Jacee help with HJT Log Please

[jblade]

Hello Jacee and the rest of the gang here, let me start off by saying i need help!

here is my log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:16:16 PM, on 4/24/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
E:\Program Files\Azureus\Azureus.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Carson\Desktop\HiJackThis\HijackThis.exe
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [UnlockerAssistant] "E:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - Global Startup: Azureus Vuze.lnk = E:\Program Files\Azureus\Azureus.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\System32\iassam32.dll
O20 - Winlogon Notify: qoMccYRj - qoMccYRj.dll (file missing)
O23 - Service: Google Update Service (gupdate1c9b31cd9abb7d3) (gupdate1c9b31cd9abb7d3) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 3749 bytes

i wont be able to get back until after work tonight so until then have a great day.

 

[Airbot]

Hi jblade and welcome to Sevenforums,

Just letting you know these are forums for Windows 7, not Windows XP.

 

[Chappy]

Hi Airbot

jblade is here on my invitation, he's a friend from another forum and needed Jacee's help.
Plus we may be able to talk him into trying 7 out...

 

[Airbot]

Ok Chapster..thanks for letting me know.

 

[Chappy]

Sorry about that rather vicious beating I had to give you there Airbot, but I had to do what I had to do...

Anyway, I don't see anything extremely nasty in there, we do have the two items I pointed out to him on the other board we frequent, but I wanted Jacee to apply her formidable skill-set to the task to make sure.

Welcome jblade, and maybe we can talk you into going from that ancient OS to the newest and what we believe will be MS's biggest jump forward since XP SP2.
We find that many who couldn't run Vista are able to run W7 with no major issues too, so maybe you can carve out a partition and give 7 a go.

 

[SqdnGuns]

Malwarebytes should take care of the two problems I see in that log.

O20 - AppInit_DLLs: C:\WINDOWS\System32\iassam32.dll
O20 - Winlogon Notify: qoMccYRj - qoMccYRj.dll (file missing)

 

[Chappy]

Hi sqdnguns

Both the same I saw, but he has run MBAM apparently and yet there they are still, although the Winlogn O20 entry shows File Missing.
I want Jacee to run thru with her other tools on this one as I think something may be lurking beneath the surface since he's having trouble running AV on the system too.

 

[SqdnGuns]

Have him try Dial-a-Fix, one of my former techs wrote this app when he was working for me.

http://wiki.lunarsoft.net/wiki/Dial-a-fix#Mirrors.2Fdownload_locations.2C_and_articles

Have him check the policies button, select unhide and then rescan.

An updated Spybot S&D will actully clean out remnants of items MBAM missed.

 

[Airbot]

Sorry about that rather vicious beating I had to give you there Airbot, but I had to do what I had to do...

lol....that's alright, I had to do what I had to do too.

 

[Jacee]

Hi jblade,
Download Combofix from the link below, and save it to your desktop.<--Important
Link 1
Click on this link Here to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
Next: Disconnect from the internet. If you are on Cable or DSL, unplug your computer from the modem.
Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.


This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

• Double click combofix.exe and follow the prompts.
• When finished, it will produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Please be patient while the scan runs, at times it may appear to stall.
When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.
After rebooting ensure your Security applications have been re-enabled.

In your next reply post:
ComboFix.txt
New HJT log taken after the above scan has run
***A guide and tutorial on "How to use Combofix" can be found here:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

 

[Chappy]

Hi Jacee

Your link to ComboFix doesn't have the closing tag, I'd edit it for you if I could..

 

[Jacee]

The link works for me as a direct download, hopefully it will work for jblade

 

[black dog]

The link works fine for me.

 

[ikilledkenny]

Use the Unlocker Assistant (made for XP) and have it kill the processes.

 

[Jacee]

Please let me help Chappy's friend without any other's chiming in. I'm doing this as a favor for him.

Thank you for understanding,
~ Jacee ~

 

[Chappy]

Thanx Jacee..

BTW, someone fixed the link for you I think, it used to show as {url=xxxxxx} and no closing /url tag but it's fine now.
I know jblade is at work and will get back on this when he's back.

 

[jblade]

ok jacee that sounded so easy i hope i didnt screw it up!

