Jacee help with HJT Log Please


  1. Posts : 445
    Vista Ult 64bit - Windows 7 Ult 7264 64bit
       #11

    Hi Jacee

    Your link to ComboFix doesn't have the closing tag, I'd edit it for you if I could..


  2. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #12

    The link works for me as a direct download, hopefully it will work for jblade


  3. Posts : 108
    7068 64 bit + XP Pro
       #13

    The link works fine for me.


  4. Posts : 918
    Windows 7 Professional, Windows Longhorn 4074
       #14

    Use the Unlocker Assistant (made for XP) and have it kill the processes.


  5. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #15

    Please let me help Chappy's friend without any others chiming in. I'm doing this as a favor for him.

    Thank you for understanding,
    ~ Jacee ~ :)


  6. Posts : 445
    Vista Ult 64bit - Windows 7 Ult 7264 64bit
       #16

    Thanx Jacee..:)

    BTW, someone fixed the link for you I think, it used to show as {url=xxxxxx} and no closing /url tag but it's fine now.
    I know jblade is at work and will get back on this when he's back.


  7. Posts : 11
    xp
    Thread Starter
       #17

    OK Jacee, that sounded so easy, I hope I didn't screw it up!

    ComboFix 09-04-25.06 - Carson 04/24/2009 23:52.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.382.221 [GMT -7:00]
    Running from: c:\documents and settings\Carson\Desktop\ComboFix.exe
    FW: ZoneAlarm Pro Firewall *disabled*
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\documents and settings\Carson\Application Data\0200000073e65876579C.manifest
    c:\documents and settings\Carson\Application Data\0200000073e65876579O.manifest
    c:\documents and settings\Carson\Application Data\0200000073e65876579P.manifest
    c:\documents and settings\Carson\Application Data\0200000073e65876579S.manifest
    c:\documents and settings\Carson\Application Data\inst.exe
    c:\windows\GnuHashes.ini
    c:\windows\system32\GroupPolicy000.dat
    c:\windows\system32\hQtsDcdd.ini
    c:\windows\system32\hQtsDcdd.ini2
    c:\windows\system32\JjQBJRqr.ini
    c:\windows\system32\JjQBJRqr.ini2
    c:\windows\system32\mcenspc.dll
    c:\windows\system32\tvvCcfii.ini
    c:\windows\system32\tvvCcfii.ini2
    c:\windows\system32\waIlnUtv.ini
    c:\windows\system32\waIlnUtv.ini2
    D:\resycled
    d:\resycled\boot.com
    E:\resycled
    e:\resycled\boot.com
    .
    ((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-4-25 )))))))))))))))))))))))))))))))
    .
    2009-04-23 07:10 . 2004-08-04 12:00 28288 -c--a-w c:\windows\system32\dllcache\xjis.nls
    2009-04-23 07:08 . 2004-08-04 12:00 4096 -c--a-w c:\windows\system32\dllcache\rpcref.dll
    2009-04-23 07:07 . 2004-08-04 12:00 22016 -c--a-w c:\windows\system32\dllcache\logscrpt.dll
    2009-04-23 07:06 . 2004-08-04 12:00 39936 -c--a-w c:\windows\system32\dllcache\hostmib.dll
    2009-04-23 07:05 . 2004-08-04 12:00 66082 -c--a-w c:\windows\system32\dllcache\c_20838.nls
    2009-04-23 07:04 . 2003-03-24 23:52 188494 -c--a-w c:\windows\system32\dllcache\fpcount.exe
    2009-04-23 07:02 . 2009-04-23 07:02 488 ---ha-r c:\windows\system32\logonui.exe.manifest
    2009-04-23 07:02 . 2009-04-23 07:02 749 ---ha-r c:\windows\WindowsShell.Manifest
    2009-04-23 07:02 . 2009-04-23 07:02 749 ---ha-r c:\windows\system32\wuaucpl.cpl.manifest
    2009-04-23 07:02 . 2009-04-23 07:02 749 ---ha-r c:\windows\system32\sapi.cpl.manifest
