Thanks Belahzur
Unfortunately, between yesterday and today my friend let someone access the internet and reinfect the computer. The OTMoveIT log was posted before that happened. But I did use HijackThis to remove some files that I thought looked infected from the last time. In addition I ran Malwarebytes and deleted a few things as well, then ran DDS, obtained a log from that, and then ran OTMoveIt; my above post was the result. But with the new info from you I will run it again with the ":files" attribute.
Below I have posted the results from each program except for OTMoveIT and Malwarebytes; I forgot to get that one, I will try to get it. My friend does not live that close. I'm just trying to help him out.
------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:16:20 PM, on 2/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Safe mode
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
F:\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [qr5v6k46i8bdy] C:\DOCUME~1\orville\LOCALS~1\Temp\jc3dj9oqleln.exe
O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15033/CTPID.cab
O18 - Filter hijack: text/html - {cc6e3e31-2bd8-48c7-86fb-7f5302833add} - C:\WINDOWS\system32\mst122.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
--
End of file - 4267 bytes
-----------------------------
DDS (Ver_09-02-01.01) - NTFSx86 MINIMAL
Run by orville at 19:21:44.22 on Wed 02/18/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.282 [GMT -5:00]
AV: avast! antivirus 4.7.942 [VPS 090218-0] *On-access scanning enabled* (Updated)
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Outdated)
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
F:\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [qr5v6k46i8bdy] c:\docume~1\orville\locals~1\temp\jc3dj9oqleln.exe
mRun: [VTTimer] VTTimer.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [Sunkist2k] c:\program files\multimedia card reader\shwicon2k.exe
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_01\bin\jusched.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wincin~1.lnk - c:\program files\sandisk\common\bin\WinCinemaMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ralink~1.lnk - c:\program files\ralink\common\RaUI.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\windows\system32\imon.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su2/CTL_V02002/ocx/15033/CTPID.cab
Filter: text/html - {cc6e3e31-2bd8-48c7-86fb-7f5302833add} - c:\windows\system32\mst122.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
============= SERVICES / DRIVERS ===============
S1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2007-6-12 15424]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-2-16 132736]
S2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2007-6-12 552064]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-2-16 255616]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-2-16 370304]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-11-12 29744]
=============== Created Last 30 ================
2009-02-16 21:41 --d----- c:\docume~1\orville\applic~1\Malwarebytes
2009-02-16 21:41 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-16 21:41 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-16 21:41 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-16 21:41 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-16 18:18 --d----- c:\windows\pss
2009-02-11 19:37 120 ---sh--- c:\windows\system32\tmwtsrno.ini
2009-02-11 19:26 120 ---sh--- c:\windows\system32\oyiimiuc.ini
2009-02-09 16:52 120 ---sh--- c:\windows\system32\qknpocao.ini
2009-01-26 20:02 --dsh--- c:\windows\system32\twain32
2009-01-26 20:01 1,530,740 ---sh--- c:\windows\system32\eqiyhkpu.ini
2009-01-24 20:45 136,704 a------- c:\windows\efeyiqopacajuhi.dll
2009-01-24 19:15 1,526,355 ---sh--- c:\windows\system32\ykjesidk.ini
2009-01-23 18:56 1,435,294 ---sh--- c:\windows\system32\jfvlwsds.ini
2009-01-21 17:37 1,435,294 ---sh--- c:\windows\system32\wlnmfxkf.ini
2009-01-20 17:29 1,435,294 ---sh--- c:\windows\system32\evvfbyik.ini
2009-01-20 17:27 129,024 a------- c:\windows\system32\vfoebn.dll
2009-01-20 17:27 129,024 a------- c:\windows\system32\cxqnnbbu.dll
==================== Find3M ====================
============= FINISH: 19:22:04.79 ===============
Last edited by Zorx on 19th February 2009, 1:32 am; edited 1 time in total