ComboFix 09-04-25.06 - Carson 04/24/2009 23:52.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.382.221 [GMT -7:00]
Running from: c:\documents and settings\Carson\Desktop\ComboFix.exe
FW: ZoneAlarm Pro Firewall *disabled*
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Carson\Application Data\0200000073e65876579C.manifest
c:\documents and settings\Carson\Application Data\0200000073e65876579O.manifest
c:\documents and settings\Carson\Application Data\0200000073e65876579P.manifest
c:\documents and settings\Carson\Application Data\0200000073e65876579S.manifest
c:\documents and settings\Carson\Application Data\inst.exe
c:\windows\GnuHashes.ini
c:\windows\system32\GroupPolicy000.dat
c:\windows\system32\hQtsDcdd.ini
c:\windows\system32\hQtsDcdd.ini2
c:\windows\system32\JjQBJRqr.ini
c:\windows\system32\JjQBJRqr.ini2
c:\windows\system32\mcenspc.dll
c:\windows\system32\tvvCcfii.ini
c:\windows\system32\tvvCcfii.ini2
c:\windows\system32\waIlnUtv.ini
c:\windows\system32\waIlnUtv.ini2
D:\resycled
d:\resycled\boot.com
E:\resycled
e:\resycled\boot.com
.
((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-4-25 )))))))))))))))))))))))))))))))
.
2009-04-23 07:10 . 2004-08-04 12:00 28288 -c--a-w c:\windows\system32\dllcache\xjis.nls
2009-04-23 07:08 . 2004-08-04 12:00 4096 -c--a-w c:\windows\system32\dllcache\rpcref.dll
2009-04-23 07:07 . 2004-08-04 12:00 22016 -c--a-w c:\windows\system32\dllcache\logscrpt.dll
2009-04-23 07:06 . 2004-08-04 12:00 39936 -c--a-w c:\windows\system32\dllcache\hostmib.dll
2009-04-23 07:05 . 2004-08-04 12:00 66082 -c--a-w c:\windows\system32\dllcache\c_20838.nls
2009-04-23 07:04 . 2003-03-24 23:52 188494 -c--a-w c:\windows\system32\dllcache\fpcount.exe
2009-04-23 07:02 . 2009-04-23 07:02 488 ---ha-r c:\windows\system32\logonui.exe.manifest
2009-04-23 07:02 . 2009-04-23 07:02 749 ---ha-r c:\windows\WindowsShell.Manifest
2009-04-23 07:02 . 2009-04-23 07:02 749 ---ha-r c:\windows\system32\wuaucpl.cpl.manifest
2009-04-23 07:02 . 2009-04-23 07:02 749 ---ha-r c:\windows\system32\sapi.cpl.manifest
2009-04-23 07:02 . 2009-04-23 07:02 749 ---ha-r c:\windows\system32\nwc.cpl.manifest
2009-04-23 07:02 . 2009-04-23 07:02 749 ---ha-r c:\windows\system32\ncpa.cpl.manifest
2009-04-22 16:55 . 2009-04-22 16:55 374272 --sha-w c:\windows\system32\90.tmp
2009-04-21 20:54 . 2009-04-21 20:54 374272 --sha-w c:\windows\system32\79.tmp
2009-04-21 17:54 . 2009-04-23 01:25 -------- d-sh--w c:\windows\system32\NetworkService32
2009-04-21 00:54 . 2009-04-21 00:54 374272 --sha-w c:\windows\system32\55.tmp
2009-04-21 00:54 . 2009-04-21 00:54 615 ----a-w c:\windows\system32\6wkBX8Q.vbs
2009-04-18 21:52 . 2006-09-29 18:26 176165 ----a-w c:\windows\system32\drv23260.dll
2009-04-18 21:52 . 2006-09-29 18:25 208935 ----a-w c:\windows\system32\drv33260.dll
2009-04-18 21:52 . 2006-09-29 18:24 217127 ----a-w c:\windows\system32\drv43260.dll
2009-04-18 09:04 . 2009-04-20 04:00 -------- d-----w c:\documents and settings\Carson\Local Settings\Application Data\Corel
