Help, Pop Ups, Ldcore.dll


9 replies to this topic

#1 AndWeWereDreaming


Posted 27 July 2007 - 10:54 PM

Hello,

For the past 3 days I've been having a problem with pop-ups, and Spybot keeps finding ldcore.dll and there's no way to delete it. I was hoping that someone would be able to help me get rid of it if possible.

Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:52:47 PM, on 7/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Feebe\FeebeSecDisk\feebe_sd_srv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\svhost.exe
C:\WINDOWS\zhywtwfA.exe
C:\WINDOWS\g4356cbvy63.exe
C:\WINDOWS\csrss.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SecCenter\scprot4.exe
C:\Program Files\Jvpawpym\kqyakdoq.exe
C:\WINDOWS\keyacc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\retadpu77.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\QmVyZWEgQ29sbGVnZQ\command.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\haynesr\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livejournal.com/users/mourningritual/friends
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wpad/wpad.dat
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.berea.edu:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.berea.edu"); (C:\Documents and Settings\haynesr\Application Data\Mozilla\Profiles\default\7qjsh317.slt\prefs.js)
O3 - Toolbar: ALTAVISTA - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\PROGRA~1\DYNAMI~1\ALTAVI~1\ALTAVI~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [zhywtwfA] C:\WINDOWS\zhywtwfA.exe
O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\TISKY009.exe SKY009
O4 - HKLM\..\Run: [g4356cbvy63] C:\WINDOWS\g4356cbvy63
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\kgshwyyw.dll",forkonce
O4 - HKLM\..\Run: [csrss] C:\WINDOWS\csrss.exe
O4 - HKLM\..\Run: [enututub] rundll32.exe "C:\Program Files\udyxwfwp\wxwrajqr.dll",Init
O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
O4 - HKLM\..\Run: [lduppbqs] C:\Program Files\Jweetlhy\lduppbqs.exe
O4 - HKLM\..\Run: [kqyakdoq] C:\Program Files\Jvpawpym\kqyakdoq.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Free People Search Agent] C:\Documents and Settings\haynesr\Desktop\FreePeopleSearchAgent_v1(2).exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\TISKY009.exe
O4 - Global Startup: KeyAccess.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://speedbar.ask.com/menusearch.html?p=4
O8 - Extra context menu item: AltaVista Search - file://C:\Program Files\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextSearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Translate - file://C:\Program Files\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextTranslation.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1110376070784
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} (MediaControl Class) - http://entriq.vo.llnwd.net/o1/NBCUniversal..._2_2_Silent.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {DE0FB644-C59B-46D1-B650-88BA945BC98F} - http://entriq.vo.llnwd.net/o1/NBCUniversal...sal_1_0_0_7.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = berea.edu
O17 - HKLM\Software\..\Telephony: DomainName = berea.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = berea.edu
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: KATRACK.DLL c:\windows\system32\ldcore.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QmVyZWEgQ29sbGVnZQ\command.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Feebe Secure Disk Service (FeebeSecDiskSrv) - Feebe, Inc. - C:\Program Files\Feebe\FeebeSecDisk\feebe_sd_srv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
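
As an added example that is not part of the original thread (and not HijackThis's own logic): a small Python triage script that parses the O4 (Run keys), O20 (AppInit_DLLs) and O23 (services) lines of a HijackThis log and flags the kinds of indicators visible in the log above: executables named after, or one letter away from, core Windows processes but living outside system32, autostart binaries dropped straight into the Windows directory, every AppInit_DLLs entry (loaded into each GUI process, so it always deserves verification), services with no identifiable publisher, and generated-looking file names with almost no vowels. The rules and thresholds are my own heuristics; the sample input is a subset of lines copied from the first post's log.

```python
import ntpath
import re

# Core processes whose names are commonly imitated by malware.
CORE_PROCESSES = ("smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "spoolsv.exe")
SYSTEM32 = r"c:\windows\system32"
WINROOT = r"c:\windows"
VOWELS = set("aeiou")

O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O20_RE = re.compile(r'^O20 - AppInit_DLLs: (?P<dlls>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<svc>.*?) - (?P<owner>.*?) - (?P<path>.*)$')
# First drive-letter path ending in an executable extension, quoted or not.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|com|scr|bat|cmd)\b', re.IGNORECASE)

# Constructed sample: a subset of lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [csrss] C:\WINDOWS\csrss.exe
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\kgshwyyw.dll",forkonce
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - AppInit_DLLs: KATRACK.DLL c:\windows\system32\ldcore.dll
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
"""


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character name imitations (svhost/svchost)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_path(cmd):
    """Pull the binary path out of a Run value or service command line."""
    m = PATH_RE.search(cmd)
    return m.group(0) if m else (cmd.strip('"').split() or [""])[0]


def check_path(path):
    """Heuristic checks on one binary path; returns a list of finding strings."""
    findings = []
    directory, base = ntpath.split(path.lower())
    for core in CORE_PROCESSES:
        distance = edit_distance(base, core)
        if distance == 0 and directory != SYSTEM32:
            findings.append(f"system process name {core} running outside system32: {path}")
        elif distance == 1:
            findings.append(f"near-miss spelling of system process {core}: {path}")
    if directory == WINROOT:
        findings.append(f"autostart binary placed directly in the Windows directory: {path}")
    # Generated names (kgshwyyw, dls0523pmw) tend to have almost no vowels; threshold is a guess.
    letters = re.sub(r"[^a-z]", "", ntpath.splitext(base)[0])
    if len(letters) >= 6 and sum(c in VOWELS for c in letters) <= len(letters) / 8:
        findings.append(f"low-vowel, generated-looking file name: {path}")
    return findings


def triage(log_text):
    """Return (log line, finding) pairs for every line that trips a rule."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            findings += [(line, f) for f in check_path(extract_path(m.group("cmd")))]
            continue
        m = O20_RE.match(line)
        if m:
            findings += [(line, f"AppInit_DLLs entry, injected into every GUI process: {dll}")
                         for dll in m.group("dlls").split()]
            continue
        m = O23_RE.match(line)
        if m:
            if m.group("owner").lower() == "unknown owner":
                kind = ("orphaned service entry" if "(file missing)" in m.group("path")
                        else "service with no identifiable publisher")
                findings.append((line, f"{kind}: {m.group('svc')}"))
            findings += [(line, f) for f in check_path(extract_path(m.group("path")))]
    return findings


if __name__ == "__main__":
    for line, finding in triage(SAMPLE_LOG):
        print(f"{finding}\n    <- {line}")
```

Run it on a saved log with `triage(open("hijackthis.log").read())`; every hit is a lead for manual verification (publisher, signature, install date), not a verdict, and the legitimate igfxtray, ccApp and Bonjour lines in the sample pass clean.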


#2 RichieUK


    Malware Assassin


  • Malware Response Team

Posted 28 July 2007 - 05:25 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, AndWeWereDreaming.
My name is Richie and I'll be helping you to fix your problems.

Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double-click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, go to and open the C:\SDFix folder, then double-click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.

------------------------------------------

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files; click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click "OK".
Post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

-----------------------------------------

Please download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop.

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.


Also post a new HijackThis log.

#3 AndWeWereDreaming

  • Topic Starter


Posted 29 July 2007 - 01:12 PM

SD Fix

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found



Folder C:\Program Files\poolsv - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"D:\\SETUP.EXE"="D:\\SETUP.EXE:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\1151036242\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1151036242\\EE\\AOLServiceHost.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\BearFlix\\bearflix.exe"="C:\\Program Files\\BearFlix\\bearflix.exe:*:Enabled:BearFlix"
"C:\\Program Files\\AIM\\AIM Pro\\aimpro.exe"="C:\\Program Files\\AIM\\AIM Pro\\aimpro.exe:*:Enabled:AIM Pro"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Last.fm\\LastFM.exe"="C:\\Program Files\\Last.fm\\LastFM.exe:*:Enabled:LastFM"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Ruckus Player\\Ruckus.exe"="C:\\Program Files\\Ruckus Player\\Ruckus.exe:*:Enabled:Ruckus"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\StreamCast\\Morpheus\\MorphEXE.exe"="C:\\Program Files\\StreamCast\\Morpheus\\MorphEXE.exe:*:Enabled:Morpheus"
"C:\\Program Files\\StreamCast\\Morpheus\\mldonkey\\mlnet.exe"="C:\\Program Files\\StreamCast\\Morpheus\\mldonkey\\mlnet.exe:*:Enabled:MLdonkey - multiuser P2P daemon"
"D:\\SETUP.EXE"="D:\\SETUP.EXE:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Ruckus Player\\Ruckus.exe"="C:\\Program Files\\Ruckus Player\\Ruckus.exe:*:Enabled:Ruckus"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"="C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Jukebox"

Remaining Files:
---------------


Files with Hidden Attributes:


Finished


Vundo Fix

VundoFix V6.5.6

Checking Java version...

Scan started at 1:14:04 AM 7/29/2007

Listing files found while scanning....

C:\WINDOWS\system32\jkklm.dll
C:\WINDOWS\system32\mlkkj.bak1
C:\WINDOWS\system32\mlkkj.ini
C:\WINDOWS\system32\mlkkj.ini2
C:\WINDOWS\system32\mlkkj.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\system32\jkklm.dll
C:\WINDOWS\system32\jkklm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mlkkj.bak1
C:\WINDOWS\system32\mlkkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\mlkkj.ini
C:\WINDOWS\system32\mlkkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\mlkkj.ini2
C:\WINDOWS\system32\mlkkj.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\mlkkj.tmp
C:\WINDOWS\system32\mlkkj.tmp Has been deleted!

Performing Repairs to the registry.
Done!


Combo Fix
ComboFix 07-07-28.5 - "haynesr" 2007-07-29 2:03:56.1 [GMT -4:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True
* Created a new restore point


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\mllmj.dll
C:\WINDOWS\system32\mwfsxqxc.dll
C:\WINDOWS\system32\xopdawes.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\myglobalsearch
C:\Program Files\myglobalsearch\bar\History\search
C:\Program Files\network monitor\netmon.exe
C:\Program Files\poolsv\is67969.exe
C:\Program Files\poolsv\svhost.exe
C:\Program Files\poolsv\WinAntiSpyware2007FreeInstall.exe
C:\Program Files\poolsv\wr-1-0000077.exe
C:\temp\tn3
C:\WINDOWS\b104.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\csrss.exe
C:\WINDOWS\dls0523pmw.exe
C:\WINDOWS\poolsv.exe
C:\WINDOWS\rau001978.exe
C:\WINDOWS\retadpu77.exe
C:\WINDOWS\svhost.exe
C:\WINDOWS\system32\appatc~1
C:\WINDOWS\system32\b06FdUe\b06FdUe1083.exe
C:\WINDOWS\system32\b10FdUe\b10FdUe1099.exe
C:\WINDOWS\system32\config\systemprofile\application data\.rdr.ini
C:\WINDOWS\system32\dnsersnd.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\T1\kmhp83122.exe
C:\WINDOWS\system32\T11\z553.exe
C:\WINDOWS\system32\T3\wr725.exe
C:\WINDOWS\system32\T5\tns2.exe
C:\WINDOWS\system32\T7
C:\WINDOWS\system32\T9\wb720.exe
C:\WINDOWS\system32\win
C:\WINDOWS\system32\wnsapii32.exe
C:\WINDOWS\TISKY009.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_NET_AGENT
-------\Net Agent


((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-29 )))))))))))))))))))))))))))))))


2007-07-29 01:57 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-29 01:14 <DIR> d-------- C:\VundoFix Backups
2007-07-29 00:47 2,675 ---hs---- C:\WINDOWS\system32\lctinmbb.ini2
2007-07-29 00:46 126,016 --a------ C:\WINDOWS\system32\bbmnitcl.dll
2007-07-29 00:08 <DIR> d-------- C:\DOCUME~1\HAYNES~1.001\APPLIC~1\Real
2007-07-28 22:30 <DIR> d-------- C:\WINDOWS\ERUNT
2007-07-28 22:28 1,048,576 --ah----- C:\DOCUME~1\HAYNES~1.001\NTUSER.DAT
2007-07-28 22:28 <DIR> d---s---- C:\DOCUME~1\HAYNES~1.001\UserData
2007-07-28 22:28 <DIR> d-------- C:\DOCUME~1\HAYNES~1.001\WINDOWS
2007-07-28 22:28 <DIR> d-------- C:\DOCUME~1\HAYNES~1.001\APPLIC~1\FileMaker
2007-07-28 22:28 <DIR> d-------- C:\DOCUME~1\HAYNES~1.001\.javaws
2007-07-28 04:18 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2007-07-28 04:07 <DIR> d-------- C:\f46c64f5b9ae996d7fa9756196
2007-07-28 03:46 <DIR> d-------- C:\52e90673d670664035338d
2007-07-28 03:01 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-07-28 03:01 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-07-28 03:01 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-07-28 03:01 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-07-28 03:01 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-07-28 03:00 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-07-28 02:59 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-07-28 02:54 <DIR> d-------- C:\Program Files\Sygate
2007-07-28 02:14 15 --a------ C:\WINDOWS\system32\getfile.dat
2007-07-27 23:35 <DIR> d-------- C:\DOCUME~1\haynesr\Program Files
2007-07-27 23:28 <DIR> d--hs---- C:\WINDOWS\QmVyZWEgQ29sbGVnZQ
2007-07-27 06:30 <DIR> d-------- C:\!KillBox
2007-07-27 06:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-27 06:13 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-27 00:49 <DIR> d-------- C:\Program Files\Ttdtxmms
2007-07-27 00:49 <DIR> d-------- C:\Program Files\Jvpawpym
2007-07-27 00:48 9,769 --a------ C:\WINDOWS\iijuc0578.exe
2007-07-26 17:31 4,789 --a------ C:\WINDOWS\system32\k.dat
2007-07-26 17:31 18,432 --a------ C:\WINDOWS\system32\wnupdate.exe
2007-07-26 17:31 <DIR> d-------- C:\WINDOWS\system32\betpdcow
2007-07-26 17:31 <DIR> d-------- C:\Program Files\SecCenter
2007-07-26 17:31 <DIR> d-------- C:\Program Files\Ldbkonlp
2007-07-26 17:31 <DIR> d-------- C:\Program Files\Jweetlhy
2007-07-26 17:30 <DIR> d-------- C:\Program Files\udyxwfwp
2007-07-26 03:10 66,624 --a------ C:\WINDOWS\system32\ubxkbvik.dll
2007-07-26 03:07 4,672 --a------ C:\WINDOWS\system32\yjmqrfms.exe
2007-07-26 03:05 66,112 --a------ C:\WINDOWS\system32\inrffxsk.exe
2007-07-26 03:05 4,672 --a------ C:\WINDOWS\system32\oqygfttk.exe
2007-07-26 00:20 19,968 --a------ C:\WINDOWS\system32\winzoa32.dll
2007-07-26 00:17 9,769 --a------ C:\WINDOWS\mtwxt0578.exe
2007-07-25 06:24 <DIR> d-------- C:\DOCUME~1\haynesr\APPLIC~1\??stem
2007-07-25 06:22 1,086,352 -r-hs---- C:\WINDOWS\zhywtwfA.exe
2007-07-25 06:21 54,784 --a------ C:\WINDOWS\zhywtwf.exe
2007-07-25 06:21 31,254 --a------ C:\WINDOWS\system32\pmnonol.dll
2007-07-25 06:21 31,254 --a------ C:\WINDOWS\system32\mljklkh.dll
2007-07-25 06:21 <DIR> d-------- C:\Temp\0c2
2007-07-25 06:20 <DIR> d-------- C:\Temp\brr
2007-07-25 06:20 <DIR> d-------- C:\Temp
2007-07-11 21:54 <DIR> d-------- C:\DOCUME~1\haynesr\APPLIC~1\Creative
2007-07-11 21:38 41,984 --------- C:\WINDOWS\Ctregrun.exe
2007-07-11 21:36 24,576 --------- C:\WINDOWS\system32\msxml3a.dll
2007-07-11 21:36 <DIR> d-------- C:\Program Files\Audible
2007-07-11 21:28 44,032 --------- C:\WINDOWS\system32\CTSVCCDA.EXE
2007-07-11 21:28 25,088 --------- C:\WINDOWS\system32\CTSVCCTL.EXE
2007-07-11 21:28 <DIR> d--h----- C:\Program Files\Creative Installation Information
2007-07-11 21:28 <DIR> d-------- C:\Program Files\Common Files\Creative
2007-07-11 21:21 <DIR> d-------- C:\Program Files\Creative
2007-07-06 15:40 192,512 --a------ C:\WINDOWS\g4356cbvy63.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-28 02:22 137 --a------ C:\Program Files\INSTALL.LOG
2007-07-28 02:17 73728 --a------ C:\WINDOWS\system32\sockspy.dll
2007-07-28 02:16 77824 --a------ C:\WINDOWS\system32\xcomm.dll
2007-07-27 06:20 --------- d-------- C:\Program Files\Lavasoft
2007-07-26 00:22 --------- d-------- C:\Program Files\MSN Gaming Zone
2007-07-25 06:24 --------- d-------- C:\Program Files\Windows NT
2007-07-11 21:38 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-10 20:33 --------- d-------- C:\Program Files\Last.fm
2007-07-03 11:58 --------- d-------- C:\Program Files\Winamp
2007-06-25 09:54 53248 --a------ C:\WINDOWS\uni_eh44.exe
2007-06-25 09:53 53248 --a------ C:\WINDOWS\uninst1014.exe
2007-06-13 11:01 --------- d-------- C:\Program Files\Yahoo!
2007-06-10 00:03 --------- d-------- C:\Program Files\AIM6
2007-06-08 17:47 5120 --a------ C:\WINDOWS\system32\NSIS.Library.RegTool.v2.{1B8CEA72-735E-4BE1-91A9-AC07ECA223AA}.exe
2007-06-04 15:18 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 15:17 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 15:14 6272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-06-01 03:26 --------- d-------- C:\Program Files\Bonjour
2007-06-01 03:18 --------- d-------- C:\Program Files\Berea College
2007-05-13 02:04 15134 --a--c--- C:\WINDOWS\mozver.dat
2005-08-02 20:46:54 187,904 --sha-w C:\WINDOWS\QmVyZWEgQ29sbGVnZQ\asappsrv.dll
2005-08-02 20:58:38 293,888 --sha-w C:\WINDOWS\QmVyZWEgQ29sbGVnZQ\command.exe
2005-07-29 20:24:26 472 --sha-r C:\WINDOWS\QmVyZWEgQ29sbGVnZQ\kApVtqH0kZ6Pv3pBtk.vbs


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{12aa0346-1c39-4bdb-be6a-70d14177adb0}]
C:\WINDOWS\system32\imajwkx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{374C388E-A944-F9BB-4F13-8F8DBD2CD0CD}]
C:\WINDOWS\system32\dyku.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A3A228A-41E5-47AA-BD0D-2DD6D4F5E04C}]
2007-06-18 14:59 163840 --a------ C:\Program Files\MSN Gaming Zone\hokem3.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6F2C9C90-529E-8145-2E89-06A7789C150D}]
2007-07-27 00:49 102400 --a------ C:\Program Files\Ttdtxmms\vzfiakbk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{941508F8-CCD9-44E0-AC29-4F1E141373F7}]
2007-07-25 06:21 31254 --a------ C:\WINDOWS\system32\pmnonol.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9BA9C201-DA76-40DA-A9AA-73619E4AC557}]
C:\WINDOWS\system32\jkklm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E3F6F05A-4704-4C0B-804E-DA60E1D7B09E}]
2007-06-14 07:54 163840 --a------ C:\Program Files\MSN Gaming Zone\hokem83122.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 12:33]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-03 17:38]
"TkBellExe"="realsched.exe" []
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" []
"enututub"="C:\Program Files\udyxwfwp\wxwrajqr.dll" [2007-07-26 17:30]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"TSClientMSIUninstaller"=cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
KeyAccess.lnk - C:\WINDOWS\keyacc32.exe [2001-12-01 14:00:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{941508F8-CCD9-44E0-AC29-4F1E141373F7}"= C:\WINDOWS\system32\pmnonol.dll [2007-07-25 06:21 31254]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnonol]
pmnonol.dll 2007-07-25 06:21 31254 C:\WINDOWS\system32\pmnonol.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll KATRACK.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=domain_browser.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

R0 PzWDM;PzWDM;C:\WINDOWS\system32\Drivers\PzWDM.sys
R0 Teefer;Teefer for NT;C:\WINDOWS\system32\Drivers\Teefer.sys
R1 Cdr4_xp;Cdr4_xp;C:\WINDOWS\system32\drivers\Cdr4_xp.sys
R1 Cdralw2k;Cdralw2k;C:\WINDOWS\system32\drivers\Cdralw2k.sys
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R1 wpsdrvnt;wpsdrvnt;\??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys
R2 FeebeSecDiskDriver;Feebe Secure Disk Driver;\??\C:\WINDOWS\system32\drivers\feebe_sd_disk.sys
R2 FeebeSecDiskSrv;Feebe Secure Disk Service;C:\Program Files\Feebe\FeebeSecDisk\feebe_sd_srv.exe
R2 wg3n;SyGate for NT, wg3n;C:\WINDOWS\system32\Drivers\wg3n.sys
R2 wg4n;SyGate for NT, wg4n;C:\WINDOWS\system32\Drivers\wg4n.sys
R2 wg5n;SyGate for NT, wg5n;C:\WINDOWS\system32\Drivers\wg5n.sys
R2 wg6n;SyGate for NT, wg6n;C:\WINDOWS\system32\Drivers\wg6n.sys
R3 BDRsDrv;BDRsDrv;\??\C:\Program Files\Softwin\BitDefender9\bdrsdrv.sys
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys
R3 HSFHWICH;HSFHWICH;C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
R3 ROOTMODEM;Microsoft Legacy Modem Driver;C:\WINDOWS\system32\Drivers\RootMdm.sys
R3 tbhsd;Tunebite High-Speed Dubbing;C:\WINDOWS\system32\drivers\tbhsd.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 EraserUtilDrv10500;EraserUtilDrv10500;\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10500.sys
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
S3 UIUSys;Conexant Setup API;C:\WINDOWS\system32\drivers\UIUSys.sys
S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
S3 WmaCDriverV32;WmaCDriverV32;C:\WINDOWS\system32\drivers\WmaCDriverV32.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc


Contents of the 'Scheduled Tasks' folder
2007-07-29 05:16:11 C:\WINDOWS\Tasks\{11EF8333-3B99-40F3-9AD3-56F8FAFD9474}_BEREA.EDU_haynesr.job - C:\WINDOWS\system32\mobsync.exe
2007-07-28 07:16:57 C:\WINDOWS\Tasks\{4CFCCC61-7FBF-4A7A-8A0C-2C6F9BBFD06D}_BEREA.EDU_haynesr.job - C:\WINDOWS\system32\mobsync.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-29 02:34:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:000001e9

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-29 2:46:20 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-29 02:45

--- E O F ---


Hijack This
Logfile of HijackThis v1.99.1
Scan saved at 3:09:08 AM, on 7/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Feebe\FeebeSecDisk\feebe_sd_srv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Softwin\BitDefender9\bdnagent.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
c:\program files\softwin\bitdefender9\bdmcon.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\Documents and Settings\haynesr.00114348542A\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.berea.edu/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.berea.edu:8080
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.berea.edu"); (C:\Documents and Settings\haynesr\Application Data\Mozilla\Profiles\default\7qjsh317.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {12aa0346-1c39-4bdb-be6a-70d14177adb0} - C:\WINDOWS\system32\imajwkx.dll (file missing)
O2 - BHO: (no name) - {374C388E-A944-F9BB-4F13-8F8DBD2CD0CD} - C:\WINDOWS\system32\dyku.dll (file missing)
O2 - BHO: ALTAVISTA - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\PROGRA~1\DYNAMI~1\ALTAVI~1\ALTAVI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6A3A228A-41E5-47AA-BD0D-2DD6D4F5E04C} - C:\Program Files\MSN Gaming Zone\hokem3.dll
O2 - BHO: (no name) - {6F2C9C90-529E-8145-2E89-06A7789C150D} - C:\Program Files\Ttdtxmms\vzfiakbk.dll
O2 - BHO: (no name) - {941508F8-CCD9-44E0-AC29-4F1E141373F7} - C:\WINDOWS\system32\pmnonol.dll
O2 - BHO: (no name) - {9BA9C201-DA76-40DA-A9AA-73619E4AC557} - C:\WINDOWS\system32\jkklm.dll (file missing)
O2 - BHO: (no name) - {E3F6F05A-4704-4C0B-804E-DA60E1D7B09E} - C:\Program Files\MSN Gaming Zone\hokem83122.dll
O3 - Toolbar: ALTAVISTA - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\PROGRA~1\DYNAMI~1\ALTAVI~1\ALTAVI~1.DLL
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [enututub] rundll32.exe "C:\Program Files\udyxwfwp\wxwrajqr.dll",Init
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] "c:\program files\softwin\bitdefender9\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "c:\program files\softwin\bitdefender9\bdswitch.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: KeyAccess.lnk = ?
O8 - Extra context menu item: AltaVista Search - file://C:\Program Files\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextSearch.htm
O8 - Extra context menu item: Translate - file://C:\Program Files\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextTranslation.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1110376070784
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {DE0FB644-C59B-46D1-B650-88BA945BC98F} - http://entriq.vo.llnwd.net/o1/NBCUniversal...sal_1_0_0_7.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = berea.edu
O17 - HKLM\Software\..\Telephony: DomainName = berea.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = berea.edu
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: pmnonol - C:\WINDOWS\SYSTEM32\pmnonol.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Feebe Secure Disk Service (FeebeSecDiskSrv) - Feebe, Inc. - C:\Program Files\Feebe\FeebeSecDisk\feebe_sd_srv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"D:\\SETUP.EXE"="D:\\SETUP.EXE:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\1151036242\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1151036242\\EE\\AOLServiceHost.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\BearFlix\\bearflix.exe"="C:\\Program Files\\BearFlix\\bearflix.exe:*:Enabled:BearFlix"
"C:\\Program Files\\AIM\\AIM Pro\\aimpro.exe"="C:\\Program Files\\AIM\\AIM Pro\\aimpro.exe:*:Enabled:AIM Pro"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Last.fm\\LastFM.exe"="C:\\Program Files\\Last.fm\\LastFM.exe:*:Enabled:LastFM"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Ruckus Player\\Ruckus.exe"="C:\\Program Files\\Ruckus Player\\Ruckus.exe:*:Enabled:Ruckus"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\StreamCast\\Morpheus\\MorphEXE.exe"="C:\\Program Files\\StreamCast\\Morpheus\\MorphEXE.exe:*:Enabled:Morpheus"
"C:\\Program Files\\StreamCast\\Morpheus\\mldonkey\\mlnet.exe"="C:\\Program Files\\StreamCast\\Morpheus\\mldonkey\\mlnet.exe:*:Enabled:MLdonkey - multiuser P2P daemon"
"D:\\SETUP.EXE"="D:\\SETUP.EXE:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Ruckus Player\\Ruckus.exe"="C:\\Program Files\\Ruckus Player\\Ruckus.exe:*:Enabled:Ruckus"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"="C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Jukebox"

Remaining Files:
---------------


Files with Hidden Attributes:


Finished

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:12:34 PM

Posted 29 July 2007 - 03:48 PM

Copy and paste ALL the following blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\WINDOWS\system32\lctinmbb.ini2
C:\WINDOWS\system32\bbmnitcl.dll
C:\WINDOWS\system32\pmnonol.dll
C:\WINDOWS\system32\mljklkh.dll
C:\WINDOWS\system32\wnupdate.exe
C:\WINDOWS\system32\ubxkbvik.dll
C:\WINDOWS\system32\yjmqrfms.exe
C:\WINDOWS\system32\inrffxsk.exe
C:\WINDOWS\system32\oqygfttk.exe
C:\WINDOWS\system32\winzoa32.dll
C:\Program Files\MSN Gaming Zone\hokem3.dll
C:\Program Files\MSN Gaming Zone\hokem83122.dll
C:\WINDOWS\mtwxt0578.exe
C:\WINDOWS\iijuc0578.exe
C:\WINDOWS\zhywtwfA.exe
C:\WINDOWS\zhywtwf.exe

Folder::
C:\Temp\0c2
C:\Temp\brr
C:\Program Files\Ttdtxmms
C:\Program Files\Jvpawpym
C:\Program Files\Ldbkonlp
C:\Program Files\Jweetlhy
C:\Program Files\udyxwfwp
C:\WINDOWS\QmVyZWEgQ29sbGVnZQ
C:\WINDOWS\system32\betpdcow

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{12aa0346-1c39-4bdb-be6a-70d14177adb0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6F2C9C90-529E-8145-2E89-06A7789C150D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A3A228A-41E5-47AA-BD0D-2DD6D4F5E04C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{941508F8-CCD9-44E0-AC29-4F1E141373F7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9BA9C201-DA76-40DA-A9AA-73619E4AC557}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E3F6F05A-4704-4C0B-804E-DA60E1D7B09E}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"enututub"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{941508F8-CCD9-44E0-AC29-4F1E141373F7}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnonol]

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[Image: dragging the CFScript file onto ComboFix.exe]

This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.

Edited by RichieUK, 29 July 2007 - 04:41 PM.


#5 AndWeWereDreaming

AndWeWereDreaming
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:34 AM

Posted 29 July 2007 - 11:33 PM

Combo Fix
ComboFix 07-07-28.5 - "haynesr" 2007-07-30 0:04:39.2 [GMT -4:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True
Command switches used :: C:\Documents and Settings\haynesr.00114348542A\Desktop\CFScript.txt
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Jvpawpym
C:\Program Files\Jvpawpym\kqyakdoq.exe
C:\Program Files\Jweetlhy
C:\Program Files\Jweetlhy\lduppbqs.exe
C:\Program Files\Ldbkonlp
C:\Program Files\Ldbkonlp\rxzzqhez.dll
C:\Program Files\MSN Gaming Zone\hokem3.dll
C:\Program Files\MSN Gaming Zone\hokem83122.dll
C:\Program Files\Ttdtxmms
C:\Program Files\Ttdtxmms\vzfiakbk.dll
C:\Program Files\udyxwfwp
C:\Program Files\udyxwfwp\wxwrajqr.dll
C:\Temp\0c2
C:\Temp\0c2\tmpFF.log
C:\Temp\brr
C:\Temp\brr\tmpZTF.log
C:\WINDOWS\iijuc0578.exe
C:\WINDOWS\mtwxt0578.exe
C:\WINDOWS\QmVyZWEgQ29sbGVnZQ\asappsrv.dll
C:\WINDOWS\QmVyZWEgQ29sbGVnZQ\command.exe
C:\WINDOWS\QmVyZWEgQ29sbGVnZQ\kApVtqH0kZ6Pv3pBtk.vbs
C:\WINDOWS\system32\bbmnitcl.dll
C:\WINDOWS\system32\betpdcow
C:\WINDOWS\system32\betpdcow\betpdcow1.exe
C:\WINDOWS\system32\betpdcow\betpdcow2.exe
C:\WINDOWS\system32\betpdcow\betpdcow3.exe
C:\WINDOWS\system32\betpdcow\bg1.gif
C:\WINDOWS\system32\betpdcow\bgtop.gif
C:\WINDOWS\system32\betpdcow\bottom1.gif
C:\WINDOWS\system32\betpdcow\essentials.gif
C:\WINDOWS\system32\betpdcow\icon1.ico
C:\WINDOWS\system32\betpdcow\install1.gif
C:\WINDOWS\system32\betpdcow\left1.gif
C:\WINDOWS\system32\betpdcow\li.gif
C:\WINDOWS\system32\betpdcow\logo.gif
C:\WINDOWS\system32\betpdcow\main.htm
C:\WINDOWS\system32\betpdcow\mainframe.htm
C:\WINDOWS\system32\betpdcow\reinstall1.gif
C:\WINDOWS\system32\betpdcow\right1.gif
C:\WINDOWS\system32\betpdcow\s1.htm
C:\WINDOWS\system32\betpdcow\s2.htm
C:\WINDOWS\system32\betpdcow\s3.htm
C:\WINDOWS\system32\betpdcow\SMTop1.gif
C:\WINDOWS\system32\betpdcow\SMTop2.gif
C:\WINDOWS\system32\betpdcow\SMTop3.gif
C:\WINDOWS\system32\betpdcow\SMTop4.gif
C:\WINDOWS\system32\betpdcow\soft1_off.gif
C:\WINDOWS\system32\betpdcow\soft1_off_ext.gif
C:\WINDOWS\system32\betpdcow\soft1_on.gif
C:\WINDOWS\system32\betpdcow\soft1_on_ext.gif
C:\WINDOWS\system32\betpdcow\soft2_off.gif
C:\WINDOWS\system32\betpdcow\soft2_off_ext.gif
C:\WINDOWS\system32\betpdcow\soft2_on.gif
C:\WINDOWS\system32\betpdcow\soft2_on_ext.gif
C:\WINDOWS\system32\betpdcow\soft3_off.gif
C:\WINDOWS\system32\betpdcow\soft3_off_ext.gif
C:\WINDOWS\system32\betpdcow\soft3_on.gif
C:\WINDOWS\system32\betpdcow\soft3_on_ext.gif
C:\WINDOWS\system32\betpdcow\softbottom_off.gif
C:\WINDOWS\system32\betpdcow\softbottom_on.gif
C:\WINDOWS\system32\betpdcow\softleft_off.gif
C:\WINDOWS\system32\betpdcow\softleft_on.gif
C:\WINDOWS\system32\betpdcow\top1.gif
C:\WINDOWS\system32\betpdcow\top2.gif
C:\WINDOWS\system32\betpdcow\turnoff1.gif
C:\WINDOWS\system32\betpdcow\turnon1.gif
C:\WINDOWS\system32\inrffxsk.exe
C:\WINDOWS\system32\lctinmbb.ini2
C:\WINDOWS\system32\mljklkh.dll
C:\WINDOWS\system32\oqygfttk.exe
C:\WINDOWS\system32\pmnonol.dll
C:\WINDOWS\system32\ubxkbvik.dll
C:\WINDOWS\system32\winzoa32.dll
C:\WINDOWS\system32\wnupdate.exe
C:\WINDOWS\system32\yjmqrfms.exe
C:\WINDOWS\zhywtwf.exe
C:\WINDOWS\zhywtwfA.exe


((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-30 )))))))))))))))))))))))))))))))


2007-07-29 15:31 <DIR> d-------- C:\WINDOWS\system32\csaedtdh
2007-07-29 01:57 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-29 01:14 <DIR> d-------- C:\VundoFix Backups
2007-07-29 00:08 <DIR> d-------- C:\DOCUME~1\HAYNES~1.001\APPLIC~1\Real
2007-07-28 22:30 <DIR> d-------- C:\WINDOWS\ERUNT
2007-07-28 22:28 1,835,008 --ah----- C:\DOCUME~1\HAYNES~1.001\NTUSER.DAT
2007-07-28 22:28 <DIR> d---s---- C:\DOCUME~1\HAYNES~1.001\UserData
2007-07-28 22:28 <DIR> d-------- C:\DOCUME~1\HAYNES~1.001\WINDOWS
2007-07-28 22:28 <DIR> d-------- C:\DOCUME~1\HAYNES~1.001\APPLIC~1\FileMaker
2007-07-28 22:28 <DIR> d-------- C:\DOCUME~1\HAYNES~1.001\.javaws
2007-07-28 04:18 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2007-07-28 04:07 <DIR> d-------- C:\f46c64f5b9ae996d7fa9756196
2007-07-28 03:46 <DIR> d-------- C:\52e90673d670664035338d
2007-07-28 03:01 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-07-28 03:01 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-07-28 03:01 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-07-28 03:01 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-07-28 03:01 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-07-28 03:00 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-07-28 02:59 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-07-28 02:54 <DIR> d-------- C:\Program Files\Sygate
2007-07-28 02:14 15 --a------ C:\WINDOWS\system32\getfile.dat
2007-07-27 23:35 <DIR> d-------- C:\DOCUME~1\haynesr\Program Files
2007-07-27 06:30 <DIR> d-------- C:\!KillBox
2007-07-27 06:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-27 06:13 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-26 17:31 4,789 --a------ C:\WINDOWS\system32\k.dat
2007-07-26 17:31 <DIR> d-------- C:\Program Files\SecCenter
2007-07-25 06:24 <DIR> d-------- C:\DOCUME~1\haynesr\APPLIC~1\??stem
2007-07-25 06:20 <DIR> d-------- C:\Temp
2007-07-11 21:54 <DIR> d-------- C:\DOCUME~1\haynesr\APPLIC~1\Creative
2007-07-11 21:38 41,984 --------- C:\WINDOWS\Ctregrun.exe
2007-07-11 21:36 24,576 --------- C:\WINDOWS\system32\msxml3a.dll
2007-07-11 21:36 <DIR> d-------- C:\Program Files\Audible
2007-07-11 21:28 44,032 --------- C:\WINDOWS\system32\CTSVCCDA.EXE
2007-07-11 21:28 25,088 --------- C:\WINDOWS\system32\CTSVCCTL.EXE
2007-07-11 21:28 <DIR> d--h----- C:\Program Files\Creative Installation Information
2007-07-11 21:28 <DIR> d-------- C:\Program Files\Common Files\Creative
2007-07-11 21:21 <DIR> d-------- C:\Program Files\Creative
2007-07-06 15:40 192,512 --a------ C:\WINDOWS\g4356cbvy63.exe
2007-06-25 09:54 53,248 --a------ C:\WINDOWS\uni_eh44.exe
2007-06-25 09:53 53,248 --a------ C:\WINDOWS\uninst1014.exe
2007-06-17 18:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Power Tab Software
2007-06-08 17:47 5,120 --a------ C:\WINDOWS\system32\NSIS.Library.RegTool.v2.{1B8CEA72-735E-4BE1-91A9-AC07ECA223AA}.exe
2007-06-04 15:18 9,344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 15:17 8,320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 15:14 6,272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-30 00:21 --------- d-------- C:\Program Files\MSN Gaming Zone
2007-07-28 02:22 137 --a------ C:\Program Files\INSTALL.LOG
2007-07-28 02:17 73728 --a------ C:\WINDOWS\system32\sockspy.dll
2007-07-28 02:16 77824 --a------ C:\WINDOWS\system32\xcomm.dll
2007-07-27 06:20 --------- d-------- C:\Program Files\Lavasoft
2007-07-25 06:24 --------- d-------- C:\Program Files\Windows NT
2007-07-11 21:38 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-10 20:33 --------- d-------- C:\Program Files\Last.fm
2007-07-03 11:58 --------- d-------- C:\Program Files\Winamp
2007-06-13 11:01 --------- d-------- C:\Program Files\Yahoo!
2007-06-10 00:03 --------- d-------- C:\Program Files\AIM6
2007-06-01 03:26 --------- d-------- C:\Program Files\Bonjour
2007-06-01 03:18 --------- d-------- C:\Program Files\Berea College
2007-05-13 02:04 15134 --a--c--- C:\WINDOWS\mozver.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{374C388E-A944-F9BB-4F13-8F8DBD2CD0CD}]
C:\WINDOWS\system32\dyku.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 12:33]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-03 17:38]
"TkBellExe"="realsched.exe" []
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" []
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"TSClientMSIUninstaller"=cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
KeyAccess.lnk - C:\WINDOWS\keyacc32.exe [2001-12-01 14:00:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=KATRACK.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=domain_browser.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

R0 PzWDM;PzWDM;C:\WINDOWS\system32\Drivers\PzWDM.sys
R0 Teefer;Teefer for NT;C:\WINDOWS\system32\Drivers\Teefer.sys
R1 Cdr4_xp;Cdr4_xp;C:\WINDOWS\system32\drivers\Cdr4_xp.sys
R1 Cdralw2k;Cdralw2k;C:\WINDOWS\system32\drivers\Cdralw2k.sys
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R1 wpsdrvnt;wpsdrvnt;\??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys
R2 FeebeSecDiskDriver;Feebe Secure Disk Driver;\??\C:\WINDOWS\system32\drivers\feebe_sd_disk.sys
R2 FeebeSecDiskSrv;Feebe Secure Disk Service;C:\Program Files\Feebe\FeebeSecDisk\feebe_sd_srv.exe
R2 wg3n;SyGate for NT, wg3n;C:\WINDOWS\system32\Drivers\wg3n.sys
R2 wg4n;SyGate for NT, wg4n;C:\WINDOWS\system32\Drivers\wg4n.sys
R2 wg5n;SyGate for NT, wg5n;C:\WINDOWS\system32\Drivers\wg5n.sys
R2 wg6n;SyGate for NT, wg6n;C:\WINDOWS\system32\Drivers\wg6n.sys
R3 BDRsDrv;BDRsDrv;\??\C:\Program Files\Softwin\BitDefender9\bdrsdrv.sys
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys
R3 HSFHWICH;HSFHWICH;C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
R3 ROOTMODEM;Microsoft Legacy Modem Driver;C:\WINDOWS\system32\Drivers\RootMdm.sys
R3 tbhsd;Tunebite High-Speed Dubbing;C:\WINDOWS\system32\drivers\tbhsd.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 EraserUtilDrv10500;EraserUtilDrv10500;\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10500.sys
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
S3 UIUSys;Conexant Setup API;C:\WINDOWS\system32\drivers\UIUSys.sys
S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
S3 WmaCDriverV32;WmaCDriverV32;C:\WINDOWS\system32\drivers\WmaCDriverV32.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc


Contents of the 'Scheduled Tasks' folder
2007-07-29 05:16:11 C:\WINDOWS\Tasks\{11EF8333-3B99-40F3-9AD3-56F8FAFD9474}_BEREA.EDU_haynesr.job - C:\WINDOWS\system32\mobsync.exe
2007-07-29 07:14:04 C:\WINDOWS\Tasks\{4CFCCC61-7FBF-4A7A-8A0C-2C6F9BBFD06D}_BEREA.EDU_haynesr.job - C:\WINDOWS\system32\mobsync.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-30 00:22:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-30 0:27:12 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-30 00:26
C:\ComboFix2.txt ... 2007-07-29 02:46

--- E O F ---





Hijack This

Logfile of HijackThis v1.99.1
Scan saved at 12:30:52 AM, on 7/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Feebe\FeebeSecDisk\feebe_sd_srv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\cmd.exe
C:\ComboFix\vfind.cfexe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Softwin\BitDefender9\bdmcon.exe
C:\Program Files\Softwin\BitDefender9\bdnagent.exe
C:\Documents and Settings\haynesr.00114348542A\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.berea.edu/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.berea.edu:8080
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.berea.edu"); (C:\Documents and Settings\haynesr\Application Data\Mozilla\Profiles\default\7qjsh317.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {374C388E-A944-F9BB-4F13-8F8DBD2CD0CD} - C:\WINDOWS\system32\dyku.dll (file missing)
O2 - BHO: ALTAVISTA - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\PROGRA~1\DYNAMI~1\ALTAVI~1\ALTAVI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: ALTAVISTA - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\PROGRA~1\DYNAMI~1\ALTAVI~1\ALTAVI~1.DLL
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender9\bdnagent.exe"
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\Program Files\Softwin\BitDefender9\bdswitch.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: KeyAccess.lnk = ?
O8 - Extra context menu item: AltaVista Search - file://C:\Program Files\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextSearch.htm
O8 - Extra context menu item: Translate - file://C:\Program Files\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextTranslation.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1110376070784
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {DE0FB644-C59B-46D1-B650-88BA945BC98F} - http://entriq.vo.llnwd.net/o1/NBCUniversal...sal_1_0_0_7.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = berea.edu
O17 - HKLM\Software\..\Telephony: DomainName = berea.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = berea.edu
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Feebe Secure Disk Service (FeebeSecDiskSrv) - Feebe, Inc. - C:\Program Files\Feebe\FeebeSecDisk\feebe_sd_srv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
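
The HijackThis output above is read by hand in this thread, but the same first pass can be scripted. The Python below is an added example, not code from the thread or from HijackThis, ComboFix or any other tool named here; it parses a handful of lines copied from the log above (a constructed subset), splits each entry into its fields and flags the ones a helper would look at first: unnamed BHOs, entries marked (file missing), services without a recorded publisher, and Winsock LSP files. The names Entry, parse_line, triage and analyze are chosen for this example. One caveat is built in: on an O23 line whose path ends in a stray quote and switches (like the BitDefender services above) the parser separates the executable from its arguments and reports it as something to verify on disk rather than as a confirmed missing file.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {374C388E-A944-F9BB-4F13-8F8DBD2CD0CD} - C:\WINDOWS\system32\dyku.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
SVC_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
MISSING = "(file missing)"


@dataclass
class Entry:
    section: str            # HijackThis section tag, e.g. "O2", "O23"
    kind: str               # "bho", "service", "lsp" or "other"
    name: str
    path: str               # executable or DLL path with any arguments removed
    owner: Optional[str] = None
    clsid: Optional[str] = None
    file_missing: bool = False
    path_has_args: bool = False


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis log line; returns None for lines that are not entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    missing = body.endswith(MISSING)
    if missing:
        body = body[: -len(MISSING)].rstrip()
    if section == "O2" and (b := BHO_RE.match(body)):
        return Entry(section, "bho", b["name"], b["path"],
                     clsid=b["clsid"].upper(), file_missing=missing)
    if section == "O23" and (s := SVC_RE.match(body)):
        # A stray closing quote followed by switches means the service's
        # ImagePath was quoted with arguments; the executable is what precedes it.
        path = s["path"]
        has_args = '"' in path
        exe = path.split('"', 1)[0].strip()
        return Entry(section, "service", s["name"], exe, owner=s["owner"],
                     file_missing=missing, path_has_args=has_args)
    if section == "O10":
        return Entry(section, "lsp", "", body.split(": ", 1)[-1], file_missing=missing)
    return Entry(section, "other", "", body, file_missing=missing)


def triage(entries: List[Entry]) -> List[str]:
    """Return one note per entry that deserves a closer look, in log order."""
    notes = []
    for e in entries:
        if e.kind == "bho" and e.name == "(no name)" and e.file_missing:
            notes.append(f"{e.section} orphaned BHO {e.clsid}: unnamed and {e.path} is missing; "
                         "a leftover registration with nothing behind it")
        elif e.kind == "bho" and e.name == "(no name)":
            notes.append(f"{e.section} unnamed BHO {e.clsid}: identify {e.path} before deciding")
        elif e.kind == "service" and e.file_missing and e.path_has_args:
            notes.append(f"{e.section} {e.name}: ImagePath is quoted with arguments, so check "
                         f"{e.path} on disk before treating it as missing")
        elif e.kind == "service" and e.owner == "Unknown owner":
            notes.append(f"{e.section} {e.name}: no publisher recorded for {e.path}")
        elif e.kind == "lsp":
            notes.append(f"{e.section} Winsock LSP: confirm {e.path} belongs to an installed product")
    return notes


def analyze(log_text: str) -> List[str]:
    """Parse a whole log and return the triage notes."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return triage(entries)


if __name__ == "__main__":
    for note in analyze(SAMPLE_LOG):
        print(note)
```

Run against the sample, the script raises four notes: the unnamed BHO whose DLL is gone, the unnamed Spybot helper (present on disk, so identify before touching), the Bonjour LSP file, and the bdss service whose quoted path needs checking on disk. Nothing in the output is a verdict; it only orders the manual review that the helpers in this thread are doing.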

#6 miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 30 July 2007 - 06:33 AM

Hi,

Sorry to jump in for a second, but can you do me a favour please...

Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, click the browse button next to it and browse to the next file:

C:\Qoobox\quarantine\C\Program Files\Ttdtxmms\vzfiakbk.dll

Select it and click OK.
Then click the Send File button below.

Thank you very much!

RichieUK will give you further instructions from here...
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 AndWeWereDreaming

  • Topic Starter

  • Members
  • 6 posts

Posted 31 July 2007 - 12:56 AM

I have submitted the file.

#8 miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 31 July 2007 - 03:22 AM

Hi,

The file you submitted is 0 bytes, which means it's most probably still in use. So, can you reboot your computer and submit it again after reboot please?

#9 AndWeWereDreaming

  • Topic Starter

  • Members
  • 6 posts

Posted 31 July 2007 - 10:47 PM

I submitted the file as soon as I started my computer.

#10 RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 01 August 2007 - 06:59 AM

Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

Also post a new HijackThis log please.



