravelSearch\TravelSearchOptions.xml
C:\WINDOWS\system32\config\systemprofile\Application Data\Starware337\TravelSearch\TravelSearchOptions.xml.backup
C:\WINDOWS\system32\drivers\sfsync02.sys
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\SYSTEM32\qqtss.ini
C:\WINDOWS\SYSTEM32\qttss.bak1
C:\WINDOWS\SYSTEM32\qttss.ini
C:\WINDOWS\SYSTEM32\srutv.bak1
C:\WINDOWS\SYSTEM32\srutv.ini
C:\WINDOWS\system32\sstqq.dll
C:\WINDOWS\SYSTEM32\sttss.bak1
C:\WINDOWS\SYSTEM32\sttss.bak2
C:\WINDOWS\SYSTEM32\sttss.ini
C:\WINDOWS\system32\x.exe
C:\WINDOWS\SYSTEM32\yycdd.bak1
C:\WINDOWS\SYSTEM32\yycdd.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_SFSYNC02
-------\DomainService
-------\nm
-------\npf
-------\sfsync02
((((((((((((((((((((((((( Files Created from 2008-01-16 to 2008-02-16 )))))))))))))))))))))))))))))))
.
2008-02-15 15:30 . 2008-02-15 15:30 d-------- C:\Documents and Settings\Roohi Aslam\Application Data\Nero
2008-02-15 15:17 . 2008-02-15 15:20 d-------- C:\Documents and Settings\Suhail Aslam.ASLAM.000\DoctorWeb
2008-02-15 15:02 . 2008-02-15 15:02 98,709 --a------ C:\Program Files\udefender_setup.exe
2008-02-15 14:57 . 2008-02-15 14:57 12,288 --a------ C:\Program Files\tmp439187.exe
2008-02-15 14:57 . 2008-02-15 14:57 12,288 --a------ C:\Program Files\tmp438656.exe
2008-02-15 14:57 . 2008-02-15 14:57 12,288 --a------ C:\Program Files\tmp438031.exe
2008-02-15 14:57 . 2008-02-15 14:57 10,240 --a------ C:\Program Files\tmp438093.exe
2008-02-15 14:56 . 2008-02-15 14:56 d-------- C:\Documents and Settings\Man U rulz\Application Data\Nero
2008-02-15 09:26 . 2008-02-15 09:26 12,288 --a------ C:\Program Files\tmp67664125.exe
2008-02-15 09:26 . 2008-02-15 09:26 12,288 --a------ C:\Program Files\tmp67635875.exe
2008-02-15 09:26 . 2008-02-15 09:26 10,240 --a------ C:\Program Files\tmp67659125.exe
2008-02-15 09:26 . 2008-02-15 09:26 10,240 --a------ C:\Program Files\tmp67636500.exe
2008-02-15 09:26 . 2008-02-15 09:26 10,240 --a------ C:\Program Files\tmp67635859.exe
2008-02-15 08:45 . 2008-02-15 08:45 d-------- C:\Documents and Settings\Suhail Aslam.ASLAM.000\Application Data\Nero
2008-02-15 08:41 . 2008-02-15 08:43 d-------- C:\Program Files\Common Files\Nero
2008-02-15 08:41 . 2008-02-15 08:41 d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-02-15 08:09 . 2008-02-15 08:09 d-------- C:\Documents and Settings\Suhail Aslam.ASLAM.000\Application Data\vlc
2008-02-14 11:51 . 2007-05-30 12:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2008-02-14 11:39 . 2008-02-11 19:12 12,800 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\DiagnosticScan.SYS
2008-02-14 09:18 . 2008-02-14 13:27 160,568 --a------ C:\WINDOWS\SYSTEM32\winivstr.exe
2008-02-14 09:11 . 2008-02-14 09:11 6,672 --a------ C:\WINDOWS\SYSTEM32\ibuntu.dll
2008-02-14 09:11 . 2008-02-14 09:11 2,528 --a------ C:\WINDOWS\SYSTEM32\krnllds.sys
2008-02-14 03:01 . 2008-02-14 03:03 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-02-12 18:50 . 2008-02-12 18:50 d-------- C:\Documents and Settings\Aslam and Afshan\Application Data\Apple Computer
2008-02-11 17:58 . 2008-02-11 17:58 d-------- C:\Documents and Settings\Aslam and Afshan\Application Data\Sports Interactive
2008-02-11 17:55 . 2008-02-13 20:12 d-------- C:\Documents and Settings\Aslam and Afshan\Application Data\uTorrent
2008-02-09 10:38 . 2008-02-09 10:38 d-------- C:\bin
2008-02-08 22:59 . 2008-02-09 10:07 179 --a------ C:\handle.dat
2008-02-08 18:29 . 2008-02-08 18:41 43,520 --a------ C:\WINDOWS\SYSTEM32\CmdLineExt03.dll
2008-02-08 18:10 . 2008-02-08 18:10 d-------- C:\Program Files\THQ