2009-04-18 09:03 . 2009-04-20 04:06 2828 --sha-w c:\windows\system32\KGyGaAvL.sys
2009-04-18 09:03 . 2009-04-20 03:51 88 --sha-r c:\windows\system32\480696C863.sys
2009-04-18 09:02 . 2009-04-18 09:03 -------- d-----w c:\documents and settings\Carson\Application Data\Corel
2009-04-18 09:01 . 2009-04-18 09:01 -------- d-----w c:\documents and settings\All Users\Application Data\Corel
2009-04-18 08:43 . 2009-04-18 08:43 -------- d-----w c:\documents and settings\Carson\Application Data\InstallShield
2009-04-15 19:57 . 2009-04-15 19:57 56 ---ha-w c:\windows\system32\ezsidmv.dat
2009-04-15 19:57 . 2009-04-21 21:24 -------- d-----w c:\documents and settings\Carson\Application Data\skypePM
2009-04-15 19:54 . 2009-04-21 21:24 -------- d-----w c:\documents and settings\Carson\Application Data\Skype
2009-04-15 19:53 . 2009-04-15 19:54 -------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-04-06 02:32 . 2009-04-06 02:32 -------- d-----w c:\documents and settings\Carson\Application Data\Publish Providers
2009-04-06 02:30 . 2009-04-06 02:30 -------- d-----w c:\documents and settings\Carson\Local Settings\Application Data\Sony
2009-04-06 02:30 . 2009-04-06 02:30 -------- d-----w c:\documents and settings\Carson\Application Data\Sony
2009-04-06 00:56 . 2009-04-06 02:29 34 ----a-w c:\windows\cdplayer.ini
2009-04-02 23:40 . 2009-04-02 23:40 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-04-01 22:54 . 2009-04-01 22:54 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-04-01 22:54 . 2009-04-18 21:50 -------- d-----w c:\documents and settings\Carson\Local Settings\Application Data\Google
2009-04-01 06:52 . 2009-04-01 06:51 353808 ----a-w c:\windows\sysguard.exe.vir
2009-03-31 04:19 . 2009-03-31 04:19 -------- d-----w c:\documents and settings\Carson\Local Settings\Application Data\WinAVI
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-25 07:03 . 2009-02-11 06:56 -------- d-----w c:\documents and settings\Carson\Application Data\Azureus
2009-04-24 23:30 . 2009-03-04 21:53 -------- d-----w c:\documents and settings\All Users\Application Data\Vso
2009-04-24 11:43 . 2009-02-11 08:27 -------- d-----w c:\documents and settings\Carson\Application Data\Vso
2009-04-24 09:04 . 2009-03-13 09:34 -------- d-----w c:\documents and settings\Carson\Application Data\Any Video Converter Professional
2009-04-24 06:33 . 2009-02-20 00:14 -------- d-----w c:\program files\Trojan Remover
2009-04-23 07:40 . 2009-02-11 06:46 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-23 07:00 . 2009-02-11 06:12 22720 ----a-w c:\windows\system32\emptyregdb.dat
2009-04-23 01:23 . 2009-04-23 01:24 2075136 ----a-w c:\windows\Internet Logs\xDB10.tmp
2009-04-22 22:22 . 2009-02-25 02:02 -------- d-----w c:\documents and settings\Carson\Application Data\LimeWire
2009-04-20 19:27 . 2009-02-11 06:41 4212 ---ha-w c:\windows\system32\zllictbl.dat
2009-04-20 08:57 . 2009-02-25 02:00 -------- d-----w c:\program files\Java
2009-04-20 00:03 . 2009-04-01 22:54 -------- d-----w c:\program files\Google