    2009-04-23 07:02 . 2009-04-23 07:02 749 ---ha-r c:\windows\system32\nwc.cpl.manifest
    2009-04-23 07:02 . 2009-04-23 07:02 749 ---ha-r c:\windows\system32\ncpa.cpl.manifest
    2009-04-22 16:55 . 2009-04-22 16:55 374272 --sha-w c:\windows\system32\90.tmp
    2009-04-21 20:54 . 2009-04-21 20:54 374272 --sha-w c:\windows\system32\79.tmp
    2009-04-21 17:54 . 2009-04-23 01:25 -------- d-sh--w c:\windows\system32\NetworkService32
    2009-04-21 00:54 . 2009-04-21 00:54 374272 --sha-w c:\windows\system32\55.tmp
    2009-04-21 00:54 . 2009-04-21 00:54 615 ----a-w c:\windows\system32\6wkBX8Q.vbs
    2009-04-18 21:52 . 2006-09-29 18:26 176165 ----a-w c:\windows\system32\drv23260.dll
    2009-04-18 21:52 . 2006-09-29 18:25 208935 ----a-w c:\windows\system32\drv33260.dll
    2009-04-18 21:52 . 2006-09-29 18:24 217127 ----a-w c:\windows\system32\drv43260.dll
    2009-04-18 09:04 . 2009-04-20 04:00 -------- d-----w c:\documents and settings\Carson\Local Settings\Application Data\Corel
    2009-04-18 09:03 . 2009-04-20 04:06 2828 --sha-w c:\windows\system32\KGyGaAvL.sys
    2009-04-18 09:03 . 2009-04-20 03:51 88 --sha-r c:\windows\system32\480696C863.sys
    2009-04-18 09:02 . 2009-04-18 09:03 -------- d-----w c:\documents and settings\Carson\Application Data\Corel
    2009-04-18 09:01 . 2009-04-18 09:01 -------- d-----w c:\documents and settings\All Users\Application Data\Corel
    2009-04-18 08:43 . 2009-04-18 08:43 -------- d-----w c:\documents and settings\Carson\Application Data\InstallShield
    2009-04-15 19:57 . 2009-04-15 19:57 56 ---ha-w c:\windows\system32\ezsidmv.dat
    2009-04-15 19:57 . 2009-04-21 21:24 -------- d-----w c:\documents and settings\Carson\Application Data\skypePM
    2009-04-15 19:54 . 2009-04-21 21:24 -------- d-----w c:\documents and settings\Carson\Application Data\Skype
    2009-04-15 19:53 . 2009-04-15 19:54 -------- d-----w c:\documents and settings\All Users\Application Data\Skype
    2009-04-06 02:32 . 2009-04-06 02:32 -------- d-----w c:\documents and settings\Carson\Application Data\Publish Providers
    2009-04-06 02:30 . 2009-04-06 02:30 -------- d-----w c:\documents and settings\Carson\Local Settings\Application Data\Sony
    2009-04-06 02:30 . 2009-04-06 02:30 -------- d-----w c:\documents and settings\Carson\Application Data\Sony
    2009-04-06 00:56 . 2009-04-06 02:29 34 ----a-w c:\windows\cdplayer.ini
    2009-04-02 23:40 . 2009-04-02 23:40 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Google
    2009-04-01 22:54 . 2009-04-01 22:54 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Google
    2009-04-01 22:54 . 2009-04-18 21:50 -------- d-----w c:\documents and settings\Carson\Local Settings\Application Data\Google
    2009-04-01 06:52 . 2009-04-01 06:51 353808 ----a-w c:\windows\sysguard.exe.vir
    2009-03-31 04:19 . 2009-03-31 04:19 -------- d-----w c:\documents and settings\Carson\Local Settings\Application Data\WinAVI
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-04-25 07:03 . 2009-02-11 06:56 -------- d-----w c:\documents and settings\Carson\Application Data\Azureus
    2009-04-24 23:30 . 2009-03-04 21:53 -------- d-----w c:\documents and settings\All Users\Application Data\Vso
    2009-04-24 11:43 . 2009-02-11 08:27 -------- d-----w c:\documents and settings\Carson\Application Data\Vso
    2009-04-24 09:04 . 2009-03-13 09:34 -------- d-----w c:\documents and settings\Carson\Application Data\Any Video Converter Professional
    2009-04-24 06:33 . 2009-02-20 00:14 -------- d-----w c:\program files\Trojan Remover
