BleepingComputer.com

BleepingComputer.com > Security > HijackThis Logs and Virus/Trojan/Spyware/Malware Removal

late_at_nine

May 13 2007, 10:45 AM

I've taken all of the steps advised by this website, but I still can't seem to get rid of these pop up ads (mainly winantivirus and fling.com, amongst others). Here are some things I've noticed:
Windows Defender had an error deleting "ClickSpring.PurityScan"
Spybot always seems to detect something like Smith.Fraud Toolbar
I had a program call Outerinfo installed on my computer (Hopefully it's gone now)
Adaware is and AVG antispyware are reporting no problems as of the last scans I did
Obviously something is still wrong, so here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:34:10 AM, on 5/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Quicken\bagent.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\wamp\wampserver.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
c:\wamp\apache2\bin\Apache.exe
c:\wamp\mysql\bin\mysqld-nt.exe
C:\wamp\apache2\bin\Apache.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ogmwnmu.exe
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [w474e2ee.dll] RUNDLL32.EXE w474e2ee.dll,I2 00141d190474e2ee
O4 - HKLM\..\Run: [mssgdf] C:\WINDOWS\System32\mbopdh.exe reg_run
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\tclrhuot.dll",realset
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ipaie] C:\WINDOWS\System32\mbopdh.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: WampServer.lnk = C:\wamp\wampserver.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1149810379350
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1149810641297
O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)

Thanks for any help you can give me!

RichieUK

May 13 2007, 11:25 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum late_at_nine

Download SmitfraudFix (by S!Ri), to your desktop.
Double click on Smitfraudfix.cmd
Select option #1 – Search, by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

********************************

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens,click the "Scan for Vundo" button.
Once it's done scanning,click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed,it will prompt that it will reboot your computer,click "OK".

Please post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case,VundoFix will run on reboot,simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

********************************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.

********************************

Now go to:
C:\Program Files\HijackThis\HijackThis.exe
Right click on Hijackthis.exe and select 'Rename', rename it to abc.bat
Double click on abc.bat(which is still Hijackthis.exe),post that log into your next reply please.

late_at_nine

May 13 2007, 12:19 PM

here are those log files. A folder called QooBox has appeared in my C directory. It has many subfolders but no contents...
ALSO...I can no longer restore my active desktop...it says "Object doesnt support this action" in an error message for
file:///C:/Documents%20and%20Settings/Administrator/Application%20Data/Microsoft/Internet%20Explorer/Desktop.htt
This occured after Combofix restarted, I've restarted again with no change.

SmitFraudFix v2.181

Scan done at 12:38:38.37, Sun 05/13/2007
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08\hpqtra08.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903\BackWeb-137903.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray\sgtray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\keyboard1.dat FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Common Files\\profsyrt.html"
"SubscribedURL"=""
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\Windows Media Player\\kyzepepem.html"
"SubscribedURL"=""
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="C:\\Program Files\\MSN Gaming Zone\\howym.html"
"SubscribedURL"=""
"FriendlyName"=""

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 68.87.71.226
DNS Server Search Order: 68.87.73.242

HKLM\SYSTEM\CCS\Services\Tcpip\..\{4D2EA0CE-DB4F-4E7C-B082-C9103E95149E}: DhcpNameServer=68.87.71.226 68.87.73.242
HKLM\SYSTEM\CS1\Services\Tcpip\..\{4D2EA0CE-DB4F-4E7C-B082-C9103E95149E}: DhcpNameServer=68.87.71.226 68.87.73.242
HKLM\SYSTEM\CS2\Services\Tcpip\..\{4D2EA0CE-DB4F-4E7C-B082-C9103E95149E}: DhcpNameServer=68.87.71.226 68.87.73.242
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.71.226 68.87.73.242
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.71.226 68.87.73.242
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.71.226 68.87.73.242

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

VundoFix V6.3.21

Checking Java version...

Scan started at 1:02:41 AM 5/13/2007

Listing files found while scanning....

C:\WINDOWS\system32\qqstv.bak1
C:\WINDOWS\system32\qqstv.ini
C:\WINDOWS\system32\vtsqq.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\qqstv.bak1
C:\WINDOWS\system32\qqstv.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\qqstv.ini
C:\WINDOWS\system32\qqstv.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtsqq.dll
C:\WINDOWS\system32\vtsqq.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.21

Checking Java version...

Scan started at 12:40:34 PM 5/13/2007

Listing files found while scanning....