2009-04-18 21:52 . 2009-04-18 21:52 -------- d-----w c:\program files\vso
2009-04-18 21:44 . 2009-04-18 21:46 68608 ----a-w c:\windows\Internet Logs\xDBE.tmp
2009-04-18 21:44 . 2009-04-18 21:46 3340800 ----a-w c:\windows\Internet Logs\xDBF.tmp
2009-04-18 21:35 . 2009-04-18 21:37 3335680 ----a-w c:\windows\Internet Logs\xDBD.tmp
2009-04-18 21:35 . 2009-04-18 21:37 2895872 ----a-w c:\windows\Internet Logs\xDBC.tmp
2009-04-18 08:57 . 2009-04-18 08:55 -------- d-----w c:\program files\Common Files\Corel
2009-04-15 20:33 . 2009-03-21 06:05 268 ---ha-w C:\sqmdata18.sqm
2009-04-15 20:33 . 2009-03-21 06:05 244 ---ha-w C:\sqmnoopt18.sqm
2009-04-15 19:54 . 2009-04-15 19:54 -------- d-----w c:\program files\Common Files\Skype
2009-04-15 19:54 . 2009-04-15 19:53 -------- d-----r c:\program files\Skype
2009-04-14 04:46 . 2009-03-21 04:13 244 ---ha-w C:\sqmnoopt17.sqm
2009-04-14 04:46 . 2009-03-21 04:13 232 ---ha-w C:\sqmdata17.sqm
2009-04-14 04:46 . 2009-03-21 04:13 244 ---ha-w C:\sqmnoopt16.sqm
2009-04-14 04:46 . 2009-03-21 04:13 232 ---ha-w C:\sqmdata16.sqm
2009-04-11 17:02 . 2009-03-18 21:20 244 ---ha-w C:\sqmnoopt15.sqm
2009-04-11 17:02 . 2009-03-18 21:20 232 ---ha-w C:\sqmdata15.sqm
2009-04-11 00:49 . 2009-03-18 21:08 244 ---ha-w C:\sqmnoopt14.sqm
2009-04-11 00:49 . 2009-03-18 21:08 232 ---ha-w C:\sqmdata14.sqm
2009-04-11 00:46 . 2009-03-18 21:06 232 ---ha-w C:\sqmdata13.sqm
2009-04-11 00:46 . 2009-03-18 21:06 244 ---ha-w C:\sqmnoopt13.sqm
2009-04-09 03:18 . 2009-03-18 17:34 244 ---ha-w C:\sqmnoopt12.sqm
2009-04-09 03:18 . 2009-03-18 17:34 232 ---ha-w C:\sqmdata12.sqm
2009-04-09 03:13 . 2009-03-18 17:32 244 ---ha-w C:\sqmnoopt11.sqm
2009-04-09 03:13 . 2009-03-18 17:32 232 ---ha-w C:\sqmdata11.sqm
2009-04-09 03:08 . 2009-03-17 14:04 232 ---ha-w C:\sqmdata10.sqm
2009-04-09 03:08 . 2009-03-17 14:04 244 ---ha-w C:\sqmnoopt10.sqm
2009-04-06 02:33 . 2009-04-06 02:33 -------- d-----w c:\program files\VSTplugins
2009-04-05 04:00 . 2009-03-17 14:01 244 ---ha-w C:\sqmnoopt09.sqm
2009-04-05 04:00 . 2009-03-17 14:01 232 ---ha-w C:\sqmdata09.sqm
2009-04-04 21:55 . 2009-03-17 14:00 244 ---ha-w C:\sqmnoopt08.sqm
2009-04-04 21:55 . 2009-03-17 14:00 232 ---ha-w C:\sqmdata08.sqm
2009-04-03 07:54 . 2009-04-03 07:56 3200000 ----a-w c:\windows\Internet Logs\xDBB.tmp
2009-04-03 07:54 . 2009-04-03 07:56 2880000 ----a-w c:\windows\Internet Logs\xDBA.tmp
2009-03-30 18:34 . 2009-03-17 00:37 244 ---ha-w C:\sqmnoopt07.sqm
2009-03-30 18:34 . 2009-03-17 00:37 232 ---ha-w C:\sqmdata07.sqm
2009-03-30 18:30 . 2009-03-17 00:36 244 ---ha-w C:\sqmnoopt06.sqm
2009-03-30 18:30 . 2009-03-17 00:36 232 ---ha-w C:\sqmdata06.sqm
2009-03-30 18:25 . 2009-03-15 19:16 232 ---ha-w C:\sqmdata05.sqm
2009-03-30 18:25 . 2009-03-15 19:16 244 ---ha-w C:\sqmnoopt05.sqm
2009-03-30 01:52 . 2009-03-30 01:52 2243609 ----a-w c:\windows\Internet Logs\tvDebug.zip
2009-03-29 09:23 . 2009-02-26 11:04 -------- d-----w c:\documents and settings\Carson\Application Data\dvdcss
2009-03-27 22:16 . 2009-03-14 15:48 244 ---ha-w C:\sqmnoopt04.sqm