2008-02-08 18:07 . 2008-02-15 18:02 d-------- C:\Program Files\MagicDisc
2008-02-08 18:07 . 2008-02-11 23:36 92,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mcdbus.sys
2008-02-08 12:50 . 2008-02-14 13:09 117,366 --a------ C:\WINDOWS\hpoins11.dat
2008-02-04 20:35 . 2008-02-04 20:35 d-------- C:\Documents and Settings\Suhail Aslam.ASLAM.000\Application Data\MailFrontier
2008-02-04 20:31 . 2008-02-08 20:25 13,070,880 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2008-02-04 20:31 . 2008-02-08 20:25 17,444 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx
2008-02-04 20:07 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-02-04 20:06 . 2008-02-04 20:06 d-------- C:\Program Files\Zone Labs
2008-02-04 20:06 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\SYSTEM32\zpeng24.dll
2008-02-04 20:06 . 2008-02-15 17:52 355,091 --a------ C:\WINDOWS\SYSTEM32\vsconfig.xml
2008-02-04 19:25 . 2008-02-14 12:33 d-------- C:\MyBackup
2008-02-04 19:23 . 2008-02-14 13:05 d-------- C:\Program Files\PC Tune-Up
2008-02-02 19:31 . 2008-02-02 19:31 d-------- C:\Documents and Settings\All Users\Application Data\Dell
2008-02-02 19:27 . 2008-02-02 19:27 d-------- C:\WatchNow
2008-01-27 11:42 . 2008-01-27 11:42 d-------- C:\Documents and Settings\Suhail Aslam.ASLAM.000\Application Data\McAfee.com Personal Firewall
2008-01-27 11:36 . 2008-01-27 13:30 17,888 --a------ C:\WINDOWS\SYSTEM32\Status.MPF
2008-01-27 06:50 . 2008-01-27 06:50 d-------- C:\Documents and Settings\Suhail Aslam.ASLAM.000\Application Data\McAfee
2008-01-26 22:21 . 2008-02-04 20:20 d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-01-26 21:37 . 2008-02-04 20:35 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-26 09:36 . 2008-01-26 09:37 d-------- C:\Program Files\CCleaner
2008-01-24 20:05 . 2001-08-17 13:53 6,784 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\serscan.sys
2008-01-24 20:05 . 2001-08-17 13:53 6,784 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\serscan.sys
2008-01-24 20:05 . 2008-01-24 20:05 685 --a------ C:\WINDOWS\hpntwksetup.ini
2008-01-24 20:05 . 2008-01-24 20:05 160 --a------ C:\WINDOWS\SYSTEM32\AddPort.ini
2008-01-24 19:50 . 2008-01-24 19:48 116,734 --------- C:\WINDOWS\hpoins11.dat.temp
2008-01-24 19:50 . 2007-04-19 23:14 11,634 --------- C:\WINDOWS\hpomdl11.dat.temp
2008-01-24 07:45 . 2008-02-15 15:49 d-------- C:\TEMP
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-15 18:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-15 08:41 --------- d-----w C:\Program Files\Nero
2008-02-15 08:05 --------- d-----w C:\Documents and Settings\Suhail Aslam.ASLAM.000\Application Data\uTorrent
2008-02-15 03:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-14 13:51 --------- d-----w C:\Program Files\Trend Micro
2008-02-13 13:20 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-02-13 10:10 --------- d-----w C:\Documents and Settings\Aslam and Afshan\Application Data\HP
2008-02-09 20:00 --------- d-----w C:\Program Files\Google
2008-02-09 18:58 --------- d-----w C:\Documents and Settings\Suhail Aslam.ASLAM.000\Application Data\U3
2008-02-08 17:04 --------- d-----w C:\Documents and Settings\Suhail Aslam.ASLAM.000\Application Data\Apple Computer
2008-02-08 13:06 --------- d-----w C:\Program Files\HP
2008-02-08 13:04 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-02-08 07:25 --------- d-----w C:\Documents and Settings\Suhail Aslam.ASLAM.000\Application Data\LimeWire
2008-02-04 20:32 --------- d-----w C:\Program Files\McAfee.com
2008-02-01 19:52 --------- d-----w C:\Program Files\Microsoft Games