C:\WINDOWS\system32\cfhkj.bak1
C:\WINDOWS\system32\cfhkj.bak2
C:\WINDOWS\system32\cfhkj.ini
C:\WINDOWS\system32\jkhfc.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\cfhkj.bak1
C:\WINDOWS\system32\cfhkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\cfhkj.bak2
C:\WINDOWS\system32\cfhkj.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\cfhkj.ini
C:\WINDOWS\system32\cfhkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkhfc.dll
C:\WINDOWS\system32\jkhfc.dll Has been deleted!

Performing Repairs to the registry.
Done!

"Administrator" - 2007-05-13 11:53:36 Service Pack 2
ComboFix 07-05.13.V - Running from: "C:\Documents and Settings\Administrator\Desktop\"

((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))

No infected Qoologic files found. Reg entries were fixed

(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\ofxsgsbr.dll
C:\WINDOWS\system32\tclrhuot.dll
C:\WINDOWS\system32\tjutvkbt.dll
C:\WINDOWS\system32\touhrlct.ini
C:\WINDOWS\system32\cbxxwuu.dll

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\keyboard1.dat
C:\Program Files\Common Files\profsyrt.html
C:\Program Files\outerinfo\Terms.rtf
C:\Temp\17O7\tmpTF.log
C:\Program Files\outerinfo
C:\Program Files\windows
C:\WINDOWS\system32\smpi1
C:\Temp\17O7
C:\Temp\tn3
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\Program Files\Common Files\RACLE~1
C:\qoobox\purity\C\WINDOWS\system32\ASEMBL~1

((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS

((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-13 ))))))))))))))))))))))))))))))))))

2007-05-13 12:38 4,540 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-13 11:50 1,465,712 ---hs---- C:\WINDOWS\system32\yycdd.bak1
2007-05-13 11:49 262,708 ---hs---- C:\WINDOWS\system32\mljji.dll
2007-05-13 11:49 262,708 ---hs---- C:\WINDOWS\system32\ddcyy.dll
2007-05-13 03:17 1,893,383 --a------ C:\Program Files\stinger.exe
2007-05-13 01:56 <DIR> d-------- C:\DOCUME~1\ADMINI~1\.housecall6.6
2007-05-13 01:14 6,006,832 --a------ C:\Program Files\Firefox Setup 2.0.0.3.exe
2007-05-13 01:02 <DIR> d-------- C:\VundoFix Backups
2007-05-12 15:53 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-12 15:52 11,470,608 --a------ C:\Program Files\avgas-setup-7.5.0.50.exe
2007-05-12 15:37 <DIR> d-------- C:\Program Files\Windows Defender
2007-05-12 12:12 <DIR> d-------- C:\WINDOWS\system32\SBO
2007-04-26 03:16 <DIR> d-------- C:\Program Files\AnalogX
2007-04-26 02:22 <DIR> d-------- C:\Program Files\u-he
2007-04-26 02:22 <DIR> d-------- C:\Program Files\Celemony
2007-04-26 00:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-04-26 00:48 <DIR> d-------- C:\Program Files\Bonjour
2007-04-26 00:38 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-04-25 23:39 13,030,686 --a------ C:\Program Files\MelodyneDemo.3.1.Setup.exe
2007-04-22 13:47 1,205,365 --a------ C:\Program Files\wrar37b7.exe
2007-04-22 13:47 <DIR> d-------- C:\Program Files\Total Annihilation
2007-04-22 13:47 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\WinRAR
2007-04-20 23:48 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-04-20 23:48 115,880 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-04-20 23:47 6,718,976 --a------ C:\Program Files\winamp533_full_emusic-7plus.exe