2009-03-27 22:16 . 2009-03-14 15:48 232 ---ha-w C:\sqmdata04.sqm
2009-03-27 18:38 . 2009-03-13 15:14 244 ---ha-w C:\sqmnoopt03.sqm
2009-03-27 18:38 . 2009-03-13 15:14 232 ---ha-w C:\sqmdata03.sqm
2009-03-25 04:46 . 2009-03-25 04:46 -------- d-----w c:\documents and settings\Carson\Application Data\TypingMaster7
2009-03-25 04:44 . 2009-03-25 04:44 -------- d-----w c:\program files\Common Files\Adobe
2009-03-24 06:49 . 2009-03-11 17:58 244 ---ha-w C:\sqmnoopt02.sqm
2009-03-24 06:49 . 2009-03-11 17:58 232 ---ha-w C:\sqmdata02.sqm
2009-03-24 06:44 . 2009-03-10 05:04 244 ---ha-w C:\sqmnoopt01.sqm
2009-03-24 06:44 . 2009-03-10 05:04 232 ---ha-w C:\sqmdata01.sqm
2009-03-23 21:12 . 2009-03-23 21:12 135037 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_03_23_13_04_54_small.dmp.zip
2009-03-23 04:45 . 2009-02-11 07:48 -------- d-----w c:\documents and settings\Carson\Application Data\Roxio
2009-03-22 17:41 . 2009-02-23 19:20 232 ---ha-w C:\sqmdata00.sqm
2009-03-22 17:41 . 2009-02-23 19:20 244 ---ha-w C:\sqmnoopt00.sqm
2009-03-21 06:28 . 2009-03-21 06:28 244 ---ha-w C:\sqmnoopt19.sqm
2009-03-21 06:28 . 2009-03-21 06:28 232 ---ha-w C:\sqmdata19.sqm
2009-03-10 06:40 . 2009-03-10 06:40 -------- d-----w c:\documents and settings\Carson\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-03-09 12:19 . 2009-02-25 02:00 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-08 06:19 . 2009-02-11 07:00 27712 ----a-w c:\documents and settings\Carson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-05 00:56 . 2009-03-05 00:56 -------- d-----w c:\program files\Microsoft ActiveSync
2009-03-05 00:55 . 2009-03-05 00:14 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-04 21:52 . 2009-03-04 21:52 47360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2009-03-04 21:52 . 2009-03-04 21:52 47360 ----a-w c:\documents and settings\Carson\Application Data\pcouffin.sys
2009-03-01 06:16 . 2009-03-01 06:16 -------- d-----w c:\documents and settings\Carson\Application Data\ACD Systems
2009-03-01 06:13 . 2009-03-01 06:12 -------- d-----w c:\program files\Common Files\ACD Systems
2009-03-01 06:12 . 2009-03-01 06:12 -------- d-----w c:\documents and settings\All Users\Application Data\ACD Systems
2009-02-28 19:14 . 2009-02-11 06:16 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-02-28 12:38 . 2009-02-28 12:41 2703872 ----a-w c:\windows\Internet Logs\xDB3.tmp
2009-02-28 12:35 . 2009-02-28 12:41 1259008 ----a-w c:\windows\Internet Logs\xDB2.tmp
2009-02-23 00:21 . 2009-02-23 00:23 2853888 ----a-w c:\windows\Internet Logs\xDB9.tmp
2009-02-20 09:03 . 2009-02-20 09:06 2837504 ----a-w c:\windows\Internet Logs\xDB8.tmp
2009-02-20 09:03 . 2009-02-20 09:06 1031168 ----a-w c:\windows\Internet Logs\xDB7.tmp
2009-02-20 00:48 . 2009-02-20 00:48 129024 ----a-w c:\windows\system32\mndnwp.dll.vir
2009-02-20 00:48 . 2009-02-20 00:48 129024 ----a-w c:\windows\system32\ewgbjtvd.dll
2009-02-20 00:45 . 2009-02-20 00:45 72704 ----a-w c:\windows\system32\otbfoqif.dll.vir
2009-02-20 00:44 . 2009-02-20 00:44 302592 ----a-w c:\windows\system32\iifcCvvt.dll.vir