    2009-04-23 07:40 . 2009-02-11 06:46 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
    2009-04-23 07:00 . 2009-02-11 06:12 22720 ----a-w c:\windows\system32\emptyregdb.dat
    2009-04-23 01:23 . 2009-04-23 01:24 2075136 ----a-w c:\windows\Internet Logs\xDB10.tmp
    2009-04-22 22:22 . 2009-02-25 02:02 -------- d-----w c:\documents and settings\Carson\Application Data\LimeWire
    2009-04-20 19:27 . 2009-02-11 06:41 4212 ---ha-w c:\windows\system32\zllictbl.dat
    2009-04-20 08:57 . 2009-02-25 02:00 -------- d-----w c:\program files\Java
    2009-04-20 00:03 . 2009-04-01 22:54 -------- d-----w c:\program files\Google
    2009-04-18 21:52 . 2009-04-18 21:52 -------- d-----w c:\program files\vso
    2009-04-18 21:44 . 2009-04-18 21:46 68608 ----a-w c:\windows\Internet Logs\xDBE.tmp
    2009-04-18 21:44 . 2009-04-18 21:46 3340800 ----a-w c:\windows\Internet Logs\xDBF.tmp
    2009-04-18 21:35 . 2009-04-18 21:37 3335680 ----a-w c:\windows\Internet Logs\xDBD.tmp
    2009-04-18 21:35 . 2009-04-18 21:37 2895872 ----a-w c:\windows\Internet Logs\xDBC.tmp
    2009-04-18 08:57 . 2009-04-18 08:55 -------- d-----w c:\program files\Common Files\Corel
    2009-04-15 20:33 . 2009-03-21 06:05 268 ---ha-w C:\sqmdata18.sqm
    2009-04-15 20:33 . 2009-03-21 06:05 244 ---ha-w C:\sqmnoopt18.sqm
    2009-04-15 19:54 . 2009-04-15 19:54 -------- d-----w c:\program files\Common Files\Skype
    2009-04-15 19:54 . 2009-04-15 19:53 -------- d-----r c:\program files\Skype
    2009-04-14 04:46 . 2009-03-21 04:13 244 ---ha-w C:\sqmnoopt17.sqm
    2009-04-14 04:46 . 2009-03-21 04:13 232 ---ha-w C:\sqmdata17.sqm
    2009-04-14 04:46 . 2009-03-21 04:13 244 ---ha-w C:\sqmnoopt16.sqm
    2009-04-14 04:46 . 2009-03-21 04:13 232 ---ha-w C:\sqmdata16.sqm
    2009-04-11 17:02 . 2009-03-18 21:20 244 ---ha-w C:\sqmnoopt15.sqm
    2009-04-11 17:02 . 2009-03-18 21:20 232 ---ha-w C:\sqmdata15.sqm
    2009-04-11 00:49 . 2009-03-18 21:08 244 ---ha-w C:\sqmnoopt14.sqm
    2009-04-11 00:49 . 2009-03-18 21:08 232 ---ha-w C:\sqmdata14.sqm
    2009-04-11 00:46 . 2009-03-18 21:06 232 ---ha-w C:\sqmdata13.sqm
    2009-04-11 00:46 . 2009-03-18 21:06 244 ---ha-w C:\sqmnoopt13.sqm
    2009-04-09 03:18 . 2009-03-18 17:34 244 ---ha-w C:\sqmnoopt12.sqm
    2009-04-09 03:18 . 2009-03-18 17:34 232 ---ha-w C:\sqmdata12.sqm
    2009-04-09 03:13 . 2009-03-18 17:32 244 ---ha-w C:\sqmnoopt11.sqm
    2009-04-09 03:13 . 2009-03-18 17:32 232 ---ha-w C:\sqmdata11.sqm
    2009-04-09 03:08 . 2009-03-17 14:04 232 ---ha-w C:\sqmdata10.sqm
    2009-04-09 03:08 . 2009-03-17 14:04 244 ---ha-w C:\sqmnoopt10.sqm
    2009-04-06 02:33 . 2009-04-06 02:33 -------- d-----w c:\program files\VSTplugins
    2009-04-05 04:00 . 2009-03-17 14:01 244 ---ha-w C:\sqmnoopt09.sqm
    2009-04-05 04:00 . 2009-03-17 14:01 232 ---ha-w C:\sqmdata09.sqm
    2009-04-04 21:55 . 2009-03-17 14:00 244 ---ha-w C:\sqmnoopt08.sqm
    2009-04-04 21:55 . 2009-03-17 14:00 232 ---ha-w C:\sqmdata08.sqm
    2009-04-03 07:54 . 2009-04-03 07:56 3200000 ----a-w c:\windows\Internet Logs\xDBB.tmp
    2009-04-03 07:54 . 2009-04-03 07:56 2880000 ----a-w c:\windows\Internet Logs\xDBA.tmp
    2009-03-30 18:34 . 2009-03-17 00:37 244 ---ha-w C:\sqmnoopt07.sqm
    2009-03-30 18:34 . 2009-03-17 00:37 232 ---ha-w C:\sqmdata07.sqm
    2009-03-30 18:30 . 2009-03-17 00:36 244 ---ha-w C:\sqmnoopt06.sqm
    2009-03-30 18:30 . 2009-03-17 00:36 232 ---ha-w C:\sqmdata06.sqm