2008-01-26 15:08 --------- d-----w C:\Program Files\Call of Duty
2008-01-26 09:36 --------- d-----w C:\Program Files\Yahoo!
2008-01-25 20:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-01-25 07:27 --------- d-----w C:\Documents and Settings\Suhail Aslam.ASLAM.000\Application Data\HP
2008-01-24 22:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-01-23 22:26 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-08 08:00 --------- d-----w C:\Program Files\EverNote
2008-01-07 19:11 --------- d-----w C:\Program Files\Prism
2008-01-07 19:11 --------- d-----w C:\Documents and Settings\Suhail Aslam.ASLAM.000\Application Data\Prism
2008-01-07 18:03 --------- d-----w C:\Program Files\Paragon Software
2008-01-06 21:57 --------- d-----w C:\Program Files\Norton Security Scan
2008-01-06 21:54 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-06 21:54 --------- d-----w C:\Program Files\Bonjour
2008-01-06 21:53 --------- d-----w C:\Program Files\VB Decompiler Lite
2008-01-06 21:53 --------- d-----w C:\Program Files\Elaborate Bytes
2008-01-06 21:46 --------- d-----w C:\Program Files\Microsoft Expression
2008-01-06 21:38 --------- d-----w C:\Program Files\Jasc Software Inc
2008-01-06 21:34 47,360 ----a-w C:\Documents and Settings\Suhail Aslam.ASLAM.000\Application Data\pcouffin.sys
2008-01-06 21:34 --------- d-----w C:\Program Files\VSO
2008-01-06 21:34 --------- d-----w C:\Documents and Settings\Suhail Aslam.ASLAM.000\Application Data\Vso
2008-01-06 21:30 --------- d-----w C:\Program Files\DS-3200 Wireless Optical Slimline Deskset
2008-01-06 16:36 --------- d-----w C:\Program Files\Windows Live
2008-01-06 16:34 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-06 16:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-01 08:32 --------- d-----w C:\Program Files\Mp3 My Mp3 2.0
2007-12-29 10:33 --------- d-----w C:\Documents and Settings\Aslam and Afshan\Application Data\LimeWire
2007-12-28 20:20 --------- d-----w C:\Documents and Settings\Aslam and Afshan\Application Data\MailFrontier
2007-12-28 20:19 --------- d--h--w C:\Documents and Settings\Aslam and Afshan\Application Data\GTek
2007-12-27 14:33 --------- d-----w C:\Program Files\Java
2007-12-25 14:41 --------- d-----w C:\Program Files\Microsoft XNA
2007-12-25 12:26 --------- d-----w C:\Program Files\Microsoft Silverlight
2007-12-24 23:10 --------- d-----w C:\Program Files\The Game Creators
2007-12-23 23:16 --------- d-----w C:\Program Files\Microsoft Visual Studio 9.0
2007-12-23 23:13 --------- d-----w C:\Program Files\Microsoft Web Designer Tools
2007-12-23 11:35 --------- d-----w C:\Program Files\Common Files\Merge Modules
2007-12-23 11:20 --------- d-----w C:\Program Files\Microsoft Synchronization Services
2007-12-23 11:20 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2007-12-23 11:01 --------- d-----w C:\Program Files\Microsoft SDKs
2007-12-23 10:54 --------- d-----w C:\Program Files\Reference Assemblies
2007-12-23 10:54 --------- d-----w C:\Program Files\MSBuild
2007-12-23 10:40 --------- d-----w C:\Program Files\MSXML 6.0
2007-12-23 09:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-12-22 20:37 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-22 20:11 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-12-18 21:02 --------- d-----w C:\Documents and Settings\Man U rulz\Application Data\U3
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-13 19:09 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-12-04 09:59 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-11-17 21:55 47,360 ----a-w C:\Documents and Settings\Man U rulz\Application Data\pcouffin.sys