2009-02-19 19:25 . 2009-02-19 19:25 72704 ----a-w c:\windows\system32\kyrxjjgv.dll.vir
2009-02-19 19:22 . 2009-02-19 19:22 129024 ----a-w c:\windows\system32\pmzykc.dll.vir
2009-02-19 19:22 . 2009-02-19 19:22 129024 ----a-w c:\windows\system32\vrdpokqt.dll
2009-02-19 07:23 . 2009-02-19 07:23 129024 ----a-w c:\windows\system32\apdqjk.dll
2009-02-19 07:23 . 2009-02-19 07:23 129024 ----a-w c:\windows\system32\dnubxmop.dll
2009-02-18 17:44 . 2009-02-18 17:46 2802688 ----a-w c:\windows\Internet Logs\xDB6.tmp
2009-02-18 17:44 . 2009-02-18 17:46 2981888 ----a-w c:\windows\Internet Logs\xDB1.tmp
2009-02-18 11:24 . 2009-02-18 11:24 129024 ----a-w c:\windows\system32\hwadqn.dll
2009-02-18 11:24 . 2009-02-18 11:24 129024 ----a-w c:\windows\system32\xjhkfjwg.dll
2009-02-17 23:27 . 2009-02-17 23:28 129024 ----a-w c:\windows\system32\uymafz.dll
2009-02-17 23:27 . 2009-02-17 23:27 129024 ----a-w c:\windows\system32\pvubrcbb.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
2009-03-09 12:18 35840 ----a-w c:\program files\Java\jre6\bin\jp2ssv.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
2009-03-09 12:18 73728 ----a-w c:\program files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="e:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-02-15 1214856]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Azureus Vuze.lnk - e:\program files\Azureus\Azureus.exe [2008-12-13 254976]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\iassam32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"e:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R2 gupdate1c9b31cd9abb7d3;Google Update Service (gupdate1c9b31cd9abb7d3);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-01 133104]
R3 laguna;laguna;c:\windows\system32\DRIVERS\cl546xm.sys [2001-08-17 248064]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-02-11 337800]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2160b7f0-2fac-11de-a2ba-00b0d0925717}]
\Shell\AutoRun\command - G:\rcaeasyrip_setup.exe
\Shell\install\command - G:\rcaeasyrip_setup.exe
\Shell\usermanualEnglish\command - G:\rcaeasyrip_setup.exe /pdf_English
\Shell\usermanualFrench\command - G:\rcaeasyrip_setup.exe /pdf_French
\Shell\usermanualSpanish\command - G:\rcaeasyrip_setup.exe /pdf_Spanish
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cefb84d9-0626-11de-a290-00b0d0925717}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com g:
\Shell\Open\command - g:\resycled\boot.com g:
.
Contents of the 'Scheduled Tasks' folder
2009-04-25 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-01 22:54]
.
- - - - ORPHANS REMOVED - - - -
SharedTaskScheduler-{8C7461EF-2B13-11d2-BE35-3078302C2030} - %SystemRoot%\system32\browseui.dll
ShellExecuteHooks-{AEB6717E-7E19-11d0-97EE-00C04FD91972} - shell32.dll
SSODL-CDBurn-{fbeb8a05-beee-4442-804e-409d6c4515e9} - %SystemRoot%\system32\SHELL32.dll
SSODL-WebCheck-{E6FB5E20-DE35-11CF-9C87-00AA005127ED} - %SystemRoot%\system32\webcheck.dll
Notify-qoMccYRj - qoMccYRj.dll