    2009-03-30 18:25 . 2009-03-15 19:16 232 ---ha-w C:\sqmdata05.sqm
    2009-03-30 18:25 . 2009-03-15 19:16 244 ---ha-w C:\sqmnoopt05.sqm
    2009-03-30 01:52 . 2009-03-30 01:52 2243609 ----a-w c:\windows\Internet Logs\tvDebug.zip
    2009-03-29 09:23 . 2009-02-26 11:04 -------- d-----w c:\documents and settings\Carson\Application Data\dvdcss
    2009-03-27 22:16 . 2009-03-14 15:48 244 ---ha-w C:\sqmnoopt04.sqm
    2009-03-27 22:16 . 2009-03-14 15:48 232 ---ha-w C:\sqmdata04.sqm
    2009-03-27 18:38 . 2009-03-13 15:14 244 ---ha-w C:\sqmnoopt03.sqm
    2009-03-27 18:38 . 2009-03-13 15:14 232 ---ha-w C:\sqmdata03.sqm
    2009-03-25 04:46 . 2009-03-25 04:46 -------- d-----w c:\documents and settings\Carson\Application Data\TypingMaster7
    2009-03-25 04:44 . 2009-03-25 04:44 -------- d-----w c:\program files\Common Files\Adobe
    2009-03-24 06:49 . 2009-03-11 17:58 244 ---ha-w C:\sqmnoopt02.sqm
    2009-03-24 06:49 . 2009-03-11 17:58 232 ---ha-w C:\sqmdata02.sqm
    2009-03-24 06:44 . 2009-03-10 05:04 244 ---ha-w C:\sqmnoopt01.sqm
    2009-03-24 06:44 . 2009-03-10 05:04 232 ---ha-w C:\sqmdata01.sqm
    2009-03-23 21:12 . 2009-03-23 21:12 135037 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_03_23_13_04_54_small.dmp.zip
    2009-03-23 04:45 . 2009-02-11 07:48 -------- d-----w c:\documents and settings\Carson\Application Data\Roxio
    2009-03-22 17:41 . 2009-02-23 19:20 232 ---ha-w C:\sqmdata00.sqm
    2009-03-22 17:41 . 2009-02-23 19:20 244 ---ha-w C:\sqmnoopt00.sqm
    2009-03-21 06:28 . 2009-03-21 06:28 244 ---ha-w C:\sqmnoopt19.sqm
    2009-03-21 06:28 . 2009-03-21 06:28 232 ---ha-w C:\sqmdata19.sqm
    2009-03-10 06:40 . 2009-03-10 06:40 -------- d-----w c:\documents and settings\Carson\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    2009-03-09 12:19 . 2009-02-25 02:00 410984 ----a-w c:\windows\system32\deploytk.dll
    2009-03-08 06:19 . 2009-02-11 07:00 27712 ----a-w c:\documents and settings\Carson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-03-05 00:56 . 2009-03-05 00:56 -------- d-----w c:\program files\Microsoft ActiveSync
    2009-03-05 00:55 . 2009-03-05 00:14 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-03-04 21:52 . 2009-03-04 21:52 47360 ----a-w c:\windows\system32\drivers\pcouffin.sys
    2009-03-04 21:52 . 2009-03-04 21:52 47360 ----a-w c:\documents and settings\Carson\Application Data\pcouffin.sys
    2009-03-01 06:16 . 2009-03-01 06:16 -------- d-----w c:\documents and settings\Carson\Application Data\ACD Systems
    2009-03-01 06:13 . 2009-03-01 06:12 -------- d-----w c:\program files\Common Files\ACD Systems
    2009-03-01 06:12 . 2009-03-01 06:12 -------- d-----w c:\documents and settings\All Users\Application Data\ACD Systems
    2009-02-28 19:14 . 2009-02-11 06:16 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2009-02-28 12:38 . 2009-02-28 12:41 2703872 ----a-w c:\windows\Internet Logs\xDB3.tmp
    2009-02-28 12:35 . 2009-02-28 12:41 1259008 ----a-w c:\windows\Internet Logs\xDB2.tmp
    2009-02-23 00:21 . 2009-02-23 00:23 2853888 ----a-w c:\windows\Internet Logs\xDB9.tmp
    2009-02-20 09:03 . 2009-02-20 09:06 2837504 ----a-w c:\windows\Internet Logs\xDB8.tmp
    2009-02-20 09:03 . 2009-02-20 09:06 1031168 ----a-w c:\windows\Internet Logs\xDB7.tmp
    2009-02-20 00:48 . 2009-02-20 00:48 129024 ----a-w c:\windows\system32\mndnwp.dll.vir
    2009-02-20 00:48 . 2009-02-20 00:48 129024 ----a-w c:\windows\system32\ewgbjtvd.dll
    2009-02-20 00:45 . 2009-02-20 00:45 72704 ----a-w c:\windows\system32\otbfoqif.dll.vir