2006-07-07 06:14 86,232 ----a-w C:\Documents and Settings\Roohi Aslam\Application Data\GDIPFONTCACHEV1.DAT
2006-05-19 04:37 85,776 ----a-w C:\Documents and Settings\Man U rulz\Application Data\GDIPFONTCACHEV1.DAT
2005-11-16 10:54 32 -c--a-r C:\Documents and Settings\All Users\hash.dat
2002-12-06 09:45 3,336,112 ----a-w C:\Documents and Settings\Suhail Aslam.ASLAM.000\icc2003 setup.exe
2007-08-07 12:12 1,731,977 --sha-w C:\WINDOWS\SYSTEM32\hgjlm.bak1
2007-09-08 13:23 2,020,437 --sha-w C:\WINDOWS\SYSTEM32\hgjlm.bak2
2007-07-06 22:02 1,851,797 --sha-w C:\WINDOWS\SYSTEM32\hgjlm.ini2
2007-09-17 04:17 6,448 --sha-w C:\WINDOWS\SYSTEM32\kjkkj.bak1
2007-09-23 14:54 6,488 --sha-w C:\WINDOWS\SYSTEM32\kjkkj.bak2
2007-09-17 20:51 0 --sh--w C:\WINDOWS\SYSTEM32\kjkkj.ini2
2007-09-13 06:42 2,008,515 --sha-w C:\WINDOWS\SYSTEM32\kjllm.bak1
2007-09-15 08:18 2,012,178 --sha-w C:\WINDOWS\SYSTEM32\kjllm.bak2
2007-09-09 03:08 2,010,394 --sha-w C:\WINDOWS\SYSTEM32\rtstv.bak1
2007-09-10 16:47 6,448 --sha-w C:\WINDOWS\SYSTEM32\rtstv.bak2
2005-07-29 15:24 472 --sha-r C:\WINDOWS\TW9oYW1tYWQgQXNsYW0\nq6CsqYQsqk0krhPsqX.vbs
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [ ]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 13:56 15360]
"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 21:46 135168]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 01:41 49152]
"WireLessMouse"="C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\MouseDrv.exe" [2005-08-30 14:35 303104]
"WireLessKeyboard"="C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\PS2USBKbdDrv.exe" [2005-08-30 10:51 319488]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-12 13:56 15360]
C:\Documents and Settings\Suhail Aslam.ASLAM.000\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-02-08 18:07:15 546816]
C:\Documents and Settings\Aslam and Afshan\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2007-08-16 22:07:08 147456]
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54 98632]
C:\Documents and Settings\Roohi Aslam\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54 98632]
C:\Documents and Settings\Man U rulz\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-02-08 18:07:15 546816]
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54 98632]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 06:56:20 73728]
Run Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe~ [2007-07-09 22:24:38 1134592]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\atwtusb]
--a------ 2005-09-21 18:08 290816 C:\WINDOWS\SYSTEM32\ATWTUSB.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-09-26 00:52 50736 C:\Program Files\Common Files\AOL\1191103640\ee\AOLSoftware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-10-18 11:34 5724184 C:\Program Files\Windows Live\Messenger\MsnMsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-27 08:41 282624 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-08-02 06:38 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-08-07 14:42 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2007-12-03 13:21 3461120 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualCloneDrive]
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HostManager"="C:\Program Files\Common Files\AOL\1136040786\ee\AOLSoftware.exe"
"AOLDialer"=C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"LogitechVideoTray"=C:\Program Files\Logitech\Video\LogiTray.exe
"LogMeIn GUI"="C:\Program Files\LogMeIn\LogMeInSystray.exe"
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