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: {{FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\Messenger\msmsgs.exe
IE: {{92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\progra~1\MICROS~1\OFFICE11\REFIEBAR.DLL
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - c:\windows\system32\urlmon.dll
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - c:\windows\system32\urlmon.dll
Filter: lzdhtml - {8f6b0360-b80d-11d0-a9b3-006097942311} - c:\windows\system32\urlmon.dll
Handler: http\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: http\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: https\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: https\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: ipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - c:\windows\system32\itss.dll
Handler: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - c:\windows\system32\itss.dll
Handler: msdaipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: msdaipp\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\COMMON~1\Skype\SKYPE4~1.DLL
Handler: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - c:\windows\system32\msvidctl.dll
Name-Space Handler: mk\* - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - c:\windows\system32\itss.dll
FF - ProfilePath - c:\documents and settings\Carson\Application Data\Mozilla\Firefox\Profiles\4xisy04g.default\
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-25 00:02
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\PSIService.exe
c:\windows\system32\ZoneLabs\vsmon.exe
.
**************************************************************************
.
Completion time: 2009-04-25 0:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-25 07:06
Pre-Run: 3,610,501,120 bytes free
Post-Run: 4,154,814,464 bytes free
279


New HJT log taken after the above scan has run

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:08:02 AM, on 4/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Azureus\Azureus.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Carson\Desktop\HiJackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [UnlockerAssistant] "E:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - Global Startup: Azureus Vuze.lnk = E:\Program Files\Azureus\Azureus.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\System32\iassam32.dll
O23 - Service: Google Update Service (gupdate1c9b31cd9abb7d3) (gupdate1c9b31cd9abb7d3) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 4006 bytes

I know I have some weird stuff going on here, whenever i paste a file or move a file msiexec.exe window appears and i have to cancel it twice before my file is moved.

Let me take the time out to thank you chappy, jacee, and the rest of this community for allowing me to present my problems. peace!

 

[brummyfan]

Please let me help Chappy's friend without any other's chiming in. I'm doing this as a favor for him.

Thank you for understanding,
~ Jacee ~

Jacee,could you please stop insulting other members in this forum,if you don't like others taking part please carry on with your personal messages to the original poster. Thank you.

 

[Jacee]

I don't see an anti-virus program running on this machine. Please download either
Avast (free version)
Download FREE antivirus software - avast! Home Edition
or
Avira Antivirus
Avira AntiVir Personal - FREE Antivirus

Which ever one you choose, be sure to update it once installed.

Next, download Malwarebytes' Anti-Malware to your desktop
|MG| Malwarebytes Anti-Malware 1.36

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. Copy and Paste that log into your next reply.

 

[Chappy]

Jacee,could you please stop insulting other members in this forum,if you don't like others taking part please carry on with your personal messages to the original poster. Thank you.

Thanx for your concern about our members but she's simply stating a point that needs pointing out. The following is simply an explanation and NOT intended as anything else.

I asked her for her help for my friend from another forum because she's by far the most skilled HJT person on this and many other forums, and it does get confusing for the OP when too many people try and get them to try a bunch of different ideas. Trained professionals like Jacee (and myself) have a very specific workflow that needs to be followed to achieve the desired results and when the OP is sidetracked, some of these items may be missed and the end result is delayed or changed.

On all forums using trained HJT specialists, once an analyzer begins working with the OP then no others are allowed to post into it to avoid such situations from occurring and keeping the flow on track. It's easy to see by Jacee's tags that she's well versed in this field, and basically we need our members to recognize the fact that she does this professionally and needs to keep things on a very specific track in order to achieve the results the OP needs.

We don't do PM help either, that doesn't give other members the benefit to learn from this by watching a Pro at work, and it also could inspire some members to want to learn just how this is done, so it stays on the board. We simply ask that others watch and learn and try not to interfere with the process please.

While killing the offending processes would seem enough to do the job, it's more complicated than that, and trained analyzers realize this from years of hard work. Malware writers are using very complicated techniques and changing strategies daily and these analyzers have to stay on top of these and the tools needed to find deeply embedded and hidden objects.

So in closing, if Jacee comes off as a bit heavy when asking others to Please not interfere with her work, she's earned the right to do so (as we can easily see) and should respect the fact that she's the best we have at this, and try to learn from her years of experience.

Thank You