    2009-02-20 00:44 . 2009-02-20 00:44 302592 ----a-w c:\windows\system32\iifcCvvt.dll.vir
    2009-02-19 19:25 . 2009-02-19 19:25 72704 ----a-w c:\windows\system32\kyrxjjgv.dll.vir
    2009-02-19 19:22 . 2009-02-19 19:22 129024 ----a-w c:\windows\system32\pmzykc.dll.vir
    2009-02-19 19:22 . 2009-02-19 19:22 129024 ----a-w c:\windows\system32\vrdpokqt.dll
    2009-02-19 07:23 . 2009-02-19 07:23 129024 ----a-w c:\windows\system32\apdqjk.dll
    2009-02-19 07:23 . 2009-02-19 07:23 129024 ----a-w c:\windows\system32\dnubxmop.dll
    2009-02-18 17:44 . 2009-02-18 17:46 2802688 ----a-w c:\windows\Internet Logs\xDB6.tmp
    2009-02-18 17:44 . 2009-02-18 17:46 2981888 ----a-w c:\windows\Internet Logs\xDB1.tmp
    2009-02-18 11:24 . 2009-02-18 11:24 129024 ----a-w c:\windows\system32\hwadqn.dll
    2009-02-18 11:24 . 2009-02-18 11:24 129024 ----a-w c:\windows\system32\xjhkfjwg.dll
    2009-02-17 23:27 . 2009-02-17 23:28 129024 ----a-w c:\windows\system32\uymafz.dll
    2009-02-17 23:27 . 2009-02-17 23:27 129024 ----a-w c:\windows\system32\pvubrcbb.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
    2009-03-09 12:18 35840 ----a-w c:\program files\Java\jre6\bin\jp2ssv.dll
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
    2009-03-09 12:18 73728 ----a-w c:\program files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UnlockerAssistant"="e:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
    "TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-02-15 1214856]
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Azureus Vuze.lnk - e:\program files\Azureus\Azureus.exe [2008-12-13 254976]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\System32\iassam32.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "e:\\Program Files\\Azureus\\Azureus.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=
    "e:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    R2 gupdate1c9b31cd9abb7d3;Google Update Service (gupdate1c9b31cd9abb7d3);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-01 133104]
    R3 laguna;laguna;c:\windows\system32\DRIVERS\cl546xm.sys [2001-08-17 248064]
    R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-02-11 337800]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2160b7f0-2fac-11de-a2ba-00b0d0925717}]
    \Shell\AutoRun\command - G:\rcaeasyrip_setup.exe
    \Shell\install\command - G:\rcaeasyrip_setup.exe
    \Shell\usermanualEnglish\command - G:\rcaeasyrip_setup.exe /pdf_English
    \Shell\usermanualFrench\command - G:\rcaeasyrip_setup.exe /pdf_French
    \Shell\usermanualSpanish\command - G:\rcaeasyrip_setup.exe /pdf_Spanish
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cefb84d9-0626-11de-a290-00b0d0925717}]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com g:
    \Shell\Open\command - g:\resycled\boot.com g:
    .
    Contents of the 'Scheduled Tasks' folder
    2009-04-25 c:\windows\Tasks\GoogleUpdateTaskMachine.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-01 22:54]
    .
    - - - - ORPHANS REMOVED - - - -
    SharedTaskScheduler-{8C7461EF-2B13-11d2-BE35-3078302C2030} - %SystemRoot%\system32\browseui.dll
    ShellExecuteHooks-{AEB6717E-7E19-11d0-97EE-00C04FD91972} - shell32.dll
    SSODL-CDBurn-{fbeb8a05-beee-4442-804e-409d6c4515e9} - %SystemRoot%\system32\SHELL32.dll
    SSODL-WebCheck-{E6FB5E20-DE35-11CF-9C87-00AA005127ED} - %SystemRoot%\system32\webcheck.dll
    Notify-qoMccYRj - qoMccYRj.dll