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-12 18:00:34 -------- d-----w C:\Program Files\Windows NT
2007-04-28 00:37:12 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\U3
2007-04-26 22:23:10 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Digidesign
2007-04-26 09:31:54 -------- d-----w C:\Program Files\Digidesign
2007-04-26 08:46:30 -------- d-----w C:\Program Files\Winamp
2007-04-26 07:22:44 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-03-29 07:19:23 -------- d-----w C:\Program Files\Sibelius Software
2007-03-29 07:19:03 -------- d-----w C:\Program Files\Sibelius 3
2007-03-24 16:10:18 -------- d-----w C:\Program Files\QuickTime
2007-03-22 18:45:30 -------- d-----w C:\Program Files\DSemu
2007-03-22 01:54:16 77,312 ----a-w C:\WINDOWS\system32\TWAIN_32.DLL
2007-03-22 01:54:16 69,632 ----a-w C:\WINDOWS\system32\TWUNK_32.EXE
2007-03-22 01:54:16 48,560 ----a-w C:\WINDOWS\system32\TWUNK_16.EXE
2007-03-21 18:37:16 -------- d-----w C:\Program Files\Shadow Warrior XP
2007-03-21 17:43:52 -------- d-----w C:\Program Files\AIM
2007-03-21 17:43:45 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Aim
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-07 00:29:14 -------- d-----w C:\Program Files\ZSNES
2007-02-10 01:25:04 10 ----a-w C:\WINDOWS\popcinfo.dat
2007-02-07 23:51:35 51 ----a-w C:\WINDOWS\system32\FsmSaver.dat
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{19735B73-8AAA-4D34-A1A1-C943532239C6}=C:\WINDOWS\system32\ddcyy.dll [2007-05-13 11:49]
{357AC8A3-900E-46DB-8BBE-42C6CF9CAAAB}=C:\Program Files\Common Files\lavug.dll []
{37BDF44D-16F8-6D22-AB3B-1CE34DE2FFB9}=C:\WINDOWS\system32\yhn.dll []
{46593D12-763D-449E-8A0C-4CC2D8672A5f}=C:\WINDOWS\system32\tdqejtoj.dll []
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 00:04]
{53B288A8-8506-47EF-883E-33C86CC0CEF9}=C:\Program Files\Windows NT\hokemozyk.dll []
{8C48A969-EE81-4B14-9CDB-1104F55F0E41}=C:\WINDOWS\system32\jkhfc.dll []
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [2007-01-19 23:55]
{C9096BA3-4A66-4C5F-B8DC-6DB20DE5A753}=C:\WINDOWS\system32\vtsqq.dll []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"CamMonitor"="c:\\Program Files\\HP\\Digital Imaging\\Unload\\hpqcmon.exe"
"HPHUPD05"="c:\\Program Files\\HP\\{45B6180B-DCAB-4093-8EE8-6164457517F0}\\hphupd05.exe"
"HPHmon05"="C:\\WINDOWS\\System32\\hphmon05.exe"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"ATIModeChange"="Ati2mdxx.exe"
"LTMSG"="LTMSG.exe 7"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"Sunkist2k"="C:\\Program Files\\Multimedia Card Reader\\shwicon2k.exe"
"Reminder"="\"C:\\Windows\\Creator\\Remind_XP.exe\""
"DigidesignMMERefresh"="C:\\Program Files\\Digidesign\\Drivers\\MMERefresh.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"w474e2ee.dll"="RUNDLL32.EXE w474e2ee.dll,I2 00141d190474e2ee"
"WUSB54Gv4"="C:\\Program Files\\Linksys Wireless-G USB Wireless Network Monitor\\InvokeSvc3.exe"
"AlcxMonitor"="ALCXMNTR.EXE"
"tgcmd"="C:\\Program Files\\Support.com\\bin\\tgcmd.exe /server /startmonitor /deaf"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-04 02:56]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-10-03 00:19]
"CamMonitor"="c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 10:23]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" []
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-23 05:55]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-11-04 01:36]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-12-17 03:10]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 00:42]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-05 03:24 C:\WINDOWS\system32\Ati2mdxx.exe])
"LTMSG"="LTMSG.exe" [])
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-08-12 21:10]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-08-14 19:11]
"Reminder"="C:\Windows\Creator\Remind_XP.exe" [2003-06-17 21:13]
"DigidesignMMERefresh"="C:\Program Files\Digidesign\Drivers\MMERefresh.exe" [2005-04-12 01:28]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50]
"w474e2ee.dll"="w474e2ee.dll" [])
"WUSB54Gv4"="C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe" [2004-04-19 08:19]
"AlcxMonitor"="ALCXMNTR.EXE" [])
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2006-06-02 15:09]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecordNow!"="" [])
"BackupNotify"="c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe" [2003-06-23 00:25]
"Aim6"="" [])
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-01-31 22:31]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"RecordNow!"=""
"BackupNotify"="c:\\Program Files\\HP\\Digital Imaging\\bin\\backupnotify.exe"
"Aim6"=""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\AdobeUpdater]
@=""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ C:\Program Files\Common Files\profsyrt.html

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source REG_SZ C:\Program Files\Windows Media Player\kyzepepem.html

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source REG_SZ C:\Program Files\MSN Gaming Zone\howym.html