R1 aiptektp;HyperPen;C:\WINDOWS\system32\DRIVERS\aiptektp.sys [2004-07-07 16:02]
R2 EAPPkt;Realtek EAPPkt Protocol;C:\WINDOWS\system32\DRIVERS\EAPPkt.sys [2005-04-01 10:42]
R2 NwSapAgent;SAP Agent;C:\WINDOWS\system32\svchost.exe [2004-08-12 14:06]
S2 0154811202111113mcinstcleanup;McAfee Application Installer Cleanup (0154811202111113);C:\WINDOWS\TEMP\0154811202111113mcinst.exe C:\PROGRA~1\COMMON~1\McAfee\Installer\cleanup.ini -cleanup -nolog []
S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\RaInfo.sys []
S3 InterBaseServer;Firebird Server;C:\Program Files\Firebird\bin\ibserver []
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys []
S3 tcpip_patcher;tcpip_patcher;C:\Program Files\Ares\tcpip_patcher.sys []
S4 dev5_ap1;dev5_ap1;"C:\phpdev5\apache\Apache.exe" []
S4 dev5_ap2;dev5_ap2;"C:\phpdev5\apache2\bin\Apache.exe" []
S4 PCIDPWD;PCIDPWD;C:\WINDOWS\system32\drivers\ahacessr.sys []
S4 vcdrom;Virtual CD-ROM Device Driver;C:\Documents and Settings\Suhail Aslam.ASLAM.000\Desktop\VCdRom.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{306cf31e-0000-11dc-9868-00038a000015}]
\Shell\AutoRun\command - G:\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{91c6192e-f3b2-11db-9855-00038a000015}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{91c61938-f3b2-11db-9855-00038a000015}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
"2008-02-16 02:08:00 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-09-30 11:23:24 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-02-16 16:10:00 C:\WINDOWS\Tasks\User_Feed_Synchronization-{BE38E89A-F225-4F41-B4B9-0911AC44C4FD}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-16 16:04:35
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\wanmpsvc.exe
.
**************************************************************************
.
Completion time: 2008-02-16 16:10:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-16 16:10:11
.
2008-02-15 03:03:44 --- E O F ---
And this is my new HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:10:41, on 16/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\MouseDrv.exe
C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\PS2USBKbdDrv.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\AASDSD\abc.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WireLessMouse] C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\MouseDrv.exe
O4 - HKLM\..\Run: [WireLessKeyboard] C:\Program Files\DS-3200 Wireless Optical Slimline Deskset\PS2USBKbdDrv.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = ?
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: McAfee Application Installer Cleanup (0154811202111113) (0154811202111113mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\0154811202111113mcinst.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Firebird Server (InterBaseServer) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (file missing)
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe (file missing)
O23 - Service: McAfee Scanner (McODS) - Unknown owner - C:\PROGRA~1\McAfee\VirusScan\mcods.exe (file missing)
O23 - Service: McAfee Proxy Service (McProxy) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VirusScan\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VirusScan\mcsysmon.exe (file missing)
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - Unknown owner - C:\Program Files\McAfee\MSK\MskSrver.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 4708 bytes
Can you recommend what I should do to stop this from happening again? I have got Zone Alarm internet security suite already.