Full Version: Lots And Lots Of Problems
Lavasoft Support Forums > Archived Topics > Archives: Resolved/Inactive Topics > Resolved/Inactive HijackThis Logs
fullofbull`


Please help. Below is the HJT log.

Thanks

Logfile of HijackThis v1.99.1
Scan saved at 7:53:52 PM, on 6/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\webHancer\Programs\whagent.exe
C:\WINDOWS\retadpu1000272.exe
C:\WINDOWS\avp.exe
C:\Documents and Settings\All Users\Application Data\gtcfaxaz.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\DOCUME~1\ADMINI~1\MYDOCU~1\SSEMBL~1\dllhost.exe
C:\Program Files\Web Buying\v1.7.4\webbuying.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\smgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [licli] li.exe
O4 - HKLM\..\Run: [6781e40a.exe] C:\WINDOWS\System32\6781e40a.exe
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINDOWS\System32\algs.exe
O4 - HKLM\..\Run: [rfaotlsA] C:\WINDOWS\rfaotlsA.exe
O4 - HKLM\..\Run: [{1C-CA-A2-2E-ZN}] c:\windows\system32\dwdsregt.exe CHD001
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [gtcfaxaz.exe] C:\Documents and Settings\All Users\Application Data\gtcfaxaz.exe
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [6781e40a.exe] C:\Documents and Settings\Administrator\Local Settings\Application Data\6781e40a.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [Ncao] "C:\DOCUME~1\ADMINI~1\MYDOCU~1\SSEMBL~1\dllhost.exe" -vt yazb
O4 - HKCU\..\Run: [Ljchl] C:\WINDOWS\system32\?icrosoft.NET\c?rss.exe
O4 - HKCU\..\Run: [Xfbbnh] C:\WINDOWS\??sembly\?serinit.exe
O4 - HKCU\..\Run: [Ultimate Cleaner.install] "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SNGJOHGV\ucleaner_uTFZV47G8K[1].exe" continue
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.7.4\webbuying.exe
O4 - Startup: TA_Start.lnk = ?
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\lwinondt.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\rfaotls.exe (file missing)

jurgenv
* Please download LSPfix from here:
http://www.downloads.subratam.org/lspfix.zip
Unzip it to the desktop and run it. Check "I know what I'm doing", and then select each instance of "rlls.dll" in the left-hand panel and click >> to move it to the right-hand panel. Then click Finish to allow LSPfix to rebuild the LSP chain.

* Please remove these entries from Add/Remove Programs in the Control Panel (if present):
To do this, click 'Start' then 'Control Panel', then double-click on Add/Remove Programs.
webhancer
Web Buying


* Download OTMoveIt.exe from here and place it on your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

* Open OTMoveIt.exe.
In the left pane where it says: "Paste List of Files/Folders to be Moved", copy and paste the next part:

C:\WINDOWS\System32\6781e40a.exe
C:\Program Files\webHancer
C:\WINDOWS\System32\algs.exe
C:\WINDOWS\rfaotlsA.exe
c:\windows\system32\dwdsregt.exe
C:\Documents and Settings\All Users\Application Data\gtcfaxaz.exe
c:\windows\system32\smgr.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\6781e40a.exe
C:\winstall.exe
C:\Program Files\Web Buying
C:\WINDOWS\system32\lwinondt.exe
c:\windows\system32\rlls.dll


Then click the MoveIt button below.
In case you get a "Bad Image" error, just click OK at the prompt. It will move the file anyway.
When done, it will create a log (********_******.log -- * stands for date and time) in the following folder: C:\_OTMoveIt\MovedFiles.
Copy and paste this log in your next reply.


* Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Keep the log, you must post it in your next reply.


1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log and the logs from OTMoveIt and SDFix.

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.
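The triage the reply above does by eye can be scripted: it singles out the "Unknown file in Winsock LSP" entries, Run values whose image is a bare file name, sits at the drive root or in a user-writable folder, or contains characters HijackThis prints as "?", and services whose file is missing. The Python script below is an added example written for this page; it is not part of the thread, of HijackThis, or of any tool named above. It only understands the three line shapes shown (O4 Run values, O10 LSP entries, O23 services); the sample lines are copied from the log posted in this thread, while the heuristics, tag names and thresholds are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [licli] li.exe
O4 - HKLM\..\Run: [{1C-CA-A2-2E-ZN}] c:\windows\system32\dwdsregt.exe CHD001
O4 - HKLM\..\Run: [gtcfaxaz.exe] C:\Documents and Settings\All Users\Application Data\gtcfaxaz.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [Ljchl] C:\WINDOWS\system32\?icrosoft.NET\c?rss.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code: "O4", "O10" or "O23"
    reason: str   # short tag for why the line was flagged (names chosen for this example)
    line: str     # the raw log line


# Line shapes handled here (hypothetical patterns written for this example).
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O10_RE = re.compile(r'^O10 - Unknown file in Winsock LSP: (?P<path>.+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$')

# User-writable or scratch folders that legitimate auto-start entries rarely use.
SUSPICIOUS_DIRS = (
    "\\application data\\",
    "\\local settings\\",
    "\\temp\\",
    "\\temporary internet files\\",
    "\\my documents\\",
)
# Folders a service image is normally expected to live in.
STANDARD_SERVICE_DIRS = ("\\program files\\", "\\progra~1\\", "\\system32\\")


def _image_path(cmd: str) -> str:
    """Strip quotes and trailing arguments from a Run value to get the image path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces, so cut after the first executable extension.
    m = re.match(r'(?i)(.*?\.(?:exe|dll|scr|com|bat|cmd))(?:\s|$)', cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def triage_o4(cmd: str, line: str) -> list:
    path = _image_path(cmd)
    low = path.lower()
    out = []
    if "\\" not in path:
        # A bare file name is resolved by PATH search at logon; the log alone
        # cannot tell which binary actually runs.
        out.append(Finding("O4", "bare-filename", line))
    if "?" in path:
        # HijackThis prints '?' for characters it cannot display; in this thread
        # those are look-alike names next to real system folders.
        out.append(Finding("O4", "undisplayable-char", line))
    if re.match(r'^[a-z]:\\[^\\]+$', low):
        out.append(Finding("O4", "drive-root", line))
    if any(d in low for d in SUSPICIOUS_DIRS):
        out.append(Finding("O4", "user-writable-dir", line))
    return out


def triage_o23(owner: str, path: str, line: str) -> list:
    low = path.lower()
    out = []
    if "(file missing)" in low:
        out.append(Finding("O23", "service-file-missing", line))
    if owner.strip().lower() == "unknown owner" and not any(d in low for d in STANDARD_SERVICE_DIRS):
        out.append(Finding("O23", "unknown-owner-nonstandard-path", line))
    return out


def triage(log_text: str) -> list:
    """Run the heuristics over every recognised line and collect the findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            findings.extend(triage_o4(m["cmd"], line))
        elif O10_RE.match(line):
            findings.append(Finding("O10", "unknown-lsp", line))
        elif m := O23_RE.match(line):
            findings.extend(triage_o23(m["owner"], m["path"], line))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per reason tag."""
    counts = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


def lsp_dlls(findings: list) -> list:
    """Distinct DLLs behind the O10 entries; each one needs removing from the LSP chain."""
    return sorted({f.line.rsplit(": ", 1)[1].lower() for f in findings if f.reason == "unknown-lsp"})


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.section:4} {f.reason:32} {f.line}")
    print(summarize(found))
    print("LSP DLLs to remove:", lsp_dlls(found))
```

The heuristics only see what the log line shows: the dwdsregt.exe value in the sample is not flagged because it lives in System32 and has no other tell, which is why a helper still compares every Run value against the running-process list and known-good names rather than trusting a scripted pass alone.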
fullofbull`
QUOTE(jurgenv @ Jun 13 2007, 08:44 AM)



Jurgenv,

Thanks for reopening.

Here is the SDFix log

SDFix: Version 1.88

Run by Administrator on Sun 08/19/2007 at 09:57 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
core
MSDisk
Windows Overlay Components

ImagePath:
system32\drivers\core.sys
"C:\WINDOWS\System32\irdvxc.exe" /service
C:\WINDOWS\rfaotls.exe

core - Deleted
MSDisk - Deleted
Windows Overlay Components - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\system32\.exe - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\AGENTSYN.EXE - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\HOSTLOOK.EXE - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\SVLOOK.EXE - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\SVPOWER.EXE - Deleted
C:\WINDOWS\SYSTEM32\ERASEM~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\ERASEM~2.EXE - Deleted
C:\WINDOWS\SYSTEM32\VISUU1X.EXE - Deleted
C:\WINDOWS\SYSTEM32\WINSPRM.EXE - Deleted
C:\WINDOWS\SYSTEM32\FDPB.EXE - Deleted
C:\WINDOWS\SYSTEM32\XXCOQ.EXE - Deleted
C:\WINDOWS\system32\eraseme_32715.exe - Deleted
C:\WINDOWS\system32\eraseme_67561.exe - Deleted
C:\antivir.exe - Deleted
C:\exo32.exe - Deleted
C:\WINDOWS\avp.exe - Deleted
C:\WINDOWS\retadpu1000106.exe - Deleted
C:\WINDOWS\retadpu1000272.exe - Deleted
C:\WINDOWS\smgr.exe - Deleted
C:\WINDOWS\system32\.exe - Deleted
C:\WINDOWS\system32\cookie.dat - Deleted
C:\WINDOWS\system32\dlh9jkd1q1.exe - Deleted
C:\WINDOWS\system32\dlh9jkd1q8.exe - Deleted
C:\WINDOWS\system32\drivers\core.cache.dsk - Deleted
C:\WINDOWS\system32\drivers\core.sys - Deleted
C:\WINDOWS\system32\helper.dll - Deleted
C:\WINDOWS\system32\i - Deleted
C:\WINDOWS\system32\ipv6monr.dll - Deleted
C:\WINDOWS\system32\ipv6mons.dll - Deleted
C:\WINDOWS\system32\o - Deleted
C:\WINDOWS\system32\ps.dat - Deleted
C:\WINDOWS\system32\setup_22745.exe - Deleted
C:\WINDOWS\system32\sysmon32.exe - Deleted
C:\WINDOWS\system32\sysmon32.exe - Deleted
C:\WINDOWS\system32\unsvchosts.lzma - Deleted
C:\WINDOWS\system32\vexga3me2.exe - Deleted
C:\WINDOWS\system32\vexga4me1.exe - Deleted
C:\WINDOWS\tcb.pmw - Deleted



Removing Temp Files...

ADS Check:

Checking C:\WINDOWS
C:\WINDOWS
No streams found.

Checking C:\WINDOWS\system32
C:\WINDOWS\system32
No streams found.

Checking C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Checking C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Listing Files with Hidden Attributes:

C:\WINDOWS\system32\gebcd.dll
C:\WINDOWS\system32\vtsqo.dll
C:\Documents and Settings\Administrator\My Documents\?ssembly\dllhost.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1658OinAdmin.exe
C:\Program Files\Common Files\Yazzle1658OinUninstaller.exe
C:\WINDOWS\??sembly\?serinit.exe

Listing User Accounts:


Administrator Guest HelpAssistant
SUPPORT_388945a0


Finished


ComboFix log

ComboFix 07-08-17.2 - "Administrator" 2007-08-20 21:08:05.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.59 [GMT -4:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ADMINI~1\APPLIC~1.\dobe~1
C:\DOCUME~1\ADMINI~1\APPLIC~1.\ecurit~1
C:\DOCUME~1\ADMINI~1\APPLIC~1.\Ultimate Fixer
C:\DOCUME~1\ADMINI~1\APPLIC~1\.rdr.ini
C:\DOCUME~1\ADMINI~1\APPLIC~1\privprotect.exe
C:\DOCUME~1\ADMINI~1\Desktop\internet.lnk
C:\DOCUME~1\ADMINI~1\MYDOCU~1.\asembl~1
C:\DOCUME~1\ADMINI~1\MYDOCU~1.\ssembl~1
C:\DOCUME~1\ADMINI~1\MYDOCU~1.\ssembl~1\dllhost.exe
C:\DOCUME~1\ADMINI~1\MYDOCU~1.\ssembl~1\SSEMBL~1\ctxad-540.0000
C:\DOCUME~1\ADMINI~1\MYDOCU~1.\ssembl~1\SSEMBL~1\ctxad-540.0001
C:\DOCUME~1\ADMINI~1\MYDOCU~1.\ssembl~1\SSEMBL~1\ctxad-540.0002
C:\DOCUME~1\ADMINI~1\MYDOCU~1.\ssembl~1\SSEMBL~1\ctxad-540.0003
C:\DOCUME~1\ADMINI~1\MYDOCU~1.\ssembl~1\SSEMBL~1\ctxad-540.0004
C:\DOCUME~1\ADMINI~1\MYDOCU~1.\ssembl~1\SSEMBL~1\ctxad-552.0000
C:\DOCUME~1\ADMINI~1\MYDOCU~1.\ssembl~1\SSEMBL~1\ctxad-552.0001
C:\DOCUME~1\ADMINI~1\MYDOCU~1.\ssembl~1\SSEMBL~1\ctxad-552.0002
C:\DOCUME~1\ADMINI~1\MYDOCU~1.\ssembl~1\SSEMBL~1\ctxad-552.0003
C:\DOCUME~1\ADMINI~1\MYDOCU~1.\ssembl~1\SSEMBL~1\ctxad-552.0004
C:\DOCUME~1\ADMINI~1\STARTM~1\Programs.\Outerinfo
C:\DOCUME~1\ADMINI~1\STARTM~1\Programs.\Outerinfo\Terms.lnk
C:\DOCUME~1\ADMINI~1\STARTM~1\Programs.\Outerinfo\Uninstall.lnk
C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup.\TA_Start.lnk
C:\Program Files\Common Files\{34B1C~1
C:\Program Files\Common Files\{34B1C~1\Bar888.dll
C:\Program Files\Common Files\{34B1C~1\Bar888.dll.lzma
C:\Program Files\Common Files\{34B1C~1\toolbardll.lzma
C:\Program Files\Common Files\{34B1C~1\UnInstall.exe
C:\Program Files\Common Files\{E4B1C~1
C:\Program Files\Common Files\crosof~1
C:\Program Files\Common Files\drivecleaner free
C:\Program Files\Common Files\mbols~1
C:\Program Files\Common Files\sstem~1
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1658OinAdmin.exe
C:\Program Files\Common Files\Yazzle1658OinUninstaller.exe
C:\Program Files\folder.js\
C:\Program Files\ini.ini\
C:\Program Files\myglobalsearch
C:\Program Files\myglobalsearch\bar\1.bin\M9FFXTBR.JAR
C:\Program Files\myglobalsearch\bar\1.bin\M9NTSTBR.JAR
C:\Program Files\myglobalsearch\bar\Cache0738C1
C:\Program Files\myglobalsearch\bar\Cache07509E
C:\Program Files\myglobalsearch\bar\Cache075D12.bin
C:\Program Files\myglobalsearch\bar\Cache0773C6.bin
C:\Program Files\myglobalsearch\bar\Cache\files.ini
C:\Program Files\myglobalsearch\bar\History\search
C:\Program Files\myglobalsearch\bar\Settings\prevcfg.htm
C:\Program Files\outerinfo
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\Windows NT\lazupojo.dll
C:\Program Files\Windows NT\projydica.html
C:\tempb9
C:\tempb9\tmpTF.log
C:\temp\tn3
C:\WINDOWS\2023.exe
C:\WINDOWS\crosof~1.net
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\curity~1
C:\WINDOWS\itpb_4.exe
C:\WINDOWS\offun.exe
C:\WINDOWS\ppatch~1
C:\WINDOWS\rau001978.exe
C:\WINDOWS\sembly~1
C:\WINDOWS\sembly~1\?serinit.exe
C:\WINDOWS\system32\awtttst.dll
C:\WINDOWS\system32\dcbeg.bak1
C:\WINDOWS\system32\dcbeg.ini
C:\WINDOWS\system32\dnsersnd.dll
C:\WINDOWS\system32\gebcd.dll
C:\WINDOWS\system32\icroso~1.net
C:\WINDOWS\system32\ldpackage.dll
C:\WINDOWS\system32\model.dat
C:\WINDOWS\system32\oqstv.ini
C:\WINDOWS\system32\oqyx.dll
C:\WINDOWS\system32\pukvqhkm.dll
C:\WINDOWS\system32\rlxf.dll
C:\WINDOWS\system32\silc_dll.dll
C:\WINDOWS\system32\smbols~1
C:\WINDOWS\system32\T1
C:\WINDOWS\system32\T1\am52.exe
C:\WINDOWS\system32\T2
C:\WINDOWS\system32\T2\am67.exe
C:\WINDOWS\system32\T4
C:\WINDOWS\system32\T4\amst5.exe
C:\WINDOWS\system32\T6
C:\WINDOWS\system32\T6\amwr.exe
C:\WINDOWS\system32\T7
C:\WINDOWS\system32\vtsqo.dll
C:\WINDOWS\system32\winhld32.dll
C:\WINDOWS\system32\winsys64.exe
C:\WINDOWS\system32\wnsapisv32.exe
C:\WINDOWS\system32\wnsapitr.exe
C:\WINDOWS\system32\ystem~1
C:\WINDOWS\uninstall_nmon.vbs


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_NET_AGENT
-------\cmdService
-------\Net Agent


((((((((((((((((((((((((( Files Created from 2007-07-21 to 2007-08-21 )))))))))))))))))))))))))))))))


2007-08-20 21:06 51,200 --a------ C:\WINDOWS\nircmd.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-20 21:10 --------- d-------- C:\Program Files\Windows NT
2007-06-12 16:24 60 --a------ C:\Program Files\ini.ini
2007-06-12 08:18 3022 --a------ C:\WINDOWS\smqoycok.exe
2007-06-12 08:13 14390 --a------ C:\sysxrax.exe
2007-06-11 19:13 63488 --a------ C:\WINDOWS\web\wcxnjhhj.exe
2007-06-11 19:13 63488 --a------ C:\WINDOWS\rerkkktj.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\ssenjzlj.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\stlvetct.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\stlvetct.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\stlvetct.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common\stlvetct.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\hshlnlhk.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\hnvcxhls.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System_OEM\xksjekrx.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System_OEM\wwsjnbnq.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System_OEM\twxelwsc.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System_OEM\tnzhlhnr.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System_OEM\jbblqqrl.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\UpdateCtr\zccewkkb.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\UpdateCtr\zcbjntbt.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\UpdateCtr\xttblnnn.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\UpdateCtr\cnvjlbvb.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\UpdateCtr\blbelbbj.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\sysinfo\zkjckqle.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\sysinfo\wrsnrelv.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\sysinfo\rbjsrhhj.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\sysinfo\qkjneslh.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\sysinfo\kqwlwbxw.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\sysinfo\jlcehbkq.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\sysinfo\bttlteqt.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\sysinfo\bbekwlrs.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\tehxeecc.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\srljkjhs.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Interaction\Server\wqqnvzet.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Interaction\Server\sbsbzljh.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Interaction\Server\llehtbzr.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Interaction\Server\jkvvjhhx.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Interaction\Server\ehvhlqhw.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Interaction\Common\vlewejke.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Interaction\Common\rrjhbcnh.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Interaction\Common\ctrbnkts.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Interaction\Client\wxklxbbh.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Interaction\Client\wnjeletk.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Interaction\Client\nkbshxqh.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Interaction\Client\lscrknnq.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Interaction\Client\jthchjjx.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Interaction\Client\jrwbtbsl.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Common\wccnwsnz.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Common\rjewkstw.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Common\krbbjtbw.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\bxtxjsbv.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\rc\khhtevqk.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\panels\kqxqncte.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\panels\ekjekxll.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\NetDiag\tlwqjnbh.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\NetDiag\tekstkzw.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\errors\brlkcjst.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\ErrMsg\xjlnrbel.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\DVDUpgrd\jkenjtvv.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\DFS\rllhnlsq.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\DFS\lzkknrkt.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\DFS\lthtlnwk.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\CompatCtr\ttnejjkl.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\CompatCtr\kshsbten.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\CompatCtr\csclcbtn.exe
2007-06-11 19:12 63488 --a--c--- C:\WINDOWS\pchealth\HelpCtr\System\CompatCtr\chlrtebt.exe
2007-06-11 19:11 63488 --a--c--- C:\WINDOWS\help\tsbjbtvn.exe
2007-06-11 19:11 63488 --a--c--- C:\WINDOWS\help\Tours\WindowsMediaPlayer\Cnt\tjnbzhbh.exe
2007-06-11 19:11 63488 --a--c--- C:\WINDOWS\help\Tours\WindowsMediaPlayer\Audio\lllknblj.exe
2007-06-11 19:11 63488 --a--c--- C:\WINDOWS\help\Tours\htmlTour\ztssweeh.exe
2007-06-11 19:11 63488 --a--c--- C:\WINDOWS\help\Tours\htmlTour\zbcwlstj.exe
2007-06-11 19:11 63488 --a--c--- C:\WINDOWS\help\Tours\htmlTour\xslbknlk.exe
2007-06-11 19:11 63488 --a--c--- C:\WINDOWS\help\Tours\htmlTour\wwvjntek.exe
2007-06-11 19:11 63488 --a--c--- C:\WINDOWS\help\Tours\htmlTour\trsecbvb.exe
2007-06-11 19:11 63488 --a--c--- C:\WINDOWS\help\Tours\htmlTour\tjxhsker.exe
2007-06-11 19:11 63488 --a--c--- C:\WINDOWS\help\Tours\htmlTour\skersqzb.exe
2007-06-11 19:11 63488 --a--c--- C:\WINDOWS\help\Tours\htmlTour\rzjnrbeb.exe
2007-06-11 19:11 63488 --a--c--- C:\WINDOWS\help\Tours\htmlTour\rqkjqjqb.exe
2007-06-11 19:11 63488 --a--c--- C:\WINDOWS\help\Tours\htmlTour\rbnesqvr.exe
2007-06-11 19:11 63488 --a--c--- C:\WINDOWS\help\Tours\htmlTour\qejnhetj.exe
2007-06-11 19:11 63488 --a--c--- C:\WINDOWS\help\Tours\htmlTour\nleqhveh.exe
2007-06-11 19:11 63488 --a--c--- C:\WINDOWS\help\Tours\htmlTour\njnrhctz.exe
2007-06-11 19:11 63488 --a--c--- C:\WINDOWS\help\Tours\htmlTour\lwnssrtv.exe
2007-06-11 19:11 63488 --a--c--- C:\WINDOWS\help\Tours\htmlTour\lrhwxcwk.exe
2007-06-11 19:11 63488 --a--c--- C:\WINDOWS\help\Tours\htmlTour\lhhjrkjk.exe
2007-06-11 19:11 63488 --a--c--- C:\WINDOWS\help\Tours\htmlTour\lbsbbjlx.exe
2007-06-11 19:11 63488 --a--c--- C:\WINDOWS\help\Tours\htmlTour\kzkzkjkb.exe
2007-06-11 19:11 63488 --a--c--- C:\WINDOWS\help\Tours\htmlTour\kzerbzks.exe
2007-06-11 19:11 63488 --a--c--- C:\WINDOWS\help\Tours\htmlTour\kxkzvszq.exe
2007-06-11 19:11 63488 --a--c--- C:\WINDOWS\help\Tours\htmlTour\knwbcncs.exe
2007-06-11 19:11 63488 --a--c--- C:\WINDOWS\help\Tours\htmlTour\klbvejnk.exe
2007-06-11 19:11 63488 --a--c--- C:\WINDOWS\help\Tours\htmlTour\hjhecvkh.exe
2007-06-11 19:11 63488 --a--c--- C:\WINDOWS\help\Tours\htmlTour\ewrlklcs.exe
2007-06-11 19:11 63488 --a--c--- C:\WINDOWS\help\Tours\htmlTour\ekwlsjzj.exe
2007-06-11 19:11 63488 --a--c--- C:\WINDOWS\help\Tours\htmlTour\cxjclkkc.exe
2007-06-11 19:11 63488 --a--c--- C:\WINDOWS\help\Tours\htmlTour\blkkzrtt.exe
2007-06-11 19:11 63488 --a--c--- C:\WINDOWS\help\jjlenkbt.exe
2007-06-11 19:11 63488 --a--c--- C:\WINDOWS\help\jbnshhqj.exe
2007-06-11 19:11 63488 --a--c--- C:\WINDOWS\help\hwexrtne.exe
2007-06-11 19:11 63488 --a--c--- C:\WINDOWS\help\bzehxvnz.exe
2005-07-29 21:24:26 472 -csha-r C:\WINDOWS\QmFyYiBIb3BraW5z\kAIVs21Kva1OuqcW.vbs


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-08-20 19:55]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-08-20 19:51]
"LMPDPSRV"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE" [2002-07-11 18:31]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe" [2004-09-15 06:48]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 11:46]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 12:38]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 13:55]
"licli"="li.exe" []
"6781e40a.exe"="C:\WINDOWS\System32\6781e40a.exe" []
"rfaotlsA"="C:\WINDOWS\rfaotlsA.exe" []
"{1C-CA-A2-2E-ZN}"="c:\windows\system32\dwdsregt.exe" []
"gtcfaxaz.exe"="C:\Documents and Settings\All Users\Application Data\gtcfaxaz.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 18:08]
"6781e40a.exe"="C:\Documents and Settings\Administrator\Local Settings\Application Data\6781e40a.exe" []
"Ncao"="C:\DOCUME~1\ADMINI~1\MYDOCU~1\SSEMBL~1\dllhost.exe" []
"Ljchl"="C:\WINDOWS\system32\?icrosoft.NET\c?rss.exe" []
"Xfbbnh"="C:\WINDOWS\??sembly\?serinit.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Lexmark X125 Settings Utility.lnk - C:\Program Files\Lexmark X125\LEX125SU.exe [2005-12-10 13:15:07]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
Source= C:\Program Files\Windows NT\projydica.html
FriendlyName=

S2 DgiVecp;DgiVecp;\??\C:\WINDOWS\System32\Drivers\DgiVecp.sys


Contents of the 'Scheduled Tasks' folder
2007-06-12 12:13:38 C:\WINDOWS\Tasks\At1.job - C:\WINDOWS\System328Hq4n3X.exe
2007-06-12 13:00:05 C:\WINDOWS\Tasks\At10.job
2007-06-12 14:00:13 C:\WINDOWS\Tasks\At11.job - C:\WINDOWS\System328Hq4n3X.exe
2007-06-12 15:00:08 C:\WINDOWS\Tasks\At12.job - C:\WINDOWS\System328Hq4n3X.exe
2007-06-12 16:00:07 C:\WINDOWS\Tasks\At13.job - C:\WINDOWS\System328Hq4n3X.exe
2007-06-12 17:00:07 C:\WINDOWS\Tasks\At14.job - C:\WINDOWS\System328Hq4n3X.exe
2007-06-12 18:00:09 C:\WINDOWS\Tasks\At15.job - C:\WINDOWS\System328Hq4n3X.exe
2007-06-12 12:13:38 C:\WINDOWS\Tasks\At16.job - C:\WINDOWS\System328Hq4n3X.exe
2007-06-12 12:13:38 C:\WINDOWS\Tasks\At17.job - C:\WINDOWS\System328Hq4n3X.exe
2007-06-12 21:00:01 C:\WINDOWS\Tasks\At18.job - C:\WINDOWS\System328Hq4n3X.exe
2007-06-12 22:00:00 C:\WINDOWS\Tasks\At19.job - C:\WINDOWS\System328Hq4n3X.exe
2007-06-12 12:13:38 C:\WINDOWS\Tasks\At2.job - C:\WINDOWS\System328Hq4n3X.exe
2007-06-12 12:13:38 C:\WINDOWS\Tasks\At20.job - C:\WINDOWS\System328Hq4n3X.exe
2007-06-13 00:00:08 C:\WINDOWS\Tasks\At21.job - C:\WINDOWS\System328Hq4n3X.exe
2007-06-12 12:13:39 C:\WINDOWS\Tasks\At22.job - C:\WINDOWS\System328Hq4n3X.exe
2007-06-12 12:13:39 C:\WINDOWS\Tasks\At23.job
2007-06-12 12:13:39 C:\WINDOWS\Tasks\At24.job - C:\WINDOWS\System328Hq4n3X.exe
2007-06-12 12:13:39 C:\WINDOWS\Tasks\At3.job - C:\WINDOWS\System328Hq4n3X.exe
2007-06-12 12:13:39 C:\WINDOWS\Tasks\At4.job - C:\WINDOWS\System328Hq4n3X.exe
2007-06-12 12:13:39 C:\WINDOWS\Tasks\At5.job - C:\WINDOWS\System328Hq4n3X.exe
2007-06-12 12:13:39 C:\WINDOWS\Tasks\At6.job - C:\WINDOWS\System328Hq4n3X.exe
2007-06-12 12:13:39 C:\WINDOWS\Tasks\At7.job - C:\WINDOWS\System328Hq4n3X.exe
2007-06-12 12:13:39 C:\WINDOWS\Tasks\At8.job
2007-06-12 12:13:39 C:\WINDOWS\Tasks\At9.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-20 21:13:15
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-20 21:14:14 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-20 21:14

--- E O F ---

OTMOVEIT log

C:\WINDOWS\System32\6781e40a.exe moved successfully.
File/Folder C:\Program Files\webHancer not found.
File/Folder C:\WINDOWS\System32\algs.exe not found.
File/Folder C:\WINDOWS\rfaotisA.exe not found.
File/Folder c:\windows\system32\dwdsregt.exe not found.
C:\Documents and Settings\All Users\Application Data\gtcfaxaz.exe moved successfully.
File/Folder c:\windows\system32\smgr.exe not found.
C:\Documents and Settings\Administrator\Local Settings\Application Data\6781e40a.exe moved successfully.
File/Folder C:\winstall.exe not found.
File/Folder C:\Program Files\Web Buying not found.
File/Folder C:\WINDOWS\System32\lwinondt.exe not found.
File/Folder c:\windows\system32\rlls.dll not found.

Created on 08/19/2007 21:46:30

Things seem to be running much better. I will attach a new HJT log in another reply.

Thanks

FOB
fullofbull`
Jurgenv,


Here is the new HJT log,

Logfile of HijackThis v1.99.1
Scan saved at 9:30:34 PM, on 8/20/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [licli] li.exe
O4 - HKLM\..\Run: [6781e40a.exe] C:\WINDOWS\System32\6781e40a.exe
O4 - HKLM\..\Run: [rfaotlsA] C:\WINDOWS\rfaotlsA.exe
O4 - HKLM\..\Run: [{1C-CA-A2-2E-ZN}] c:\windows\system32\dwdsregt.exe CHD001
O4 - HKLM\..\Run: [gtcfaxaz.exe] C:\Documents and Settings\All Users\Application Data\gtcfaxaz.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [6781e40a.exe] C:\Documents and Settings\Administrator\Local Settings\Application Data\6781e40a.exe
O4 - HKCU\..\Run: [Ncao] "C:\DOCUME~1\ADMINI~1\MYDOCU~1\SSEMBL~1\dllhost.exe" -vt yazb
O4 - HKCU\..\Run: [Ljchl] C:\WINDOWS\system32\?icrosoft.NET\c?rss.exe
O4 - HKCU\..\Run: [Xfbbnh] C:\WINDOWS\??sembly\?serinit.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


thanks again!!!!!!!!!!!!

FOB

fullofbull`
Jurgenv,

One other thing. Seems to be running pretty well, except I get an occasional message saying I should download a registry cleaner. Do you think this is bogus?

FOB
jurgenv
Now move this with OTMoveIt:


C:\WINDOWS\smqoycok.exe
C:\sysxrax.exe
C:\WINDOWS\web\wcxnjhhj.exe
C:\WINDOWS\rerkkktj.exe
C:\WINDOWS\pchealth\HelpCtr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\ssenjzlj.exe
C:\WINDOWS\pchealth\HelpCtr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\stlvetct.exe
C:\WINDOWS\pchealth\HelpCtr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\stlvetct.exe
C:\WINDOWS\pchealth\HelpCtr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\stlvetct.exe
C:\WINDOWS\pchealth\HelpCtr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common\stlvetct.exe
C:\WINDOWS\pchealth\HelpCtr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\hshlnlhk.exe
C:\WINDOWS\pchealth\HelpCtr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\hnvcxhls.exe
C:\WINDOWS\pchealth\HelpCtr\System_OEM\xksjekrx.exe
C:\WINDOWS\pchealth\HelpCtr\System_OEM\wwsjnbnq.exe
C:\WINDOWS\pchealth\HelpCtr\System_OEM\twxelwsc.exe
C:\WINDOWS\pchealth\HelpCtr\System_OEM\tnzhlhnr.exe
C:\WINDOWS\pchealth\HelpCtr\System_OEM\jbblqqrl.exe
C:\WINDOWS\pchealth\HelpCtr\System\UpdateCtr\zccewkkb.exe
C:\WINDOWS\pchealth\HelpCtr\System\UpdateCtr\zcbjntbt.exe
C:\WINDOWS\pchealth\HelpCtr\System\UpdateCtr\xttblnnn.exe
C:\WINDOWS\pchealth\HelpCtr\System\UpdateCtr\cnvjlbvb.exe
C:\WINDOWS\pchealth\HelpCtr\System\UpdateCtr\blbelbbj.exe
C:\WINDOWS\pchealth\HelpCtr\System\sysinfo\zkjckqle.exe
C:\WINDOWS\pchealth\HelpCtr\System\sysinfo\wrsnrelv.exe
C:\WINDOWS\pchealth\HelpCtr\System\sysinfo\rbjsrhhj.exe
C:\WINDOWS\pchealth\HelpCtr\System\sysinfo\qkjneslh.exe
C:\WINDOWS\pchealth\HelpCtr\System\sysinfo\kqwlwbxw.exe
C:\WINDOWS\pchealth\HelpCtr\System\sysinfo\jlcehbkq.exe
C:\WINDOWS\pchealth\HelpCtr\System\sysinfo\bttlteqt.exe
C:\WINDOWS\pchealth\HelpCtr\System\sysinfo\bbekwlrs.exe
C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\tehxeecc.exe
C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\srljkjhs.exe
C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Interaction\Server\wqqnvzet.exe
C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Interaction\Server\sbsbzljh.exe
C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Interaction\Server\llehtbzr.exe
C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Interaction\Server\jkvvjhhx.exe
C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Interaction\Server\ehvhlqhw.exe
C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Interaction\Common\vlewejke.exe
C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Interaction\Common\rrjhbcnh.exe
C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Interaction\Common\ctrbnkts.exe
C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Interaction\Client\wxklxbbh.exe
C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Interaction\Client\wnjeletk.exe
C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Interaction\Client\nkbshxqh.exe
C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Interaction\Client\lscrknnq.exe
C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Interaction\Client\jthchjjx.exe
C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Interaction\Client\jrwbtbsl.exe
C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Common\wccnwsnz.exe
C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Common\rjewkstw.exe
C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Common\krbbjtbw.exe
C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\bxtxjsbv.exe
C:\WINDOWS\pchealth\HelpCtr\System\rc\khhtevqk.exe
C:\WINDOWS\pchealth\HelpCtr\System\panels\kqxqncte.exe
C:\WINDOWS\pchealth\HelpCtr\System\panels\ekjekxll.exe
C:\WINDOWS\pchealth\HelpCtr\System\NetDiag\tlwqjnbh.exe
C:\WINDOWS\pchealth\HelpCtr\System\NetDiag\tekstkzw.exe
C:\WINDOWS\pchealth\HelpCtr\System\errors\brlkcjst.exe
C:\WINDOWS\pchealth\HelpCtr\System\ErrMsg\xjlnrbel.exe
C:\WINDOWS\pchealth\HelpCtr\System\DVDUpgrd\jkenjtvv.exe
C:\WINDOWS\pchealth\HelpCtr\System\DFS\rllhnlsq.exe
C:\WINDOWS\pchealth\HelpCtr\System\DFS\lzkknrkt.exe
C:\WINDOWS\pchealth\HelpCtr\System\DFS\lthtlnwk.exe
C:\WINDOWS\pchealth\HelpCtr\System\CompatCtr\ttnejjkl.exe
C:\WINDOWS\pchealth\HelpCtr\System\CompatCtr\kshsbten.exe
C:\WINDOWS\pchealth\HelpCtr\System\CompatCtr\csclcbtn.exe
C:\WINDOWS\pchealth\HelpCtr\System\CompatCtr\chlrtebt.exe
C:\WINDOWS\help\tsbjbtvn.exe
C:\WINDOWS\help\Tours\WindowsMediaPlayer\Cnt\tjnbzhbh.exe
C:\WINDOWS\help\Tours\WindowsMediaPlayer\Audio\lllknblj.exe
C:\WINDOWS\help\Tours\htmlTour\ztssweeh.exe
C:\WINDOWS\help\Tours\htmlTour\zbcwlstj.exe
C:\WINDOWS\help\Tours\htmlTour\xslbknlk.exe
C:\WINDOWS\help\Tours\htmlTour\wwvjntek.exe
C:\WINDOWS\help\Tours\htmlTour\trsecbvb.exe
C:\WINDOWS\help\Tours\htmlTour\tjxhsker.exe
C:\WINDOWS\help\Tours\htmlTour\skersqzb.exe
C:\WINDOWS\help\Tours\htmlTour\rzjnrbeb.exe
C:\WINDOWS\help\Tours\htmlTour\rqkjqjqb.exe
C:\WINDOWS\help\Tours\htmlTour\rbnesqvr.exe
C:\WINDOWS\help\Tours\htmlTour\qejnhetj.exe
C:\WINDOWS\help\Tours\htmlTour\nleqhveh.exe
C:\WINDOWS\help\Tours\htmlTour\njnrhctz.exe
C:\WINDOWS\help\Tours\htmlTour\lwnssrtv.exe
C:\WINDOWS\help\Tours\htmlTour\lrhwxcwk.exe
C:\WINDOWS\help\Tours\htmlTour\lhhjrkjk.exe
C:\WINDOWS\help\Tours\htmlTour\lbsbbjlx.exe
C:\WINDOWS\help\Tours\htmlTour\kzkzkjkb.exe
C:\WINDOWS\help\Tours\htmlTour\kzerbzks.exe
C:\WINDOWS\help\Tours\htmlTour\kxkzvszq.exe
C:\WINDOWS\help\Tours\htmlTour\knwbcncs.exe
C:\WINDOWS\help\Tours\htmlTour\klbvejnk.exe
C:\WINDOWS\help\Tours\htmlTour\hjhecvkh.exe
C:\WINDOWS\help\Tours\htmlTour\ewrlklcs.exe
C:\WINDOWS\help\Tours\htmlTour\ekwlsjzj.exe
C:\WINDOWS\help\Tours\htmlTour\cxjclkkc.exe
C:\WINDOWS\help\Tours\htmlTour\blkkzrtt.exe
C:\WINDOWS\help\jjlenkbt.exe
C:\WINDOWS\help\jbnshhqj.exe
C:\WINDOWS\help\hwexrtne.exe
C:\WINDOWS\help\bzehxvnz.exe
C:\WINDOWS\QmFyYiBIb3BraW5z
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job



Post the report of it here with a new log from combofix.
fullofbull`
QUOTE(jurgenv @ Aug 21 2007, 07:34 AM)
Now move this with OTMoveIt: [the quoted file list is identical to the one in the post above]
Post the report of it here with a new log from combofix.

Jurgenv,

Moveit log:
C:\WINDOWS\smqoycok.exe moved successfully.
C:\sysxrax.exe moved successfully.
C:\WINDOWS\web\wcxnjhhj.exe moved successfully.
C:\WINDOWS\rerkkktj.exe moved successfully.
File move failed. C:\WINDOWS\pchealth\HelpCtr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\ssenjzlj.exe scheduled to be moved on reboot.
File move failed. C:\WINDOWS\pchealth\HelpCtr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\stlvetct.exe scheduled to be moved on reboot.
File move failed. C:\WINDOWS\pchealth\HelpCtr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\stlvetct.exe scheduled to be moved on reboot.
File move failed. C:\WINDOWS\pchealth\HelpCtr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\stlvetct.exe scheduled to be moved on reboot.
File move failed. C:\WINDOWS\pchealth\HelpCtr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common\stlvetct.exe scheduled to be moved on reboot.
File move failed. C:\WINDOWS\pchealth\HelpCtr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\hshlnlhk.exe scheduled to be moved on reboot.
File move failed. C:\WINDOWS\pchealth\HelpCtr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\hnvcxhls.exe scheduled to be moved on reboot.
C:\WINDOWS\pchealth\HelpCtr\System_OEM\xksjekrx.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System_OEM\wwsjnbnq.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System_OEM\twxelwsc.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System_OEM\tnzhlhnr.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System_OEM\jbblqqrl.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\UpdateCtr\zccewkkb.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\UpdateCtr\zcbjntbt.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\UpdateCtr\xttblnnn.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\UpdateCtr\cnvjlbvb.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\UpdateCtr\blbelbbj.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\sysinfo\zkjckqle.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\sysinfo\wrsnrelv.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\sysinfo\rbjsrhhj.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\sysinfo\qkjneslh.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\sysinfo\kqwlwbxw.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\sysinfo\jlcehbkq.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\sysinfo\bttlteqt.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\sysinfo\bbekwlrs.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\tehxeecc.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\srljkjhs.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Interaction\Server\wqqnvzet.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Interaction\Server\sbsbzljh.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Interaction\Server\llehtbzr.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Interaction\Server\jkvvjhhx.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Interaction\Server\ehvhlqhw.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Interaction\Common\vlewejke.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Interaction\Common\rrjhbcnh.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Interaction\Common\ctrbnkts.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Interaction\Client\wxklxbbh.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Interaction\Client\wnjeletk.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Interaction\Client\nkbshxqh.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Interaction\Client\lscrknnq.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Interaction\Client\jthchjjx.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Interaction\Client\jrwbtbsl.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Common\wccnwsnz.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Common\rjewkstw.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\Common\krbbjtbw.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\Remote Assistance\bxtxjsbv.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\rc\khhtevqk.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\panels\kqxqncte.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\panels\ekjekxll.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\NetDiag\tlwqjnbh.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\NetDiag\tekstkzw.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\errors\brlkcjst.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\ErrMsg\xjlnrbel.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\DVDUpgrd\jkenjtvv.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\DFS\rllhnlsq.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\DFS\lzkknrkt.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\DFS\lthtlnwk.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\CompatCtr\ttnejjkl.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\CompatCtr\kshsbten.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\CompatCtr\csclcbtn.exe moved successfully.
C:\WINDOWS\pchealth\HelpCtr\System\CompatCtr\chlrtebt.exe moved successfully.
C:\WINDOWS\help\tsbjbtvn.exe moved successfully.
C:\WINDOWS\help\Tours\WindowsMediaPlayer\Cnt\tjnbzhbh.exe moved successfully.
C:\WINDOWS\help\Tours\WindowsMediaPlayer\Audio\lllknblj.exe moved successfully.
C:\WINDOWS\help\Tours\htmlTour\ztssweeh.exe moved successfully.
C:\WINDOWS\help\Tours\htmlTour\zbcwlstj.exe moved successfully.
C:\WINDOWS\help\Tours\htmlTour\xslbknlk.exe moved successfully.
C:\WINDOWS\help\Tours\htmlTour\wwvjntek.exe moved successfully.
C:\WINDOWS\help\Tours\htmlTour\trsecbvb.exe moved successfully.
C:\WINDOWS\help\Tours\htmlTour\tjxhsker.exe moved successfully.
C:\WINDOWS\help\Tours\htmlTour\skersqzb.exe moved successfully.
C:\WINDOWS\help\Tours\htmlTour\rzjnrbeb.exe moved successfully.
C:\WINDOWS\help\Tours\htmlTour\rqkjqjqb.exe moved successfully.
C:\WINDOWS\help\Tours\htmlTour\rbnesqvr.exe moved successfully.
C:\WINDOWS\help\Tours\htmlTour\qejnhetj.exe moved successfully.
C:\WINDOWS\help\Tours\htmlTour\nleqhveh.exe moved successfully.
C:\WINDOWS\help\Tours\htmlTour\njnrhctz.exe moved successfully.
C:\WINDOWS\help\Tours\htmlTour\lwnssrtv.exe moved successfully.
C:\WINDOWS\help\Tours\htmlTour\lrhwxcwk.exe moved successfully.
C:\WINDOWS\help\Tours\htmlTour\lhhjrkjk.exe moved successfully.
C:\WINDOWS\help\Tours\htmlTour\lbsbbjlx.exe moved successfully.
C:\WINDOWS\help\Tours\htmlTour\kzkzkjkb.exe moved successfully.
C:\WINDOWS\help\Tours\htmlTour\kzerbzks.exe moved successfully.
C:\WINDOWS\help\Tours\htmlTour\kxkzvszq.exe moved successfully.
C:\WINDOWS\help\Tours\htmlTour\knwbcncs.exe moved successfully.
C:\WINDOWS\help\Tours\htmlTour\klbvejnk.exe moved successfully.
C:\WINDOWS\help\Tours\htmlTour\hjhecvkh.exe moved successfully.
C:\WINDOWS\help\Tours\htmlTour\ewrlklcs.exe moved successfully.
C:\WINDOWS\help\Tours\htmlTour\ekwlsjzj.exe moved successfully.
C:\WINDOWS\help\Tours\htmlTour\cxjclkkc.exe moved successfully.
C:\WINDOWS\help\Tours\htmlTour\blkkzrtt.exe moved successfully.
C:\WINDOWS\help\jjlenkbt.exe moved successfully.
C:\WINDOWS\help\jbnshhqj.exe moved successfully.
C:\WINDOWS\help\hwexrtne.exe moved successfully.
C:\WINDOWS\help\bzehxvnz.exe moved successfully.
C:\WINDOWS\QmFyYiBIb3BraW5z moved successfully.
C:\WINDOWS\Tasks\At1.job moved successfully.
C:\WINDOWS\Tasks\At2.job moved successfully.
C:\WINDOWS\Tasks\At3.job moved successfully.
C:\WINDOWS\Tasks\At4.job moved successfully.
C:\WINDOWS\Tasks\At5.job moved successfully.
C:\WINDOWS\Tasks\At6.job moved successfully.
C:\WINDOWS\Tasks\At7.job moved successfully.
C:\WINDOWS\Tasks\At8.job moved successfully.
C:\WINDOWS\Tasks\At9.job moved successfully.
C:\WINDOWS\Tasks\At10.job moved successfully.
C:\WINDOWS\Tasks\At11.job moved successfully.
C:\WINDOWS\Tasks\At12.job moved successfully.
C:\WINDOWS\Tasks\At13.job moved successfully.
C:\WINDOWS\Tasks\At14.job moved successfully.
C:\WINDOWS\Tasks\At15.job moved successfully.
C:\WINDOWS\Tasks\At16.job moved successfully.
C:\WINDOWS\Tasks\At17.job moved successfully.
C:\WINDOWS\Tasks\At18.job moved successfully.
C:\WINDOWS\Tasks\At19.job moved successfully.
C:\WINDOWS\Tasks\At20.job moved successfully.
C:\WINDOWS\Tasks\At21.job moved successfully.
C:\WINDOWS\Tasks\At22.job moved successfully.
C:\WINDOWS\Tasks\At23.job moved successfully.
C:\WINDOWS\Tasks\At24.job moved successfully.

Created on 08/22/2007 18:34:23


Combofix log:

ComboFix 07-08-17.2 - "JIM" 2007-08-22 18:39:57.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.61 [GMT -4:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\folder.js\
C:\Program Files\ini.ini\


((((((((((((((((((((((((( Files Created from 2007-07-22 to 2007-08-22 )))))))))))))))))))))))))))))))


2007-08-22 18:29 <DIR> d---s---- C:\DOCUME~1\JIM\UserData
2007-08-22 18:28 786,432 --ah----- C:\DOCUME~1\JIM\NTUSER.DAT
2007-08-20 22:30 <DIR> d---s---- C:\DOCUME~1\BARB\UserData
2007-08-20 22:10 786,432 --ah----- C:\DOCUME~1\BARB\NTUSER.DAT
2007-08-20 21:06 51,200 --a------ C:\WINDOWS\nircmd.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-20 21:37 --------- d-------- C:\Program Files\Messenger
2007-08-20 21:10 --------- d-------- C:\Program Files\Windows NT
2007-06-12 16:24 60 --a--c--- C:\Program Files\ini.ini
2007-05-30 22:43 20522 --a--c--- C:\WINDOWS\system32\lkclm.exe
2007-05-30 22:31 20522 --a--c--- C:\WINDOWS\system32\mufetq.exe
2007-04-30 11:06 142 --a--c--- C:\Program Files\page.html
2007-01-29 06:41 2121 --a--c--- C:\Program Files\folder.js
2006-12-02 21:05 2522 --a--c--- C:\Program Files\func.js
2006-11-25 03:57 482 --a--c--- C:\Program Files\Del.js
2006-06-08 03:02 2048 --a--c--- C:\Program Files\func.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-08-20 19:55]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-08-20 19:51]
"LMPDPSRV"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE" [2002-07-11 18:31]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe" [2004-09-15 06:48]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 11:46]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 12:38]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 13:55]
"licli"="li.exe" []
"6781e40a.exe"="C:\WINDOWS\System32\6781e40a.exe" []
"rfaotlsA"="C:\WINDOWS\rfaotlsA.exe" []
"{1C-CA-A2-2E-ZN}"="c:\windows\system32\dwdsregt.exe" []
"gtcfaxaz.exe"="C:\Documents and Settings\All Users\Application Data\gtcfaxaz.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Lexmark X125 Settings Utility.lnk - C:\Program Files\Lexmark X125\LEX125SU.exe [2005-12-10 13:15:07]

S2 DgiVecp;DgiVecp;\??\C:\WINDOWS\System32\Drivers\DgiVecp.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-22 18:40:48
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-22 18:41:17
C:\ComboFix-quarantined-files.txt ... 2007-08-22 18:41
C:\ComboFix2.txt ... 2007-08-20 21:14

--- E O F ---


Thanks

Fullofbull
jurgenv
* Now move the following with OTMoveIt:

C:\Program Files\ini.ini
C:\WINDOWS\system32\lkclm.exe
C:\WINDOWS\system32\mufetq.exe
C:\Program Files\page.html
C:\Program Files\folder.js
C:\Program Files\func.js
C:\Program Files\Del.js
C:\Documents and Settings\All Users\Application Data\gtcfaxaz.exe
C:\Program Files\func.exe
c:\windows\system32\dwdsregt.exe
C:\WINDOWS\rfaotlsA.exe
C:\WINDOWS\System32\6781e40a.exe
C:\WINDOWS\system32\li.exe


* After that, post the log of OTMoveIt here with a new log from hijackthis and combofix.