    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    IE: {{FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\Messenger\msmsgs.exe
    IE: {{92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\progra~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - c:\windows\system32\urlmon.dll
    Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - c:\windows\system32\urlmon.dll
    Filter: lzdhtml - {8f6b0360-b80d-11d0-a9b3-006097942311} - c:\windows\system32\urlmon.dll
    Handler: http\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
    Handler: http\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
    Handler: https\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
    Handler: https\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
    Handler: ipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
    Handler: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - c:\windows\system32\itss.dll
    Handler: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - c:\windows\system32\itss.dll
    Handler: msdaipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
    Handler: msdaipp\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\COMMON~1\Skype\SKYPE4~1.DLL
    Handler: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - c:\windows\system32\msvidctl.dll
    Name-Space Handler: mk\* - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - c:\windows\system32\itss.dll
    FF - ProfilePath - c:\documents and settings\Carson\Application Data\Mozilla\Firefox\Profiles\4xisy04g.default\
    FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
    .
    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-04-25 00:02
    Windows 5.1.2600 Service Pack 2 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\PSIService.exe
    c:\windows\system32\ZoneLabs\vsmon.exe
    .
    **************************************************************************
    .
    Completion time: 2009-04-25 0:06 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-04-25 07:06
    Pre-Run: 3,610,501,120 bytes free
    Post-Run: 4,154,814,464 bytes free
    279


