Vundo Virus And More


  • This topic is locked
11 replies to this topic

#1 socaljarhead

  • Members
  • 7 posts

Posted 08 August 2007 - 07:25 PM

I have been working on a pc for a few days now. It is heavily contaminated with virus and spyware items. I have been able to clean up some stuff by reading these forums but I just can't beat this thing..;)

At any rate, I ran HijackThis and here is the log. I'd highly appreciate any help.

socaljarhead

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:50:03 PM, on 8/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\zudalchA.exe
C:\PROGRA~1\COMMON~1\FNTS~1\wowexec.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\Common Files\?dobe\t?skmgr.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1A9F1188-0084-4C66-8311-F51AD9C6A374} - C:\Program Files\Messenger\meqocapoc4444.dll
O2 - BHO: (no name) - {48ABDBB9-4652-6989-2903-38B67F3AF29F} - C:\WINDOWS\system32\mrt.dll
O2 - BHO: (no name) - {492B901B-F1BB-4D0C-8C91-26C79783F2Bf} - C:\WINDOWS\system32\cvvprjlo.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {8371CD08-751F-4CC2-9D01-CC79E8EF58F3} - C:\Program Files\Messenger\meqocapoc.dll (file missing)
O2 - BHO: (no name) - {8556DBB2-5903-4783-9AF1-729D4CFFC0A9} - C:\WINDOWS\system32\cvvprjlo.dll (file missing)
O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINDOWS\system32\glatgrgp.dll (file missing)
O2 - BHO: (no name) - {D4319DD4-C256-4323-8133-113CE0282668} - C:\WINDOWS\system32\pmnll.dll (file missing)
O2 - BHO: (no name) - {F70C0C0E-9065-4FCB-9184-E95BDCC73564} - C:\Program Files\Messenger\meqocapoc83122.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Acronis True Image Monitor] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
O4 - HKLM\..\Run: [zudalchA] C:\WINDOWS\zudalchA.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [SpybotDeletingA5756] command /c del "C:\WINDOWS\SYSTEM32\drivers\core.cache.dsk_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2801] cmd /c del "C:\WINDOWS\SYSTEM32\drivers\core.cache.dsk_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA60] command /c del "C:\WINDOWS\SYSTEM32\drivers\core.sys_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5419] cmd /c del "C:\WINDOWS\SYSTEM32\drivers\core.sys_tobedeleted"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Sen] "C:\PROGRA~1\COMMON~1\FNTS~1\wowexec.exe" -vt yazb
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.norun
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0F15679F-75AB-4B96-A08C-472B7DB1A0F2} (03PrepInstall) - https://www.lacertesoftware.com/my_account/...prepinstall.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137260615250
O16 - DPF: {710B08F6-6CD1-48EA-BC2F-5D31741DC480} (03WebInstall) - https://www.lacertesoftware.com/my_account/...3webinstall.cab
O16 - DPF: {72109033-D398-49B6-8C11-A15619BEE0AF} (04WebInstall) - https://www.lacertesoftware.com/my_account/...4webinstall.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: rqrssst - rqrssst.dll (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
O24 - Desktop Component 0: (no name) - C:\Program Files\ComPlus Applications\rtelek.html

--
End of file - 11500 bytes

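An editor's addition, not part of socaljarhead's post and not code from HijackThis or ComboFix: the entries a helper would query in the log above can be picked out mechanically with a few rules, and the Python script below applies them. A `?` in a path means HijackThis could not render a character in the active code page, so `?dobe\t?skmgr.exe` is a look-alike directory and file name, not Adobe's Task Manager. Other rules flag an executable sitting directly in C:\WINDOWS rather than a subdirectory (zudalchA.exe), BHOs with no name, a random-looking DLL name or a CLSID whose DLL is already gone, a Winlogon Notify entry whose DLL is missing or random (those load into winlogon.exe), a service with no vendor name whose binary is missing, and an Active Desktop component pointing at a local HTML file. The name patterns, the list of Windows binary names and the "five to nine letters" threshold are this example's own assumptions, and the embedded sample log is a hand-trimmed excerpt of the log posted above.

```python
"""Heuristic triage of a HijackThis v2.x log (added example, not code from the
forum, from HijackThis or from ComboFix; the patterns are this example's own
assumptions and flag lines for review, not for automatic deletion)."""
import re

# HijackThis prints characters outside the active code page as '?', so a path like
# "Common Files\?dobe\t?skmgr.exe" is a look-alike directory name, not a wildcard.
LOOKALIKE = re.compile(r"\?")
# An executable dropped directly into the Windows directory, not a subdirectory.
WINDIR_ROOT = re.compile(r"^[A-Z]:\\WINDOWS\\[^\\]+\.(?:exe|dll)$", re.I)
# Five to nine letters plus optional digits: pmnll.dll, cvvprjlo.dll, rqrssst.dll.
RANDOM_DLL = re.compile(r"^[a-z]{5,9}\d*\.dll$", re.I)
# Genuine Windows binaries that have no reason to run from outside %WINDIR% (assumed list).
WINDOWS_BINARIES = {"wowexec.exe", "svchost.exe", "lsass.exe", "csrss.exe", "taskmgr.exe"}
MISSING = "(file missing)"

def _basename(path: str) -> str:
    return path.split("\\")[-1]

def check_path(path: str) -> list:
    """Reasons to distrust a file path, whichever log section it came from."""
    path = path.replace(MISSING, "").strip().strip('"')
    reasons = []
    if LOOKALIKE.search(path):
        reasons.append("path contains an unrenderable character (look-alike directory name)")
    if WINDIR_ROOT.match(path):
        reasons.append("executable placed directly in the Windows directory")
    if _basename(path).lower() in WINDOWS_BINARIES and not path.lower().startswith("c:\\windows\\"):
        reasons.append("Windows binary name launched from outside %WINDIR%")
    return reasons

def run_command_path(command: str) -> str:
    """Pull the executable out of a Run-key command line, quoted or not."""
    m = re.match(r'"?([^"]+?\.(?:exe|dll|scr|bat|cmd))"?', command, re.I)
    return m.group(1) if m else ""

def triage(log_text: str) -> dict:
    """Map each suspicious log line to the list of reasons it was flagged."""
    findings = {}
    for raw in log_text.splitlines():
        line, reasons = raw.strip(), []
        if re.match(r"^[A-Z]:\\", line):                       # "Running processes" block
            reasons = check_path(line)
        elif line.startswith("O2 - BHO:"):
            m = re.match(r"O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$", line)
            if m:
                name, path = m.groups()
                if name == "(no name)":
                    reasons.append("BHO registered without a name")
                if path.endswith(MISSING):
                    reasons.append("BHO DLL missing on disk (CLSID left behind by a partial clean)")
                elif RANDOM_DLL.match(_basename(path)):
                    reasons.append("BHO DLL has a random-looking name")
        elif re.match(r"O4 - HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[", line):
            reasons = check_path(run_command_path(line.split("] ", 1)[-1]))
        elif line.startswith("O20 - Winlogon Notify:"):
            path = line.split(" - ", 2)[-1]
            if path.endswith(MISSING):
                reasons.append("Winlogon Notify DLL missing (registry entry survived the clean)")
            elif RANDOM_DLL.match(_basename(path)):
                reasons.append("Winlogon Notify DLL with a random-looking name (loads into winlogon.exe)")
        elif line.startswith("O23 - Service:"):
            m = re.match(r"O23 - Service: (.*?) - (.*?) - (.*)$", line)
            if m and m.group(2) == "Unknown owner" and (
                    m.group(3).endswith(MISSING) or WINDIR_ROOT.match(m.group(3))):
                reasons.append("service with no vendor name whose binary is missing or in the Windows root")
        elif line.startswith("O24 - Desktop Component"):
            reasons.append("Active Desktop component showing a local HTML file (rogue-warning wallpaper)")
        if reasons:
            findings[line] = reasons
    return findings

# Constructed sample: a hand-trimmed excerpt of the log posted in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\zudalchA.exe
C:\Program Files\Common Files\?dobe\t?skmgr.exe
O2 - BHO: (no name) - {48ABDBB9-4652-6989-2903-38B67F3AF29F} - C:\WINDOWS\system32\mrt.dll
O2 - BHO: (no name) - {D4319DD4-C256-4323-8133-113CE0282668} - C:\WINDOWS\system32\pmnll.dll (file missing)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [zudalchA] C:\WINDOWS\zudalchA.exe
O4 - HKCU\..\Run: [Sen] "C:\PROGRA~1\COMMON~1\FNTS~1\wowexec.exe" -vt yazb
O20 - Winlogon Notify: rqrssst - rqrssst.dll (file missing)
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\ComPlus Applications\rtelek.html
"""

if __name__ == "__main__":
    for flagged_line, why in triage(SAMPLE_LOG).items():
        print(flagged_line)
        for reason in why:
            print("    ->", reason)
```

Run as-is it reports the nine flagged lines from the excerpt; a whole saved log goes through `triage(open("hijackthis.log").read())`. It flags for review only: Spybot's SDHelper.dll also shows up as "(no name)" in the log above and would trip the unnamed-BHO rule, which is why the helper, not the script, decides what goes into the fix.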
#2 Trevuren

  • Malware Response Team
  • 1,006 posts
  • Gender:Male
  • Location:Ontario, Canada

Posted 08 August 2007 - 09:44 PM

Hi socaljarhead and welcome to BleepingComputer Forums.

My name is Trevuren and I will be helping you with your problem.


A. Please provide a list of uninstallable programs.

To Provide a List of Installed Programs
  • Run HijackThis.
  • Click Config>>Miscellaneous Tools>>Open Uninstall Manager>>Save List
  • Save list to Desktop
  • Copy the Notepad list and Paste it into this thread.

B. Please download this file - combofix.exe by sUBs
  • You must download it to your Desktop
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

Regards,

Trevuren

Microsoft MVP - Consumer Security 2008 - 2009


#3 socaljarhead
  • Topic Starter

  • Members
  • 7 posts

Posted 09 August 2007 - 12:16 PM

Here ya go...

2000 Lacerte Tax
2001 Lacerte Tax
2002 Lacerte Tax
2003 Lacerte Tax
2004 Lacerte Tax
2005 Lacerte Tax
2005 Lacerte Tax Planner
2006 Lacerte Tax
Acronis True Image
Ad-Aware SE Personal
Adobe Flash Player 9
Adobe Reader 7.0.9
Adobe Reader Japanese Fonts
America Online (Choose which version to remove)
AOL Connectivity Services
Banctec Service Agreement
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window DSLR 5 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon ZoomBrowser EX (E)
CCScore
Conexant D850 56K V.9x DFVc Modem
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Media Experience
Dell Media Experience Update
DellSupport
Digital Line Detect
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
Google Earth
Half-Life: Counter-Strike
Half-Life: Opposing Force Online
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Adapters and Drivers
Intel® PROSet for Wired Connections
Internet Explorer Default Page
iPod for Windows 2005-06-26
iTunes
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java 2 Runtime Environment, SE v1.4.2_03
kgcbase
Kodak EasyShare software
KSU
Learn2 Player (Uninstall Only)
Lernout & Hauspie TruVoice for Microsoft Agent
LiveUpdate 1.7 (Symantec Corporation)
Macromedia Flash Player
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Standard
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft SQL Server Desktop Engine (LACERTEDB)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works 2000
Modem Helper
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
Musicmatch® Jukebox
netbrdg
NetWaiting
Notifier
OfotoXMI
Panda ActiveScan
Paragon Partition Manager 7.0 Server Edition
Photo Click
PowerDVD 5.3
QuickBooks Pro 2001
QuickBooks Pro Edition 2004
QuickTime
Savings Bond Wizard
SBC Yahoo! Applications
SBC Yahoo! DSL Home Networking Installer
SBC Yahoo! Login
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
SFR
SHASTA
SKIN0001
SKINXSDK
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Spybot - Search & Destroy 1.4
staticcr
Steam
Symantec AntiVirus Client
tooltips
TurboTax Deluxe Deduction Maximizer 2006
TurboTax ItsDeductible 2006
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB936357)
VBRunDLL 3.0
Viewpoint Media Player
VPRINTOL
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888240
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WIRELESS
WordPerfect Office 12
Yahoo! Browser Services
Yahoo! Mail
Yahoo! Toolbar
ZoneAlarm

#4 socaljarhead
  • Topic Starter

  • Members
  • 7 posts

Posted 09 August 2007 - 12:20 PM

I'm having trouble with Combofix but I think it is scanning correctly now. I will post the results as soon as it finishes.

#5 socaljarhead
  • Topic Starter

  • Members
  • 7 posts

Posted 09 August 2007 - 12:47 PM

ComboFix 07-08-10 - "Doreen Greyshock" 2007-08-09 10:20:38.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.248 [GMT -7:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\ProductCode
C:\DOCUME~1\DAVIDG~1\APPLIC~1\..\err.log
C:\DOCUME~1\DAVIDG~1\APPLIC~1\HbTools_Icons
C:\DOCUME~1\DAVIDG~1\APPLIC~1\HbTools_Icons\Registryrepair.ico
C:\DOCUME~1\DAVIDG~1\APPLIC~1\HbTools_Icons\Software_Online_8.ico
C:\DOCUME~1\DAVIDG~1\APPLIC~1\HbTools_Icons\wallpapere1.ico
C:\DOCUME~1\DOREEN~1\APPLIC~1\..\err.log
C:\DOCUME~1\DOREEN~1\STARTM~1\Programs.\Outerinfo
C:\DOCUME~1\DOREEN~1\STARTM~1\Programs.\Outerinfo\Terms.lnk
C:\DOCUME~1\DOREEN~1\STARTM~1\Programs.\Outerinfo\Uninstall.lnk
C:\DOCUME~1\ELIZAB~1\APPLIC~1\HbTools_Icons
C:\DOCUME~1\ELIZAB~1\APPLIC~1\HbTools_Icons\Registryrepair.ico
C:\DOCUME~1\ELIZAB~1\APPLIC~1\HbTools_Icons\Software_Online_8.ico
C:\DOCUME~1\ELIZAB~1\APPLIC~1\HbTools_Icons\wallpapere1.ico
C:\Program Files\Common Files\dobe~1
C:\Program Files\Common Files\dobe~1\t?skmgr.exe
C:\Program Files\Common Files\fnts~1
C:\Program Files\Common Files\fnts~1\F?nts\
C:\Program Files\Common Files\fnts~1\wowexec.exe
C:\Program Files\Common Files\icroso~1.net
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\WinAntiSpyware 2007\err.log
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
C:\Program Files\Common Files\winantispyware 2007\WAS7Mon.exe
C:\Program Files\ComPlus Applications\rtelek.html
C:\Program Files\Messenger\meqocapoc4444.dll
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\temp\0c2
C:\temp\0c2\tmpRC.log
C:\temp\brr
C:\temp\brr\tmpZTF.log
C:\temp\tn3
C:\WINDOWS\cfg32a.exe
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\dobe~1
C:\WINDOWS\system32\B0
C:\WINDOWS\system32\b02FdUe
C:\WINDOWS\system32\B1
C:\WINDOWS\system32\B2
C:\WINDOWS\system32\B4
C:\WINDOWS\system32\B5
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\mrt.dll
C:\WINDOWS\system32\T3
C:\WINDOWS\system32\T4
C:\WINDOWS\system32\T5
C:\WINDOWS\system32\T6
C:\WINDOWS\system32\T7
C:\WINDOWS\system32\version69ie7fix.dll
C:\WINDOWS\system32\wapiicom32.exe
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\TISKY009.exe
C:\WINDOWS\TTC-4444.exe
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FOPN
-------\LEGACY_NET_AGENT
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\core
-------\Net Agent


((((((((((((((((((((((((( Files Created from 2007-07-09 to 2007-08-09 )))))))))))))))))))))))))))))))


2007-08-09 10:18 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-08 16:49 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-08 16:30 <DIR> d-------- C:\DOCUME~1\DOREEN~1\.housecall6.6
2007-08-08 16:10 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-08-08 14:09 4,212 ---h----- C:\WINDOWS\SYSTEM32\zllictbl.dat
2007-08-08 14:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-08-08 14:08 808,992 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2007-08-08 14:08 75,932 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klick.dat
2007-08-08 14:08 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-08-08 14:08 74,396 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klin.dat
2007-08-08 14:08 110,360 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kl1.sys
2007-08-08 14:08 11,264 --a------ C:\WINDOWS\SYSTEM32\SpOrder.dll
2007-08-08 14:08 1,086,952 --a------ C:\WINDOWS\SYSTEM32\zpeng24.dll
2007-08-08 14:08 <DIR> d-------- C:\WINDOWS\SYSTEM32\ZoneLabs
2007-08-08 14:07 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-08-08 12:14 3,870,720 --a------ C:\WINDOWS\SYSTEM32\qt-mt323.dll
2007-08-08 12:14 18,208 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\hotcore.sys
2007-08-08 12:14 <DIR> d-------- C:\Program Files\Paragon Software
2007-08-07 14:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-07 10:56 <DIR> d-------- C:\VundoFix Backups
2007-08-06 17:03 <DIR> d-------- C:\DOCUME~1\DOREEN~1\APPLIC~1\Acronis
2007-08-06 16:53 77,856 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\snapman.sys
2007-08-06 16:53 478,208 --a------ C:\WINDOWS\SYSTEM32\autoprnt.exe
2007-08-06 16:53 37,888 --a------ C:\WINDOWS\SYSTEM32\setupnt.dll
2007-08-06 16:53 28,000 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tifsfilt.sys
2007-08-06 16:53 200,416 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\timntr.sys
2007-08-06 16:53 122,880 --a------ C:\WINDOWS\SYSTEM32\snapapi.dll
2007-08-06 16:53 <DIR> d-------- C:\Program Files\Common Files\Acronis
2007-08-06 16:53 <DIR> d-------- C:\Program Files\Acronis
2007-08-06 14:37 14,848 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kbdhid.sys
2007-08-06 14:37 14,848 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\kbdhid.sys
2007-08-05 11:38 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-05 11:27 786,432 --ah----- C:\DOCUME~1\ADMINI~1.OFF\NTUSER.DAT
2007-08-05 11:27 <DIR> d-------- C:\DOCUME~1\ADMINI~1.OFF\APPLIC~1\Sonic
2007-08-05 11:27 <DIR> d-------- C:\DOCUME~1\ADMINI~1.OFF\APPLIC~1\Jasc Software Inc
2007-08-05 10:56 83,672 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2007-08-05 10:56 73,224 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS
2007-08-05 10:53 <DIR> d-------- C:\Program Files\Symantec
2007-08-05 10:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-08-05 10:52 <DIR> d-------- C:\Program Files\Symantec_Client_Security
2007-08-05 10:52 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-05 10:30 <DIR> d-------- C:\DOCUME~1\DOREEN~1\APPLIC~1\Lavasoft
2007-07-16 16:06 <DIR> d-------- C:\DOCUME~1\DAVIDG~1\APPLIC~1\AdobeUM
2007-07-16 15:46 192,622 --a------ C:\WINDOWS\SYSTEM32\twinkndt.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-09 10:25 13616 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-08-09 10:24 --------- d-------- C:\Program Files\Messenger
2007-08-08 13:49 --------- d-------- C:\Program Files\Jasc Software Inc
2007-08-08 12:14 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-07 16:55 --------- d-------- C:\Program Files\Common Files\Real
2007-08-07 16:55 --------- d-------- C:\DOCUME~1\DOREEN~1\APPLIC~1\Real
2007-08-07 16:54 --------- d-------- C:\Program Files\Flock
2007-08-07 16:54 --------- d-------- C:\DOCUME~1\DOREEN~1\APPLIC~1\Flock
2007-08-07 14:41 --------- d-------- C:\Program Files\MyWay
2007-08-05 11:49 --------- d-------- C:\Program Files\NoAdware5.0
2007-08-05 11:00 --------- d-------- C:\Program Files\McAfee.com
2007-07-07 08:54 43062 --a------ C:\WINDOWS\WpAJTrYf67HazytRD.exe
2007-06-05 21:31 102400 --a------ C:\WINDOWS\MBDownloader_876916.exe
2007-05-16 08:12 86528 --a------ C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 08:12 85504 --a------ C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 08:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 08:12 683520 --a------ C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 08:12 510976 --a------ C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 08:12 1314816 --a------ C:\WINDOWS\system32\dllcache\msoe.dll
2006-11-18 11:59 17533000 --a------ C:\Program Files\ie7setup_mail.exe
1989-12-12 17:10:10 1,076,352 --sh--r C:\WINDOWS\zudalchA.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{492B901B-F1BB-4D0C-8C91-26C79783F2Bf}]
C:\WINDOWS\system32\cvvprjlo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8371CD08-751F-4CC2-9D01-CC79E8EF58F3}]
C:\Program Files\Messenger\meqocapoc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8556DBB2-5903-4783-9AF1-729D4CFFC0A9}]
C:\WINDOWS\system32\cvvprjlo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4319DD4-C256-4323-8133-113CE0282668}]
C:\WINDOWS\system32\pmnll.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F70C0C0E-9065-4FCB-9184-E95BDCC73564}]
C:\Program Files\Messenger\meqocapoc83122.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IPInSightMonitor 02"="C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" [2003-07-14 12:30]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 00:01]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 14:49]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 14:50]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 14:46]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 15:54]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 00:05]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 11:35]
"Acronis True Image Monitor"="C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe" [2007-08-06 16:53]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-08-06 16:53]
"zudalchA"="C:\WINDOWS\zudalchA.exe" [1989-12-12 10:10]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-08-04 00:17]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" []
"Sen"="C:\PROGRA~1\COMMON~1\FNTS~1\wowexec.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]

C:\Documents and Settings\Doreen Greyshock\Start Menu\Programs\Startup\
DESKTOP.INI [2004-08-10 12:04:12]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [2004-08-10 12:04:12]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-01-11 06:54:36]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-09-04 15:23:00]
QuickBooks 2001 Delivery Agent.lnk - C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe [2005-01-19 20:29:48]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-01-20 22:08:45]
Service Manager.norun [2005-01-17 17:57:44]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\ComPlus Applications\rtelek.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrssst]
rqrssst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Doreen Greyshock^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Doreen Greyshock\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Doreen Greyshock^Start Menu^Programs^Startup^Think-Adz.lnk]
path=C:\Documents and Settings\Doreen Greyshock\Start Menu\Programs\Startup\Think-Adz.lnk
backup=C:\WINDOWS\pss\Think-Adz.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Doreen Greyshock^Start Menu^Programs^Startup^Yahoo! Widget Engine.lnk]
path=C:\Documents and Settings\Doreen Greyshock\Start Menu\Programs\Startup\Yahoo! Widget Engine.lnk
backup=C:\WINDOWS\pss\Yahoo! Widget Engine.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
C:\WINDOWS\SYSTEM32\twinkndt.exe CHD003

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HbTools]
C:\Program Files\HbTools\Bin\4.8.4.0\HbtOEAddOn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IpWins]
C:\Program Files\Ipwindows\ipwins.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\j2201239]
rundll32 C:\WINDOWS\system32\j2201239.dll sook

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lvgpak]
"C:\Program Files\Common Files\?icrosoft.NET\n?lookup.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
"C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Oentrcf]
"C:\Program Files\Common Files\?dobe\t?skmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\retadpu2000219.exe 61A847B5BBF72810329B385473F001F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
"C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sen]
"C:\PROGRA~1\COMMON~1\FNTS~1\wowexec.exe" -vt yazb

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
rundll32.exe "C:\WINDOWS\system32\yxsevnys.dll",forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wkjutbpA]
C:\WINDOWS\wkjutbpA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
C:\Program Files\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zudalchA]
C:\WINDOWS\zudalchA.exe

R0 hotcore;hotcore;C:\WINDOWS\system32\drivers\hotcore.sys
R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\system32\DRIVERS\snapman.sys
R0 timounter;Acronis TrueImage Backup Archive Explorer;C:\WINDOWS\system32\DRIVERS\timntr.sys
R2 NAVAPEL;NAVAPEL;\??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS
R2 tifsfilter;Acronis TrueImage FS Filter;C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
R3 NAVAP;NAVAP;\??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAP.sys
S1 wceusbsh;Windows CE USB Serial Host Driver;C:\WINDOWS\system32\DRIVERS\wceusbsh.sys
S3 MSSQL$LACERTEDB;MSSQL$LACERTEDB;C:\Program Files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlservr.exe -sLACERTEDB
S3 SDDMI2;SDDMI2;\??\C:\WINDOWS\system32\DDMI2.sys
S3 SQLAgent$LACERTEDB;SQLAgent$LACERTEDB;C:\Program Files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlagent.EXE -i LACERTEDB


Contents of the 'Scheduled Tasks' folder
2007-08-09 17:37:05 C:\WINDOWS\Tasks\EasyShare Registration RunOnce Task.job
2007-06-18 02:41:00 C:\WINDOWS\Tasks\EasyShare Registration Task.job - C:\WINDOWS\system32\RUNDLL32.EXE
2007-07-21 01:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (D7SZGK61-Doreen Greyshock).job - c:\program files\mcafee.com\vso\mcmnhdlr.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-09 10:38:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acronis True Image Monitor"="C:\\Program Files\\Acronis\\TrueImage\\TrueImageMonitor.exe"

Completion time: 2007-08-09 10:40:30 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-09 10:40

--- E O F ---

#6 Trevuren

  • Malware Response Team
  • 1,006 posts
  • Gender:Male
  • Location:Ontario, Canada

Posted 09 August 2007 - 01:12 PM

A. I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player's components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager, the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.


Viewpoint Manager is considered foistware rather than malware since it is installed without the user's approval but doesn't spy or do anything "bad". This may change; read Viewpoint to Plunge Into Adware.
I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):

1. Click Start, then Settings, then click Control Panel.
2. In Control Panel, double-click Add or Remove Programs.
3. In Add or Remove Programs, Remove the Viewpoint component
4. Do the same for each Viewpoint component.


B. In addition, please UNINSTALL any programs from MyWay and NoAdware (if present).


C. Please provide me with a fresh HijackThis log as requested in my previous post.

Trevuren
Microsoft MVP - Consumer Security 2008 - 2009


#7 socaljarhead

  • Topic Starter
  • Members
  • 7 posts

Posted 09 August 2007 - 01:28 PM

Sorry, I missed the new hijack log...;) See below

Also, I uninstalled Viewpoint; there is nothing from NoAdware, and the item for MyWay does not have a remove option, so I don't know how to get rid of it.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:26:34 AM, on 8/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\zudalchA.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {492B901B-F1BB-4D0C-8C91-26C79783F2Bf} - C:\WINDOWS\system32\cvvprjlo.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {8371CD08-751F-4CC2-9D01-CC79E8EF58F3} - C:\Program Files\Messenger\meqocapoc.dll (file missing)
O2 - BHO: (no name) - {8556DBB2-5903-4783-9AF1-729D4CFFC0A9} - C:\WINDOWS\system32\cvvprjlo.dll (file missing)
O2 - BHO: (no name) - {D4319DD4-C256-4323-8133-113CE0282668} - C:\WINDOWS\system32\pmnll.dll (file missing)
O2 - BHO: (no name) - {F70C0C0E-9065-4FCB-9184-E95BDCC73564} - C:\Program Files\Messenger\meqocapoc83122.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Acronis True Image Monitor] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
O4 - HKLM\..\Run: [zudalchA] C:\WINDOWS\zudalchA.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Sen] "C:\PROGRA~1\COMMON~1\FNTS~1\wowexec.exe" -vt yazb
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.norun
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0F15679F-75AB-4B96-A08C-472B7DB1A0F2} (03PrepInstall) - https://www.lacertesoftware.com/my_account/...prepinstall.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137260615250
O16 - DPF: {710B08F6-6CD1-48EA-BC2F-5D31741DC480} (03WebInstall) - https://www.lacertesoftware.com/my_account/...3webinstall.cab
O16 - DPF: {72109033-D398-49B6-8C11-A15619BEE0AF} (04WebInstall) - https://www.lacertesoftware.com/my_account/...4webinstall.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: rqrssst - rqrssst.dll (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
O24 - Desktop Component 0: (no name) - C:\Program Files\ComPlus Applications\rtelek.html

--
End of file - 9876 bytes

#8 Trevuren

  • Malware Response Team
  • 1,006 posts
  • Gender:Male
  • Location:Ontario, Canada

Posted 09 August 2007 - 01:41 PM

A. Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 2 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u2...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.
Now to Clean out the Java cache:

Go into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache. Leave ALL 3 checked:
    • Downloaded Applets
    • Downloaded Applications
    • Other Files
  • Click OK on the Delete Temporary Files window.
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.

B. Please RUN HijackThis
  • Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    O2 - BHO: (no name) - {492B901B-F1BB-4D0C-8C91-26C79783F2Bf} - C:\WINDOWS\system32\cvvprjlo.dll (file missing)
    O2 - BHO: (no name) - {8371CD08-751F-4CC2-9D01-CC79E8EF58F3} - C:\Program Files\Messenger\meqocapoc.dll (file missing)
    O2 - BHO: (no name) - {8556DBB2-5903-4783-9AF1-729D4CFFC0A9} - C:\WINDOWS\system32\cvvprjlo.dll (file missing)
    O2 - BHO: (no name) - {D4319DD4-C256-4323-8133-113CE0282668} - C:\WINDOWS\system32\pmnll.dll (file missing)
    O2 - BHO: (no name) - {F70C0C0E-9065-4FCB-9184-E95BDCC73564} - C:\Program Files\Messenger\meqocapoc83122.dll (file missing)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [zudalchA] C:\WINDOWS\zudalchA.exe
    O4 - HKCU\..\Run: [Sen] "C:\PROGRA~1\COMMON~1\FNTS~1\wowexec.exe" -vt yazb
    O20 - Winlogon Notify: rqrssst - rqrssst.dll (file missing)
    O24 - Desktop Component 0: (no name) - C:\Program Files\ComPlus Applications\rtelek.html


  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

C. 1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\SYSTEM32\DRIVERS\klick.dat
C:\WINDOWS\WpAJTrYf67HazytRD.exe
C:\WINDOWS\SYSTEM32\DRIVERS\klin.dat
C:\WINDOWS\SYSTEM32\DRIVERS\kl1.sys
C:\WINDOWS\MBDownloader_876916.exe
C:\WINDOWS\zudalchA.exe
C:\WINDOWS\SYSTEM32\twinkndt.exe
C:\WINDOWS\pss\Think-Adz.lnkStartup
C:\WINDOWS\SYSTEM32\twinkndt.exe
C:\WINDOWS\system32\j2201239.dll
C:\WINDOWS\retadpu2000219.exe
C:\Program Files\ComPlus Applications\rtelek.html

Folder::
C:\Program Files\MyWay
C:\Program Files\NoAdware5.0
C:\Program Files\Viewpoint
C:\Program Files\Ipwindows

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Doreen Greyshock^Start Menu^Programs^Startup^Think-Adz.lnk] 
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IpWins]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\j2201239]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lvgpak]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Oentrcf]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sen]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wkjutbpA]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zudalchA]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Microsoft MVP - Consumer Security 2008 - 2009

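The loading points Trevuren has the poster fix in step B fall into a few recognisable patterns: O2/O3/O20 entries whose DLL is already gone (an orphaned registry entry that only a registry edit can clear), an O4 Run entry launching a random-named EXE straight from the Windows root, and an O24 desktop component pointing at a local HTML file. The ComboFix "Reg Loading Points" section above also shows two disabled startup entries whose paths print as `?icrosoft.NET` and `?dobe`; since `?` is not a legal character in a Windows file name, a `?` inside a printed path means the scanner could not render a non-ANSI character, which is how a folder is made to look like "Microsoft.NET" or "Adobe" in a listing. The script below is an added example written for this page and is not part of the thread, HijackThis or ComboFix; the heuristics, the `triage` and `summarize` function names, and the two O4 lines recast from the ComboFix `msconfig\startupreg` entries (Lvgpak, Oentrcf) are assumptions for illustration. The other sample lines are taken from the HijackThis log posted above.

```python
"""Triage HijackThis-style log lines for the loading points fixed in this thread.

Added example for this page (not the thread's, HijackThis's or ComboFix's code).
Heuristics are assumptions drawn from the logs above:
  * O2 (BHO), O3 (toolbar) and O20 (Winlogon Notify) entries marked
    '(file missing)' / '(no file)' are orphaned registry entries;
  * an O4 Run entry whose EXE sits directly in the Windows root is unusual
    enough to review (zudalchA.exe above is the pattern);
  * a path containing a character Windows forbids in file names means the
    scanner replaced a non-ANSI character: a lookalike folder name;
  * an O24 desktop component pointing at a local .html is a hijacked desktop.
"""
import re
from dataclasses import dataclass

# Characters that cannot appear in a Windows file name. A scanner that prints
# one of these inside a path substituted it for a non-ANSI character.
ILLEGAL_IN_PATH = '?*"<>|'


@dataclass
class Finding:
    kind: str   # short label for the heuristic that fired
    line: str   # the offending log line, verbatim


def _launch_path(body):
    """Return the executable an O4 entry launches, quoted or not."""
    m = re.search(r'\]\s+"?([A-Za-z]:\\[^"]*?\.exe)', body, re.IGNORECASE)
    return m.group(1) if m else None


def _in_windows_root(path):
    """True when the file sits directly in C:\\WINDOWS (not a subfolder)."""
    parent = path.rsplit("\\", 1)[0].lower()
    return parent in ("c:\\windows", "c:\\winnt")


def _has_illegal_char(path):
    return any(c in ILLEGAL_IN_PATH for c in path)


def triage(log_text):
    """Scan HijackThis lines and return a Finding per suspicious pattern."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tag = line.split(" ", 1)[0]
        if tag in ("O2", "O3", "O20") and (
            "(file missing)" in line or "(no file)" in line
        ):
            findings.append(Finding("orphaned-registry-entry", line))
        elif tag == "O4":
            path = _launch_path(line)
            if path is None:
                continue
            if _has_illegal_char(path):
                findings.append(Finding("lookalike-path", line))
            if _in_windows_root(path):
                findings.append(Finding("exe-in-windows-root", line))
        elif tag == "O24" and re.search(r"\.html?\s*$", line, re.IGNORECASE):
            findings.append(Finding("desktop-component-html", line))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'orphaned-registry-entry': 4, ...}."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed input: lines from the HijackThis log above, plus the Lvgpak and
# Oentrcf entries recast from ComboFix's msconfig\startupreg section as O4 lines.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {492B901B-F1BB-4D0C-8C91-26C79783F2Bf} - C:\WINDOWS\system32\cvvprjlo.dll (file missing)
O2 - BHO: (no name) - {D4319DD4-C256-4323-8133-113CE0282668} - C:\WINDOWS\system32\pmnll.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [zudalchA] C:\WINDOWS\zudalchA.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lvgpak] "C:\Program Files\Common Files\?icrosoft.NET\n?lookup.exe"
O4 - HKLM\..\Run: [Oentrcf] "C:\Program Files\Common Files\?dobe\t?skmgr.exe"
O20 - Winlogon Notify: rqrssst - rqrssst.dll (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\ComPlus Applications\rtelek.html
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.kind:26} {f.line}")
    print(summarize(results))
```

Run it against a full HijackThis log saved to disk by passing the file contents to `triage()`. The legitimate entries in the sample (the Adobe BHO, the QuickTime Run key) produce nothing, while the eight entries this thread removes are each flagged once.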

#9 socaljarhead

  • Topic Starter
  • Members
  • 7 posts

Posted 09 August 2007 - 03:50 PM

Well, things are starting to look a little better here..;)


ComboFix 07-08-10 - "Doreen Greyshock" 2007-08-09 13:20:33.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.194 [GMT -7:00]
Command switches used :: C:\Documents and Settings\Doreen Greyshock\Desktop\CFscript.txt
* Created a new restore point

FILE::
C:\WINDOWS\SYSTEM32\DRIVERS\klick.dat
C:\WINDOWS\WpAJTrYf67HazytRD.exe
C:\WINDOWS\SYSTEM32\DRIVERS\klin.dat
C:\WINDOWS\SYSTEM32\DRIVERS\kl1.sys
C:\WINDOWS\MBDownloader_876916.exe
C:\WINDOWS\zudalchA.exe
C:\WINDOWS\SYSTEM32\twinkndt.exe
C:\WINDOWS\pss\Think-Adz.lnkStartup
C:\WINDOWS\system32\j2201239.dll
C:\WINDOWS\retadpu2000219.exe
C:\Program Files\ComPlus Applications\rtelek.html


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\MyWay
C:\Program Files\NoAdware5.0
C:\Program Files\NoAdware5.0\logs\Date(11-6-2007) Time(20-44-53).txt
C:\Program Files\NoAdware5.0\logs\Date(11-6-2007) Time(21-37-46).txt
C:\Program Files\NoAdware5.0\noadware4_061107.na
C:\Program Files\NoAdware5.0\noadware4_061807.na.zip
C:\WINDOWS\MBDownloader_876916.exe
C:\WINDOWS\pss\Think-Adz.lnkStartup
C:\WINDOWS\SYSTEM32\twinkndt.exe
C:\WINDOWS\WpAJTrYf67HazytRD.exe
C:\WINDOWS\zudalchA.exe


((((((((((((((((((((((((( Files Created from 2007-07-09 to 2007-08-09 )))))))))))))))))))))))))))))))


2007-08-09 13:11 <DIR> d-------- C:\Program Files\RealVNC
2007-08-09 10:45 1 --a------ C:\WINDOWS\AR.DAT
2007-08-09 10:44 <DIR> d-------- C:\Program Files\AddRemove
2007-08-09 10:18 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-08 16:49 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-08 16:30 <DIR> d-------- C:\DOCUME~1\DOREEN~1\.housecall6.6
2007-08-08 16:10 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-08-08 14:09 4,212 ---h----- C:\WINDOWS\SYSTEM32\zllictbl.dat
2007-08-08 14:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-08-08 14:08 11,264 --a------ C:\WINDOWS\SYSTEM32\SpOrder.dll
2007-08-08 14:07 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-08-08 12:14 3,870,720 --a------ C:\WINDOWS\SYSTEM32\qt-mt323.dll
2007-08-08 12:14 18,208 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\hotcore.sys
2007-08-08 12:14 <DIR> d-------- C:\Program Files\Paragon Software
2007-08-07 14:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-07 10:56 <DIR> d-------- C:\VundoFix Backups
2007-08-06 17:03 <DIR> d-------- C:\DOCUME~1\DOREEN~1\APPLIC~1\Acronis
2007-08-06 16:53 77,856 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\snapman.sys
2007-08-06 16:53 478,208 --a------ C:\WINDOWS\SYSTEM32\autoprnt.exe
2007-08-06 16:53 37,888 --a------ C:\WINDOWS\SYSTEM32\setupnt.dll
2007-08-06 16:53 28,000 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tifsfilt.sys
2007-08-06 16:53 200,416 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\timntr.sys
2007-08-06 16:53 122,880 --a------ C:\WINDOWS\SYSTEM32\snapapi.dll
2007-08-06 16:53 <DIR> d-------- C:\Program Files\Common Files\Acronis
2007-08-06 16:53 <DIR> d-------- C:\Program Files\Acronis
2007-08-06 14:37 14,848 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kbdhid.sys
2007-08-06 14:37 14,848 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\kbdhid.sys
2007-08-05 11:38 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-05 11:27 786,432 --ah----- C:\DOCUME~1\ADMINI~1.OFF\NTUSER.DAT
2007-08-05 11:27 <DIR> d-------- C:\DOCUME~1\ADMINI~1.OFF\APPLIC~1\Sonic
2007-08-05 11:27 <DIR> d-------- C:\DOCUME~1\ADMINI~1.OFF\APPLIC~1\Jasc Software Inc
2007-08-05 10:56 83,672 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2007-08-05 10:56 73,224 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS
2007-08-05 10:53 <DIR> d-------- C:\Program Files\Symantec
2007-08-05 10:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-08-05 10:52 <DIR> d-------- C:\Program Files\Symantec_Client_Security
2007-08-05 10:52 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-05 10:30 <DIR> d-------- C:\DOCUME~1\DOREEN~1\APPLIC~1\Lavasoft
2007-07-16 16:06 <DIR> d-------- C:\DOCUME~1\DAVIDG~1\APPLIC~1\AdobeUM


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-09 10:24 --------- d-------- C:\Program Files\Messenger
2007-08-08 13:49 --------- d-------- C:\Program Files\Jasc Software Inc
2007-08-08 12:14 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-07 16:55 --------- d-------- C:\Program Files\Common Files\Real
2007-08-07 16:55 --------- d-------- C:\DOCUME~1\DOREEN~1\APPLIC~1\Real
2007-08-07 16:54 --------- d-------- C:\Program Files\Flock
2007-08-07 16:54 --------- d-------- C:\DOCUME~1\DOREEN~1\APPLIC~1\Flock
2007-08-05 11:00 --------- d-------- C:\Program Files\McAfee.com
2007-05-16 08:12 86528 --a------ C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 08:12 85504 --a------ C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 08:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 08:12 683520 --a------ C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 08:12 510976 --a------ C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 08:12 1314816 --a------ C:\WINDOWS\system32\dllcache\msoe.dll
2006-11-18 11:59 17533000 --a------ C:\Program Files\ie7setup_mail.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IPInSightMonitor 02"="C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" [2003-07-14 12:30]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 00:01]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 14:49]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 14:50]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 14:46]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 15:54]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 00:05]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 11:35]
"Acronis True Image Monitor"="C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe" [2007-08-06 16:53]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-08-06 16:53]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-08-04 00:17]
"WinVNC"="C:\Program Files\RealVNC\WinVNC\WinVNC.exe" [2003-03-05 13:49]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]

C:\Documents and Settings\Doreen Greyshock\Start Menu\Programs\Startup\
DESKTOP.INI [2004-08-10 12:04:12]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [2004-08-10 12:04:12]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-01-11 06:54:36]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-09-04 15:23:00]
QuickBooks 2001 Delivery Agent.lnk - C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe [2005-01-19 20:29:48]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-01-20 22:08:45]
Service Manager.norun [2005-01-17 17:57:44]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Doreen Greyshock^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Doreen Greyshock\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Doreen Greyshock^Start Menu^Programs^Startup^Yahoo! Widget Engine.lnk]
path=C:\Documents and Settings\Doreen Greyshock\Start Menu\Programs\Startup\Yahoo! Widget Engine.lnk
backup=C:\WINDOWS\pss\Yahoo! Widget Engine.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HbTools]
C:\Program Files\HbTools\Bin\4.8.4.0\HbtOEAddOn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
"C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
C:\Program Files\Yahoo!\browser\ybrwicon.exe

R0 hotcore;hotcore;C:\WINDOWS\system32\drivers\hotcore.sys
R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\system32\DRIVERS\snapman.sys
R0 timounter;Acronis TrueImage Backup Archive Explorer;C:\WINDOWS\system32\DRIVERS\timntr.sys
R2 NAVAPEL;NAVAPEL;\??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS
R2 tifsfilter;Acronis TrueImage FS Filter;C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
R3 NAVAP;NAVAP;\??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAP.sys
S1 wceusbsh;Windows CE USB Serial Host Driver;C:\WINDOWS\system32\DRIVERS\wceusbsh.sys
S3 MSSQL$LACERTEDB;MSSQL$LACERTEDB;C:\Program Files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlservr.exe -sLACERTEDB
S3 SDDMI2;SDDMI2;\??\C:\WINDOWS\system32\DDMI2.sys
S3 SQLAgent$LACERTEDB;SQLAgent$LACERTEDB;C:\Program Files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlagent.EXE -i LACERTEDB

*Newly Created Service* - WINVNC

Contents of the 'Scheduled Tasks' folder
2007-08-09 20:08:45 C:\WINDOWS\Tasks\EasyShare Registration RunOnce Task.job
2007-06-18 02:41:00 C:\WINDOWS\Tasks\EasyShare Registration Task.job - C:\WINDOWS\system32\RUNDLL32.EXE
2007-07-21 01:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (D7SZGK61-Doreen Greyshock).job - c:\program files\mcafee.com\vso\mcmnhdlr.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-09 13:23:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acronis True Image Monitor"="C:\\Program Files\\Acronis\\TrueImage\\TrueImageMonitor.exe"

Completion time: 2007-08-09 13:24:10
C:\ComboFix-quarantined-files.txt ... 2007-08-09 13:24
C:\ComboFix2.txt ... 2007-08-09 10:40

--- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:25:40 PM, on 8/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Acronis True Image Monitor] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.norun
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0F15679F-75AB-4B96-A08C-472B7DB1A0F2} (03PrepInstall) - https://www.lacertesoftware.com/my_account/...prepinstall.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137260615250
O16 - DPF: {710B08F6-6CD1-48EA-BC2F-5D31741DC480} (03WebInstall) - https://www.lacertesoftware.com/my_account/...3webinstall.cab
O16 - DPF: {72109033-D398-49B6-8C11-A15619BEE0AF} (04WebInstall) - https://www.lacertesoftware.com/my_account/...4webinstall.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\WinVNC.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

--
End of file - 9285 bytes

#10 Trevuren

  • Malware Response Team
  • 1,006 posts
  • Gender:Male
  • Location:Ontario, Canada

Posted 09 August 2007 - 04:00 PM

A. Please RUN HijackThis
  • Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)


  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

B. Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner
Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply, along with a fresh HijackThis log

C. Please also tell me how your system is running.

Trevuren
Microsoft MVP - Consumer Security 2008 - 2009

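Added example, not from the thread and not part of HijackThis itself: a small Python script that parses HJT log lines like the ones posted above and flags the two kinds of entry Trevuren asked to have fixed, generalized to any entry that HijackThis marks as pointing at a missing file (the "(no file)" and "(file missing)" markers). The sample lines are copied from the log in this thread; the triage rules and function names are assumptions of this example.

```python
import re

# Sample lines copied from the HJT log posted above (plus one clean O2 entry), assembled as constructed input.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
"""

# HijackThis prints these markers when a registry entry points at a file that is no longer on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_line(line):
    """Split one HJT line into section code, CLSID (if any) and target or value."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # process list, headers, blank lines
    section, body = m.group("section"), m.group("body")
    clsid = CLSID_RE.search(body)
    entry = {"section": section, "body": body, "target": None, "value": None,
             "clsid": clsid.group(0) if clsid else None}
    if section in ("R0", "R1") and " = " in body:
        # R0/R1 lines read "registry key,value name = data"
        entry["value"] = body.split(" = ", 1)[1].strip()
    elif " - " in body:
        # R3/O2/O3/O9/O23 lines end with " - <file path or marker>"
        entry["target"] = body.rsplit(" - ", 1)[1].strip()
    return entry


def triage(entry):
    """Return the reasons an entry deserves attention; an empty list means leave it."""
    reasons = []
    if entry["target"] and entry["target"].endswith(ORPHAN_MARKERS):
        reasons.append("orphaned: points at a file that is not on disk")
    if (entry["section"] == "R0" and "Start Page" in entry["body"]
            and entry["value"] == "about:blank"):
        reasons.append("IE start page is about:blank (flagged for fixing in this thread)")
    return reasons


def flagged_entries(log_text):
    """Parse a whole log; return [(section, identifier, reasons)] for flagged lines."""
    results = []
    for line in log_text.strip().splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            ident = entry["clsid"] or entry["target"] or entry["value"]
            results.append((entry["section"], ident, reasons))
    return results


if __name__ == "__main__":
    for section, ident, reasons in flagged_entries(SAMPLE_LOG):
        print(f"{section:<4}{ident}: {'; '.join(reasons)}")
```

Entries that are not flagged (the Adobe BHO, the WinVNC Run key) are left for a human to judge; the script only surfaces dead references and the hijacked start page.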

#11 socaljarhead

  • Topic Starter
  • Members
  • 7 posts

Posted 10 August 2007 - 11:11 AM

Good morning, Trevuren

Well, my client needed her PC back yesterday and so came to pick it up. I explained that it was not totally clean but they needed it for work.

I ran that last Kaspersky scan and it did actually find about 50 bad files. The nice thing was even though it didn't clean them, the Symantec Anti Virus I had put on there was catching every one of them and putting them in quarantine. So, at the end I was able to delete them all...;)

At any rate, thank you very much for your help. The PC was running much much better and was missing all the popups that were there before.

I told her that at some point, I would need to work on it again as there is one last message that still pops up at boot. I saw mention of it on Google but couldn't get rid of it. So, maybe I can work with you again later to get the PC completely clean.

Thanks a lot.

Socaljarhead

#12 Jacee

  • Bleeping around
  • Malware Response Team
  • 3,716 posts
  • Gender:Female

Posted 10 August 2007 - 05:20 PM

Hello socaljarhead,
Trevuren is unable to get to the forums due to problems with his ISP. He has worked with you for free. While I like to see a machine cleaned up going out of this forum, I think it would only be fair to our HJT Team, if they were to help people who weren't being paid to do their work for them.

I hope you understand. We have a ton of infected computers on many different forums and they all need to be cleaned....we volunteer our time to help clean up the Internet.

Thanks,
Jacee

MS MVP Windows-Security 2006-2016
Member of UNITE, the Unified Network of Instructors and Trusted Eliminators

Admin PC Pitstop