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 09:13]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcyy

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
HTTPFilter HTTPFilter\0\0
DcomLaunch DcomLaunch\0TermService\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command D:\Info.exe folder.htt 480 480
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_GTNDIS5

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\WebReg 20050513165948.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-13 12:06:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 2007-05-13 12:08:46 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-13 12:08

Logfile of HijackThis v1.99.1
Scan saved at 12:12:12 PM, on 5/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
c:\wamp\apache2\bin\Apache.exe
c:\wamp\mysql\bin\mysqld-nt.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\wamp\apache2\bin\Apache.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Quicken\bagent.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08\hpqtra08.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\abc.bat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: (no name) - {19735B73-8AAA-4D34-A1A1-C943532239C6} - C:\WINDOWS\system32\ddcyy.dll
O2 - BHO: 0 - {357AC8A3-900E-46DB-8BBE-42C6CF9CAAAB} - C:\Program Files\Common Files\lavug.dll (file missing)
O2 - BHO: (no name) - {37BDF44D-16F8-6D22-AB3B-1CE34DE2FFB9} - C:\WINDOWS\system32\yhn.dll (file missing)
O2 - BHO: (no name) - {46593D12-763D-449E-8A0C-4CC2D8672A5f} - C:\WINDOWS\system32\tdqejtoj.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53B288A8-8506-47EF-883E-33C86CC0CEF9} - C:\Program Files\Windows NT\hokemozyk.dll (file missing)
O2 - BHO: (no name) - {8C48A969-EE81-4B14-9CDB-1104F55F0E41} - C:\WINDOWS\system32\jkhfc.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {C9096BA3-4A66-4C5F-B8DC-6DB20DE5A753} - C:\WINDOWS\system32\vtsqq.dll (file missing)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [w474e2ee.dll] RUNDLL32.EXE w474e2ee.dll,I2 00141d190474e2ee
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\hgqtgfqk.dll",realset
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: WampServer.lnk = C:\wamp\wampserver.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1149810379350
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1149810641297
O20 - Winlogon Notify: ddcyy - C:\WINDOWS\system32\ddcyy.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)

RichieUK

May 13 2007, 01:01 PM

QUOTE

A folder called QooBox has appeared in my C directory. It has many subfolders but no contents...

Don't touch that folder just yet,it belongs to Combofix.

********************************

Reboot your computer into SAFE MODE using the F8 method.
To do this,restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Double click on Smitfraudfix.cmd
Select #2 and hit Enter to delete the infected files.
You will be prompted: 'Do you want to clean the registry?' answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): 'Replace infected file ?' answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process.
The report can be found at the root of the system drive, usually at C:\rapport.txt

Post the smitfraudfix report into your next reply.

********************************

Download Killbox by Option^Explicit:
http://download.bleepingcomputer.com/spyware/KillBox.zip
Save it to your desktop.
Please double-click Killbox.exe to run it.
Select: 'Delete on Reboot'.
Then Click on the 'All Files' button.
Please copy ALL the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\ddcyy.dll
C:\WINDOWS\system32\hgqtgfqk.dll
C:\WINDOWS\system32\yycdd.bak1
C:\WINDOWS\system32\mljji.dll

Return to Killbox,go to the File menu,and choose 'Paste from Clipboard'.
Click the red-and-white Delete File button.
Click 'Yes' at the 'Delete on Reboot' prompt.
Click OK at any 'PendingFileRenameOperations' prompt.
If your computer does not restart automatically,please restart it manually.

After rebooting, open up Killbox again.
Click 'File'>'Logs'>'Actions History Log'.
Post this log in your next reply.

*******************************

Download/install AVG Anti-Spyware 7.5.

Please follow these instructions very carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab,and then 'Start Update'.
Note:
If you have any problems running the update process prior to running the scan,download/install the 'Full Database' from here:
http://download.ewido.net/avgas-signatures-full-current.exe

Once the updates have been installed,do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen,under 'How to act?',then under 'Set default action for detected malware to:', click on 'Recommended actions',then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware,don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this,restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following [If still present], by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

O2 - BHO: (no name) - {19735B73-8AAA-4D34-A1A1-C943532239C6} - C:\WINDOWS\system32\ddcyy.dll
O2 - BHO: 0 - {357AC8A3-900E-46DB-8BBE-42C6CF9CAAAB} - C:\Program Files\Common Files\lavug.dll (file missing)
O2 - BHO: (no name) - {37BDF44D-16F8-6D22-AB3B-1CE34DE2FFB9} - C:\WINDOWS\system32\yhn.dll (file missing)
O2 - BHO: (no name) - {46593D12-763D-449E-8A0C-4CC2D8672A5f} - C:\WINDOWS\system32\tdqejtoj.dll (file missing)
O2 - BHO: (no name) - {53B288A8-8506-47EF-883E-33C86CC0CEF9} - C:\Program Files\Windows NT\hokemozyk.dll (file missing)
O2 - BHO: (no name) - {8C48A969-EE81-4B14-9CDB-1104F55F0E41} - C:\WINDOWS\system32\jkhfc.dll (file missing)
O2 - BHO: (no name) - {C9096BA3-4A66-4C5F-B8DC-6DB20DE5A753} - C:\WINDOWS\system32\vtsqq.dll (file missing)
O4 - HKLM\..\Run: [w474e2ee.dll] RUNDLL32.EXE w474e2ee.dll,I2 00141d190474e2ee
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\hgqtgfqk.dll",realset
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: ddcyy - C:\WINDOWS\system32\ddcyy.dll

Exit Hijackthis.

Still in Safe Mode launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient,it takes a while for the scan to finish.

Once the scan is complete,do the following.
If AVG Anti-Spyware detected any infected objects:,click on 'Apply All Actions'.

Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you've done.
Reboot normally.

Post the AVG Anti Spyware report and a new Hijackthis log into your next reply.
Let me know how your pc is running now please.

late_at_nine

May 13 2007, 10:43 PM

Ok I did all of these things, but I'm still getting pop ups...here are the logs:

SmitFraudFix v2.181

Scan done at 14:04:54.62, Sun 05/13/2007
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{4D2EA0CE-DB4F-4E7C-B082-C9103E95149E}: DhcpNameServer=68.87.71.226 68.87.73.242
HKLM\SYSTEM\CS1\Services\Tcpip\..\{4D2EA0CE-DB4F-4E7C-B082-C9103E95149E}: DhcpNameServer=68.87.71.226 68.87.73.242
HKLM\SYSTEM\CS2\Services\Tcpip\..\{4D2EA0CE-DB4F-4E7C-B082-C9103E95149E}: DhcpNameServer=68.87.71.226 68.87.73.242
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.71.226 68.87.73.242
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.71.226 68.87.73.242
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.71.226 68.87.73.242

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

box version 2.0.0.648
Running on Windows XP as Administrator(Administrator)
was started @ Sunday, May 13, 2007, 2:11 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\ddcyy.dll

# 2 [Delete on Reboot]
Path = C:\WINDOWS\system32\hgqtgfqk.dll

# 3 [Delete on Reboot]
Path = C:\WINDOWS\system32\yycdd.bak1

# 4 [Delete on Reboot]
Path = C:\WINDOWS\system32\mljji.dll

PendingFileRenameOperations Registry Data has been Removed by External Process! @ 2:13:51 PM
Killbox Closed(Exit) @ 2:14:15 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Administrator(Administrator)
was started @ Sunday, May 13, 2007, 2:16 PM

Killbox Closed(Exit) @ 2:17:21 PM
__________________________________________________

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:17:00 PM 5/13/2007

+ Scan result:

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP700\A0040811.dll -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP700\A0040813.exe -> Adware.ZQuest : Cleaned.
C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP700\A0040804.exe -> Downloader.Agent.bls : Cleaned.
C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP700\A0040805.exe -> Downloader.Agent.bls : Cleaned.
C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP700\A0040806.exe -> Downloader.Agent.bls : Cleaned.
C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP700\A0040803.exe -> Downloader.PurityScan.af : Cleaned.
C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP700\A0040802.dll -> Hijacker.StartPage : Cleaned.
C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP700\A0040801.exe -> Logger.Delf.ncs : Cleaned.
C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP700\A0040779.sys -> Rootkit.Agent.eq : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@heavycom.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@stats.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.10:C:\Program Files\support.com\backup\co\cookies.txt\17026_573fcfac8_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning.
:mozilla.11:C:\Program Files\support.com\backup\co\cookies.txt\17026_573fcfac8_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning.
:mozilla.8:C:\Program Files\support.com\backup\co\cookies.txt\17026_573fcfac8_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning.
:mozilla.9:C:\Program Files\support.com\backup\co\cookies.txt\17026_573fcfac8_/cookies.txt -> TrackingCookie.Advertising : Error during cleaning.
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.7:C:\Program Files\support.com\backup\co\cookies.txt\17026_573fcfac8_/cookies.txt -> TrackingCookie.Doubleclick : Error during cleaning.
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.50:C:\Program Files\support.com\backup\co\cookies.txt\17026_573fcfac8_/cookies.txt -> TrackingCookie.Falkag : Error during cleaning.
C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.94:C:\Program Files\support.com\backup\co\cookies.txt\17026_573fcfac8_/cookies.txt -> TrackingCookie.Imrworldwide : Error during cleaning.
:mozilla.95:C:\Program Files\support.com\backup\co\cookies.txt\17026_573fcfac8_/cookies.txt -> TrackingCookie.Imrworldwide : Error during cleaning.
C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.185:C:\Program Files\support.com\backup\co\cookies.txt\17026_573fcfac8_/cookies.txt -> TrackingCookie.Paypal : Error during cleaning.
C:\Documents and Settings\Administrator\Cookies\administrator@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
:mozilla.44:C:\Program Files\support.com\backup\co\cookies.txt\17026_573fcfac8_/cookies.txt -> TrackingCookie.Realmedia : Error during cleaning.
:mozilla.45:C:\Program Files\support.com\backup\co\cookies.txt\17026_573fcfac8_/cookies.txt -> TrackingCookie.Realmedia : Error during cleaning.
:mozilla.46:C:\Program Files\support.com\backup\co\cookies.txt\17026_573fcfac8_/cookies.txt -> TrackingCookie.Realmedia : Error during cleaning.
:mozilla.47:C:\Program Files\support.com\backup\co\cookies.txt\17026_573fcfac8_/cookies.txt -> TrackingCookie.Realmedia : Error during cleaning.
:mozilla.48:C:\Program Files\support.com\backup\co\cookies.txt\17026_573fcfac8_/cookies.txt -> TrackingCookie.Realmedia : Error during cleaning.
C:\Documents and Settings\Administrator\Cookies\administrator@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.154:C:\Program Files\support.com\backup\co\cookies.txt\17026_573fcfac8_/cookies.txt -> TrackingCookie.Webtrends : Error during cleaning.
:mozilla.54:C:\Program Files\support.com\backup\co\cookies.txt\17026_573fcfac8_/cookies.txt -> TrackingCookie.Yieldmanager : Error during cleaning.
C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP700\A0040808.exe -> Trojan.Small : Cleaned.

::Report end

RichieUK

May 14 2007, 02:47 AM

Double click on combofix.exe again and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply,also post a new Hijackthis log please.

late_at_nine

May 14 2007, 10:31 AM

"Administrator" - 2007-05-14 10:17:02 Service Pack 2
ComboFix 07-05.13.V - Running from: "C:\Documents and Settings\Administrator\Desktop\"

(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\hgqtgfqk.dll
C:\WINDOWS\system32\kqfgtqgh.ini

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\Program Files\Common Files\RACLE~1
C:\qoobox\purity\C\WINDOWS\system32\ASEMBL~1

((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-14 ))))))))))))))))))))))))))))))))))

2007-05-13 14:11 <DIR> d-------- C:\!KillBox
2007-05-13 12:38 4,076 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-13 12:08 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-13 11:50 1,465,712 --------- C:\WINDOWS\system32\yycdd.bak1
2007-05-13 11:49 262,708 --------- C:\WINDOWS\system32\mljji.dll
2007-05-13 11:49 262,708 --------- C:\WINDOWS\system32\ddcyy.dll
2007-05-13 03:17 1,893,383 --a------ C:\Program Files\stinger.exe
2007-05-13 01:56 <DIR> d-------- C:\DOCUME~1\ADMINI~1\.housecall6.6
2007-05-13 01:14 6,006,832 --a------ C:\Program Files\Firefox Setup 2.0.0.3.exe
2007-05-13 01:02 <DIR> d-------- C:\VundoFix Backups
2007-05-12 15:53 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-12 15:52 11,470,608 --a------ C:\Program Files\avgas-setup-7.5.0.50.exe
2007-05-12 15:37 <DIR> d-------- C:\Program Files\Windows Defender
2007-05-12 12:12 <DIR> d-------- C:\WINDOWS\system32\SBO
2007-04-26 03:16 <DIR> d-------- C:\Program Files\AnalogX
2007-04-26 02:22 <DIR> d-------- C:\Program Files\u-he
2007-04-26 02:22 <DIR> d-------- C:\Program Files\Celemony
2007-04-26 00:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-04-26 00:48 <DIR> d-------- C:\Program Files\Bonjour
2007-04-26 00:38 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-04-25 23:39 13,030,686 --a------ C:\Program Files\MelodyneDemo.3.1.Setup.exe
2007-04-22 13:47 1,205,365 --a------ C:\Program Files\wrar37b7.exe
2007-04-22 13:47 <DIR> d-------- C:\Program Files\Total Annihilation
2007-04-22 13:47 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\WinRAR
2007-04-20 23:48 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-04-20 23:48 115,880 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-04-20 23:47 6,718,976 --a------ C:\Program Files\winamp533_full_emusic-7plus.exe

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-14 03:30:01 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\U3
2007-05-12 18:00:34 -------- d-----w C:\Program Files\Windows NT
2007-04-26 22:23:10 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Digidesign
2007-04-26 09:31:54 -------- d-----w C:\Program Files\Digidesign
2007-04-26 08:46:30 -------- d-----w C:\Program Files\Winamp
2007-04-26 07:22:44 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-03-29 07:19:23 -------- d-----w C:\Program Files\Sibelius Software
2007-03-29 07:19:03 -------- d-----w C:\Program Files\Sibelius 3
2007-03-24 16:10:18 -------- d-----w C:\Program Files\QuickTime
2007-03-22 18:45:30 -------- d-----w C:\Program Files\DSemu
2007-03-22 01:54:16 77,312 ----a-w C:\WINDOWS\system32\TWAIN_32.DLL
2007-03-22 01:54:16 69,632 ----a-w C:\WINDOWS\system32\TWUNK_32.EXE
2007-03-22 01:54:16 48,560 ----a-w C:\WINDOWS\system32\TWUNK_16.EXE
2007-03-21 18:37:16 -------- d-----w C:\Program Files\Shadow Warrior XP
2007-03-21 17:43:52 -------- d-----w C:\Program Files\AIM
2007-03-21 17:43:45 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Aim
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-07 00:29:14 -------- d-----w C:\Program Files\ZSNES
2007-02-10 01:25:04 10 ----a-w C:\WINDOWS\popcinfo.dat
2007-02-07 23:51:35 51 ----a-w C:\WINDOWS\system32\FsmSaver.dat
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 00:04]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [2007-01-19 23:55]
{CD66C0A1-43FB-4B3E-A6EA-127CBD98F9EA}=C:\WINDOWS\system32\ddcyy.dll [2007-05-13 11:49]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"CamMonitor"="c:\\Program Files\\HP\\Digital Imaging\\Unload\\hpqcmon.exe"
"HPHUPD05"="c:\\Program Files\\HP\\{45B6180B-DCAB-4093-8EE8-6164457517F0}\\hphupd05.exe"
"HPHmon05"="C:\\WINDOWS\\System32\\hphmon05.exe"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"ATIModeChange"="Ati2mdxx.exe"
"LTMSG"="LTMSG.exe 7"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"Sunkist2k"="C:\\Program Files\\Multimedia Card Reader\\shwicon2k.exe"
"Reminder"="\"C:\\Windows\\Creator\\Remind_XP.exe\""
"DigidesignMMERefresh"="C:\\Program Files\\Digidesign\\Drivers\\MMERefresh.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"WUSB54Gv4"="C:\\Program Files\\Linksys Wireless-G USB Wireless Network Monitor\\InvokeSvc3.exe"
"tgcmd"="C:\\Program Files\\Support.com\\bin\\tgcmd.exe /server /startmonitor /deaf"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-04 02:56]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-10-03 00:19]
"CamMonitor"="c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 10:23]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" []
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-23 05:55]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-11-04 01:36]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-12-17 03:10]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 00:42]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-05 03:24 C:\WINDOWS\system32\Ati2mdxx.exe])
"LTMSG"="LTMSG.exe" [])
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-08-12 21:10]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-08-14 19:11]
"Reminder"="C:\Windows\Creator\Remind_XP.exe" [2003-06-17 21:13]
"DigidesignMMERefresh"="C:\Program Files\Digidesign\Drivers\MMERefresh.exe" [2005-04-12 01:28]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50]
"WUSB54Gv4"="C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe" [2004-04-19 08:19]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2006-06-02 15:09]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecordNow!"="" [])
"BackupNotify"="c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe" [2003-06-23 00:25]
"Aim6"="" [])
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-01-31 22:31]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"RecordNow!"=""
"BackupNotify"="c:\\Program Files\\HP\\Digital Imaging\\bin\\backupnotify.exe"
"Aim6"=""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\AdobeUpdater]
@=""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ C:\Program Files\MSN Gaming Zone\howym.html

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 09:13]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcyy

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
HTTPFilter HTTPFilter\0\0
DcomLaunch DcomLaunch\0TermService\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command D:\Info.exe folder.htt 480 480
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_GTNDIS5

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\WebReg 20050513165948.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-14 10:22:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 2007-05-14 10:23:06
C:\ComboFix-quarantined-files.txt ... 2007-05-14 10:23
C:\ComboFix2.txt ... 2007-05-13 12:08

Logfile of HijackThis v1.99.1
Scan saved at 10:26:00 AM, on 5/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\wamp\wampserver.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
c:\wamp\apache2\bin\Apache.exe
c:\wamp\mysql\bin\mysqld-nt.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\wamp\apache2\bin\Apache.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08\hpqtra08.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray\sgtray.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903\BackWeb-137903.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\abc.bat.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {CD66C0A1-43FB-4B3E-A6EA-127CBD98F9EA} - C:\WINDOWS\system32\ddcyy.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: WampServer.lnk = C:\wamp\wampserver.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1149810379350
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1149810641297
O20 - Winlogon Notify: ddcyy - C:\WINDOWS\system32\ddcyy.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)

RichieUK

May 14 2007, 10:38 AM

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens,copy and paste ALL the following bold blue text in the Quote box below:

QUOTE

Files to delete:
C:\WINDOWS\system32\yycdd.bak1
C:\WINDOWS\system32\mljji.dll
C:\WINDOWS\system32\ddcyy.dll

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.
Also post a new Hijackthis log please.

late_at_nine

May 14 2007, 11:02 AM

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\axefegwo

*******************

Script file located at: \??\C:\WINDOWS\mvfssuei.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\yycdd.bak1 deleted successfully.
File C:\WINDOWS\system32\mljji.dll deleted successfully.
File C:\WINDOWS\system32\ddcyy.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Logfile of HijackThis v1.99.1
Scan saved at 10:58:05 AM, on 5/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\wamp\wampserver.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
c:\wamp\apache2\bin\Apache.exe
c:\wamp\mysql\bin\mysqld-nt.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\wamp\apache2\bin\Apache.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray\sgtray.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903\BackWeb-137903.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\abc.bat.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {D2D4B41B-A70C-42E9-9121-4203E4646B90} - C:\WINDOWS\system32\ddcyy.dll (file missing)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: WampServer.lnk = C:\wamp\wampserver.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1149810379350
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1149810641297
O20 - Winlogon Notify: ddcyy - C:\WINDOWS\system32\ddcyy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)

RichieUK

May 14 2007, 11:29 AM

First disable Windows Defender's real-time protection,as it may interfere.
* Open Microsoft Windows Defender. Click Start>All Programs>Windows Defender.
* Click on 'Tools'>'Options'.
* Under 'Real-time protection options', unselect the 'Turn on real-time protection' check box
* Click 'Save'.

**********************

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {D2D4B41B-A70C-42E9-9121-4203E4646B90} - C:\WINDOWS\system32\ddcyy.dll (file missing)
O20 - Winlogon Notify: ddcyy - C:\WINDOWS\system32\ddcyy.dll (file missing)
Exit Hijackthis.

**********************

It seems you've no virus protection installed.
Download\install one of the following freeware options from the choice below.
Once installed update its definitions and then run a full system virus scan.

AVG7 Free Edition Antivirus:
http://free.grisoft.com/softw/70free/setup...ree_446a965.exe

Avast! 4 Home Edition:
http://files.avast.com/iavs4pro/setupeng.exe

Active Virus Shield
There's a nice setup tutorial Here:
http://www.activevirusshield.com/antivirus/freeav/

**********************

Your log is clean

If all's ok,please do the following:

Find and delete:
C:\QooBox
C:\VundoFix Backups

Make sure Windows Defender is now enabled.

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window,click on the 'Create a Restore Point' button,then click 'Next'.
In the window that appears,enter a description\name for the Restore Point,then click on 'Create',wait,then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear,click on Ok.
The 'Disk Cleanup for [C:]' box will appear,click on the 'More Options' tab.
At the bottom in the 'System Restore' window,click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?',click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here,to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

Please Note:
Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java,and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u1'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java versions.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.