    New HJT log taken after the above scan has run

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:08:02 AM, on 4/25/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\wuauclt.exe
    E:\Program Files\Azureus\Azureus.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Documents and Settings\Carson\Desktop\HiJackThis\HijackThis.exe
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [UnlockerAssistant] "E:\Program Files\Unlocker\UnlockerAssistant.exe" -H
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
    O4 - Global Startup: Azureus Vuze.lnk = E:\Program Files\Azureus\Azureus.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: C:\WINDOWS\System32\iassam32.dll
    O23 - Service: Google Update Service (gupdate1c9b31cd9abb7d3) (gupdate1c9b31cd9abb7d3) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    --
    End of file - 4006 bytes

    I know I have some weird stuff going on here: whenever I paste a file or move a file, an msiexec.exe window appears and I have to cancel it twice before my file is moved.

    Let me take the time out to thank you Chappy, Jacee, and the rest of this community for allowing me to present my problems. Peace!
    Last edited by jblade; 25 Apr 2009 at 04:06.


  8. Posts : 323
    Windows 7 Home Premium 64bit
       #18

    Jacee said:
    Please let me help Chappy's friend without any others chiming in. I'm doing this as a favor for him.

    Thank you for understanding,
    ~ Jacee ~ :)
    Jacee, could you please stop insulting other members in this forum. If you don't like others taking part, please carry on with your personal messages to the original poster. Thank you.


  9. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #19

    I don't see an anti-virus program running on this machine. Please download either
    Avast (free version)
    Download FREE antivirus software - avast! Home Edition
    or
    Avira Antivirus
    Avira AntiVir Personal - FREE Antivirus

    Whichever one you choose, be sure to update it once installed.

    Next, download Malwarebytes' Anti-Malware to your desktop
    |MG| Malwarebytes Anti-Malware 1.36

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad. Please save it to a convenient location. Copy and Paste that log into your next reply.


  10. Posts : 445
    Vista Ult 64bit - Windows 7 Ult 7264 64bit
       #20

    brummyfan said:
    Jacee, could you please stop insulting other members in this forum. If you don't like others taking part, please carry on with your personal messages to the original poster. Thank you.
    Thanx for your concern about our members but she's simply stating a point that needs pointing out. The following is simply an explanation and NOT intended as anything else.

    I asked her for her help for my friend from another forum because she's by far the most skilled HJT person on this and many other forums, and it does get confusing for the OP when too many people try and get them to try a bunch of different ideas. Trained professionals like Jacee (and myself) have a very specific workflow that needs to be followed to achieve the desired results and when the OP is sidetracked, some of these items may be missed and the end result is delayed or changed.

    On all forums using trained HJT specialists, once an analyzer begins working with the OP then no others are allowed to post into it to avoid such situations from occurring and keeping the flow on track. It's easy to see by Jacee's tags that she's well versed in this field, and basically we need our members to recognize the fact that she does this professionally and needs to keep things on a very specific track in order to achieve the results the OP needs.

    We don't do PM help either, that doesn't give other members the benefit to learn from this by watching a Pro at work, and it also could inspire some members to want to learn just how this is done, so it stays on the board. We simply ask that others watch and learn and try not to interfere with the process please.

    While killing the offending processes would seem enough to do the job, it's more complicated than that, and trained analyzers realize this from years of hard work. Malware writers are using very complicated techniques and changing strategies daily and these analyzers have to stay on top of these and the tools needed to find deeply embedded and hidden objects.

    So in closing, if Jacee comes off as a bit heavy when asking others to Please not interfere with her work, she's earned the right to do so (as we can easily see) and should respect the fact that she's the best we have at this, and try to learn from her years of experience.

    Thank You


 
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd