Win32.trojandownloader.adload Problem


19 replies to this topic

#1 Exclamation (Members, 14 posts, Location: New York)

Posted 17 August 2007 - 03:06 PM

Hi all, I'm having some computer problems that I've written about on another section of this forum. I keep getting many pop-ups of all sorts and little aspects of my computer work very slowly. Safe mode isn't easily accessible or workable, and it used to be before this problem. Thanks in advance for all help. :thumbsup:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:01:40 PM, on 8/17/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Online Services\mezekosol22011.exe
C:\Program Files\AIM95\aim.exe
C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\SYSTEM\Userinit.exe
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MRT] "C:\WINDOWS\System32\MRT.exe" /R
O4 - HKLM\..\Run: [mezekosol] C:\Program Files\Online Services\mezekosol22011.exe
O4 - HKLM\..\Run: [{00-0A-A0-0D-ZN}] C:\Documents and Settings\default\Local Settings\Temp\thinksnet.exe CHD003
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\System32\rvjenaqb.dll",forkonce
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ISMModule2] "C:\Program Files\ISM\ISMModule2.exe"
O4 - HKCU\..\Run: [Blmzumm] "C:\Program Files\Common Files\s?stem32\w?crtupd.exe"
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.1\webbuying.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Saar] "C:\WINDOWS\WNSXS~1\rundll32.exe" -vt ndrv
O4 - HKUS\S-1-5-18\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'Default user')
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\default\Local Settings\Temp\thinksnet.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: IMI - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://business.dellnet.com/ (file missing) (HKCU)
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potg_x.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.soundclick.com/CFIDE/classes/CFJava.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.microgaming.com/DLhelper/ve...n7/dlhelper.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw12fd.law12.hotmail.msn.com/activex/HMAtchmt.ocx
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\myinlbou.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Accessories\rtemecoq.html

--
End of file - 7499 bytes


#2 miekiemoes (Malware Killer Dog; Malware Response Team, 19,420 posts, Location: Belgium)

Posted 17 August 2007 - 05:02 PM

Hi,

I see you have Viewpoint installed...
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change, from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
I notice that you do not seem to be running Antivirus software and a Firewall. This is somewhat suicidal in today's digital world.
That's why I want you to install them first!!

Avira, AVG OR Avast are good FREE antivirus programs.
Never install more than one antivirus scanner or firewall on your system! Several together can cause problems and seriously decrease your system's reliability!
Comodo OR Kerio are FREE firewalls.

Understanding and using firewalls

Reboot your computer afterwards.
After reboot, perform a full scan with your Antivirus and let it remove anything it is finding. Then reboot once again in order to delete files that were in use previously.

Post a new HijackThis log in your next reply - then we'll start from there, because otherwise it really makes no sense for us to clean this up manually when no antivirus scanner is present, which should be able to deal with most of it and prevent further reinfection.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Exclamation (Topic Starter; Members, 14 posts, Location: New York)

Posted 17 August 2007 - 05:13 PM

I've deleted Viewpoint and Viewpoint Media Player from the Control Panel, but I didn't find the Viewpoint Manager. Is it hiding somewhere else or under a different name perhaps? And is there anything else in my processes or Control Panel that I should remove? I just feel like some of the things that are there may be bad for my computer.

Also, which would you personally suggest out of Avira, AVG or Avast? Same with the firewall choices being Comodo or Kerio, which would you prefer?

#4 miekiemoes (Malware Killer Dog; Malware Response Team, 19,420 posts, Location: Belgium)

Posted 17 August 2007 - 05:18 PM

Hi,

Don't worry if you couldn't find Viewpoint Manager. That's why I also said to uninstall it IF present.

> Also, which would you personally suggest out of Avira, AVG or Avast? Same with the firewall choices being Comodo or Kerio, which would you prefer?

I like the combination Avira Antivirus + Comodo Firewall. But AVG and Avast are also great antivirus programs, and the same goes for Kerio Firewall. So actually it's up to you. What I suggest here is: go to their sites and read what they have to offer - and choose the one you like the most :thumbsup:

#5 miekiemoes (Malware Killer Dog; Malware Response Team, 19,420 posts, Location: Belgium)

Posted 17 August 2007 - 05:19 PM

> And is there anything else in my processes or Control Panel that I should remove?

Missed that part previously.
Actually, it may be better if you posted an Uninstall log, so I can see what other programs you have to uninstall.
To get the uninstall log, open HijackThis, click Config, then click Misc Tools.
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

#6 Exclamation (Topic Starter; Members, 14 posts, Location: New York)

Posted 17 August 2007 - 06:11 PM

Thanks for the pointers, I'll get to downloading those soon, I may have to leave soon, so I don't want to start anything until I have time to sit here with it for a while.

I just tried to post the uninstall log, but I had a problem. I followed your directions and all went well until I clicked "save list," which did not generate a list, but just calmly closed out the Hijack This program. I tried again, and the same thing happened. Am I missing something, or missing a step?

#7 miekiemoes (Malware Killer Dog; Malware Response Team, 19,420 posts, Location: Belgium)

Posted 18 August 2007 - 12:42 AM

Don't worry about the uninstall list for now.

Just look in Add/Remove Programs to see if the following are present as well, and uninstall them:

Go to Start > Control Panel > Software > Add/Remove Programs and uninstall the following if present:

WebBuying
Winpop
Enhanced Ads by Think-Adz
Think-Adz Search Assistant
Outerinfo
Oin
Yazzle by Oin
YazzleActiveX By OIN
Purityscan by Oin
MediaTickets by OIN
Snowballwars by Oin
Cowabanga by OIN
or anything similar with Oin in it.


Reboot when done! Really important!

#8 Exclamation (Topic Starter; Members, 14 posts, Location: New York)

Posted 19 August 2007 - 04:05 PM

Okay, so I've downloaded Avira and Comodo. I seem to understand how Comodo works, it just asks me every time I'm about to do something if it's okay or not, but now every five seconds, LITERALLY, as I'm typing this, Avira is coming up with a "Detection!" window and telling me I have a virus called khhhg.dll in my System32 folder.

There seems to be nothing I can do to stop this detection from coming up - how many of these files could I have? I can literally only type like six words at a time before it pops up and I need to manually select 'delete.' It's driving me insane. What can I do about this? :thumbsup:

Comodo seems to have stopped a few bad things that weren't supposed to be running. At first, I did run the Avira and it found some things, I deleted them, then I rebooted. Now I have this problem with the khhhg.dll detection. After I get this fixed, should I then give a Hijack This report? Or should I give one now? Thanks, you guys. :flowers:

#9 miekiemoes (Malware Killer Dog; Malware Response Team, 19,420 posts, Location: Belgium)

Posted 19 August 2007 - 11:31 PM

Hi,

Avira won't be able to deal with this khhhg.dll, but we'll deal with it in another way afterwards.
Just post a new HijackThis log, then I can give my next set of instructions.

#10 Exclamation (Topic Starter; Members, 14 posts, Location: New York)

Posted 20 August 2007 - 01:48 AM

Here you go. :thumbsup:

I get the feeling that this specific "O4 - HKLM\..\Run: [mezekosol] C:\Program Files\Online Services\mezekosol22011.exe" should not be there.

-----

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:45:46 AM, on 8/20/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\SYSTEM\Userinit.exe
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MRT] "C:\WINDOWS\System32\MRT.exe" /R
O4 - HKLM\..\Run: [mezekosol] C:\Program Files\Online Services\mezekosol22011.exe
O4 - HKLM\..\Run: [{00-0A-A0-0D-ZN}] C:\Documents and Settings\default\Local Settings\Temp\thinksnet.exe CHD003
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\System32\ubaulpms.dll",forkonce
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ISMModule2] "C:\Program Files\ISM\ISMModule2.exe"
O4 - HKCU\..\Run: [Blmzumm] "C:\Program Files\Common Files\s?stem32\w?crtupd.exe"
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.1\webbuying.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Saar] "C:\WINDOWS\WNSXS~1\rundll32.exe" -vt ndrv
O4 - HKUS\S-1-5-18\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'Default user')
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\default\Local Settings\Temp\thinksnet.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: IMI - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://business.dellnet.com/ (file missing) (HKCU)
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potg_x.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.soundclick.com/CFIDE/classes/CFJava.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.microgaming.com/DLhelper/ve...n7/dlhelper.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw12fd.law12.hotmail.msn.com/activex/HMAtchmt.ocx
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\myinlbou.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Accessories\rtemecoq.html

--
End of file - 8123 bytes

#11 miekiemoes (Malware Killer Dog; Malware Response Team, 19,420 posts, Location: Belgium)

Posted 20 August 2007 - 12:15 PM

Hi,

> I get the feeling that this specific "O4 - HKLM\..\Run: [mezekosol] C:\Program Files\Online Services\mezekosol22011.exe" should not be there.

There's more than that that shouldn't be there.
Please perform my steps in the right order without missing any steps.

* Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab
Select "C:\Program Files\Accessories\rtemecoq.html" you find in there and press the delete button on the right.
Hit ok below > apply in previous window.

Then,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\SYSTEM\Userinit.exe
O4 - HKLM\..\Run: [mezekosol] C:\Program Files\Online Services\mezekosol22011.exe
O4 - HKLM\..\Run: [{00-0A-A0-0D-ZN}] C:\Documents and Settings\default\Local Settings\Temp\thinksnet.exe CHD003
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\System32\ubaulpms.dll",forkonce
O4 - HKCU\..\Run: [ISMModule2] "C:\Program Files\ISM\ISMModule2.exe"
O4 - HKCU\..\Run: [Blmzumm] "C:\Program Files\Common Files\s?stem32\w?crtupd.exe"
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.1\webbuying.exe
O4 - HKCU\..\Run: [Saar] "C:\WINDOWS\WNSXS~1\rundll32.exe" -vt ndrv
O4 - HKUS\S-1-5-18\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'Default user')
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\default\Local Settings\Temp\thinksnet.exe
O9 - Extra button: (no name) - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: IMI - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.microgaming.com/DLhelper/ve...n7/dlhelper.cab
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\myinlbou.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\Accessories\rtemecoq.html


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Download Combofix to your desktop.
Double-click combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt.
Post the contents of this log in your next reply together with a new HijackThis log.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
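Added example, not from this thread, from HijackThis or from the helper: a Python triage over a constructed subset of the O4/O23 lines quoted above, encoding the structural tells that make a helper look twice at an entry (a module that runs from Temp, a '?' where a non-printable character sits in a path, rundll32.exe outside System32, random-looking module names in System32, a service with no owner or a missing binary). The heuristics and the SYSTEM32 folder assumption are mine for illustration; an entry with none of these tells, such as [mezekosol], passes them, which is exactly where the helper's knowledge of known adware takes over.

```python
"""Heuristic triage of HijackThis O4 (autostart) and O23 (service) entries."""
import re
from typing import NamedTuple

# Constructed sample: a subset of the entries from the HijackThis log quoted
# in this thread, one entry per line, as HijackThis prints them.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [mezekosol] C:\Program Files\Online Services\mezekosol22011.exe
O4 - HKLM\..\Run: [{00-0A-A0-0D-ZN}] C:\Documents and Settings\default\Local Settings\Temp\thinksnet.exe CHD003
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\System32\ubaulpms.dll",forkonce
O4 - HKCU\..\Run: [Blmzumm] "C:\Program Files\Common Files\s?stem32\w?crtupd.exe"
O4 - HKCU\..\Run: [Saar] "C:\WINDOWS\WNSXS~1\rundll32.exe" -vt ndrv
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\myinlbou.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

# The two line shapes handled; every other HijackThis section is ignored.
O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$')
# A drive-letter path ending in a loadable module. HijackThis prints
# non-printable and non-ASCII characters in names as '?', so allow them.
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]*?\.(?:exe|dll|scr)', re.IGNORECASE)

SYSTEM32 = r'c:\windows\system32'  # assumption: default 32-bit Windows XP install


class Finding(NamedTuple):
    kind: str     # 'O4' or 'O23'
    name: str     # Run value name or service display name
    module: str   # first module the entry loads (or the raw command)
    flags: tuple  # structural tells that caused the flag


def flag_path(path: str) -> list:
    """Tells visible in a module path alone; an empty list means none."""
    flags = []
    low = path.lower()
    folder, _, filename = low.rpartition('\\')
    stem = filename.rsplit('.', 1)[0]
    if '\\temp\\' in low:
        flags.append('runs from a Temp directory')
    if '?' in path:
        flags.append('unprintable/non-ASCII character in path (lookalike name)')
    if filename == 'rundll32.exe' and folder != SYSTEM32:
        flags.append('rundll32.exe outside System32')
    # Eight lowercase letters with a run of three consonants is the shape of
    # the generated names here (ubaulpms, myinlbou); winlogon, services are not.
    if (folder == SYSTEM32 and re.fullmatch(r'[a-z]{8}', stem)
            and re.search(r'[bcdfghjklmnpqrstvwxz]{3}', stem)):
        flags.append('random-looking 8-letter module name in System32')
    return flags


def flag_o4(name: str, cmd: str) -> Finding:
    flags = []
    if re.fullmatch(r'\{[0-9A-Za-z-]+\}', name):
        flags.append('GUID-style Run value name')
    modules = PATH_RE.findall(cmd)
    for mod in modules:
        flags.extend(flag_path(mod))
    return Finding('O4', name, modules[0] if modules else cmd, tuple(flags))


def flag_o23(name: str, owner: str, path: str) -> Finding:
    flags = []
    if owner == 'Unknown owner':
        flags.append('service without a registered owner')
    if '(file missing)' in path:
        flags.append('service binary missing on disk')
    modules = PATH_RE.findall(path)
    for mod in modules:
        flags.extend(flag_path(mod))
    return Finding('O23', name, modules[0] if modules else path, tuple(flags))


def triage(log_text: str) -> list:
    """Findings for every O4/O23 entry with at least one tell. Entries with
    no structural tell (here [mezekosol]) pass: that is where the analyst's
    knowledge of known adware families takes over."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            f = flag_o4(m['name'], m['cmd'])
        else:
            m = O23_RE.match(line)
            if not m:
                continue
            f = flag_o23(m['name'], m['owner'], m['path'])
        if f.flags:
            findings.append(f)
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.kind} [{f.name}] {f.module}: ' + '; '.join(f.flags))
```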

#12 Exclamation (Topic Starter; Members, 14 posts, Location: New York)

Posted 22 August 2007 - 01:37 PM

Hiya,

Okay, so I've done all those steps. Before I post the log, let me just say that I had to remove Avira, as it was causing my computer many problems. Perhaps I'll be able to reinstall it later after we fix these various malware issues?

Anyway, this is what came up as "log.txt"; I don't believe this is the quarantined-files.exe. Oh, and I see I'm supposed to post a new HijackThis log, so I'll post that underneath my ComboFix log.

ComboFix 07-08-17.2 - "default" 2007-08-22 13:55:46.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.255 [GMT -4:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ANNETTE\APPLIC~1\install.dat
C:\DOCUME~1\default\STARTM~1\Programs\Startup.\TA_Start.lnk
C:\Program Files\Common Files\sstem3~1
C:\Program Files\tsks~1
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\DOWNLO~1.\temp
C:\WINDOWS\IA
C:\WINDOWS\start.exe
C:\WINDOWS\system32\aceejrrl.dll
C:\WINDOWS\system32\B1
C:\WINDOWS\system32\cojlkxvp.dll
C:\WINDOWS\system32\cshufccx.dll
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\SYSTEM32\ghhhk.bak1
C:\WINDOWS\SYSTEM32\ghhhk.bak2
C:\WINDOWS\SYSTEM32\ghhhk.ini
C:\WINDOWS\SYSTEM32\ghhhk.ini2
C:\WINDOWS\SYSTEM32\ghhhk.tmp
C:\WINDOWS\system32\grgsdpjn.dll
C:\WINDOWS\system32\ifyykojt.dll
C:\WINDOWS\system32\illbsahx.dll
C:\WINDOWS\system32\jxjnjuus.exe
C:\WINDOWS\system32\khhhg.dll
C:\WINDOWS\SYSTEM32\lrrjeeca.ini
C:\WINDOWS\SYSTEM32\njpdsgrg.ini
C:\WINDOWS\SYSTEM32\pceojobv.ini
C:\WINDOWS\SYSTEM32\pvxkljoc.ini
C:\WINDOWS\system32\qdmpfti.dll
C:\WINDOWS\SYSTEM32\tjokyyfi.ini
C:\WINDOWS\system32\vbojoecp.dll
C:\WINDOWS\system32\windows.scr
C:\WINDOWS\system32\X1
C:\WINDOWS\SYSTEM32\xccfuhsc.ini
C:\WINDOWS\SYSTEM32\xhasblli.ini
C:\WINDOWS\wnsxs~1
C:\WINDOWS\wnsxs~1\W?nSxS\


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-07-22 to 2007-08-22 )))))))))))))))))))))))))))))))


2007-08-22 13:53 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-21 00:43 <DIR> d-------- C:\DOCUME~1\default\APPLIC~1\U3
2007-08-19 15:14 <DIR> d-------- C:\DOCUME~1\default\APPLIC~1\Comodo
2007-08-19 15:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-08-19 15:11 <DIR> d-------- C:\Program Files\Comodo
2007-08-17 16:00 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-16 20:16 1,069,056 --a------ C:\DOCUME~1\NETWOR~1\ntuser.dat
2007-08-16 20:16 1,069,056 --a------ C:\DOCUME~1\LOCALS~1\ntuser.dat
2007-08-15 22:00 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Talkback
2007-08-15 20:19 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-15 20:10 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-08-15 20:10 <DIR> d-------- C:\DOCUME~1\default\APPLIC~1\SUPERAntiSpyware.com
2007-08-15 20:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-15 19:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-15 19:12 1,310,720 --ah----- C:\DOCUME~1\ADMINI~1\ntuser.dat
2007-08-15 18:38 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-08-14 19:16 <DIR> d-------- C:\DOCUME~1\default\APPLIC~1\Yahoo!
2007-08-14 19:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-08-14 02:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\checkdll
2007-08-14 02:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\adll
2007-08-14 02:24 <DIR> d-------- C:\Temp
2007-08-10 08:04 <DIR> d-------- C:\DOCUME~1\default\APPLIC~1\Apple
2007-08-06 21:27 75,440 --a------ C:\DOCUME~1\default\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-08-06 18:41 <DIR> d-------- C:\Program Files\Apple Software Update
2007-08-06 18:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-08-06 12:37 1,156 --a------ C:\WINDOWS\mozver.dat
2007-08-02 15:03 <DIR> d-------- C:\WINDOWS\.jagex_cache_32


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-12 14:44 --------- d-------- C:\Program Files\Yahoo!
2000-10-13 16:56 271 ---hs---- C:\Program Files\desktop.ini
2000-10-13 16:56 23357 ---h----- C:\Program Files\folder.htt


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E6F1D6A-1F20-11D4-8859-00A0CCE26836}]
2001-07-12 09:09 86016 --a------ C:\PROGRAM FILES\SVA PLAYER\SVAPLAYER.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A481104B-580E-40D4-0591-06C48E664D2F}]
C:\Program Files\Accessories\qudanuw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD7A066C-EEDA-8F2E-89AD-EEABDE0250EF}]
C:\WINDOWS\System32\nmvhqay.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-12-18 00:20]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"MRT"="C:\WINDOWS\System32\MRT.exe" [2007-06-28 00:57]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-08-19 15:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM95\aim.exe" [2005-08-05 15:08]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" []
"MSMSGS"="C:\PROGRA~1\MESSEN~1\MSMSGS.exe" [2004-11-15 16:18]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-30 09:47]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-06-11 18:16]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM95\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDUpgrade]
DVDUpgrd.exe /async9x

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunDLL]
rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]
SysTray.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTools]
C:\Program Files\Common files\WinTools\WToolsA.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Microsoft Works Update Detection"=C:\Program Files\Microsoft Works\WkDetect.exe
"zzgshp"=C:\WINDOWS\gshp.vbs
"ClockSync"=C:\Program Files\ClockSync\Sync.exe /q
"ContentService"=C:\WINDOWS\SYSTEM32\winservn.exe
"MSMSGS"=C:\PROGRA~1\MESSEN~1\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PCHealth"=C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
"sp"=regedit -s C:\WINDOWS\sp.dll
"dla"=C:\WINDOWS\system\dla\tfswctrl.exe
"New.net Startup"=rundll32 C:\WINDOWS\NEWDOT~1.DLL,NewDotNetStartup
"devldr16.exe"=C:\WINDOWS\SYSTEM32\DEVLDR16.EXE
"TCASUTIEXE"=TCAUDIAG -off
"LTWinModem1"=ltmsg.exe 9
"LoadQM"=loadqm.exe
"Norton Auto-Protect"=C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
"NAV DefAlert"=C:\PROGRA~1\NORTON~1\DEFALERT.EXE
"SVAPlayer"=C:\Program Files\SVA Player\SVAPLAYER.EXE
"b3dUpdate"=C:\WINDOWS\BDE\Update\Zupdate.EXE -silent -p "C:\WINDOWS\BDE\Update" -s setup.cab
"ScanRegistry"=C:\WINDOWS\scanregw.exe /autorun
"WorksFUD"=C:\Program Files\Microsoft Works\wkfud.exe
"Microsoft Works Portfolio"=C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
"Microsoft Works Update Detection"=C:\Program Files\Microsoft Works\WkDetect.exe
"MULTIMEDIA KEYBOARD"=C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
"Speed racer"=C:\Program Files\Creative\PlayCenter\CTSRReg.exe
"UpdReg"=C:\WINDOWS\Updreg.exe
"CrazyTalk Serve"=rundll32.exe C:\WINDOWS\SYSTEM32\crazytalk.dll,DllServeMediaFile
"HP DLA"="C:\Program Files\HP DLA\dlatray.exe" /t
"AudioHQ"=C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
"SaveNow"=C:\PROGRA~1\SAVENOW\SaveNow.exe
"Tray Temperature"=C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHERBUG.EXE 1
"HP CD-DVD"=C:\Program Files\HP CD-DVD\Umbrella\hpcdtray.exe
"ausvc"=C:\WINDOWS\ausvc.exe
"SysScan"=C:\WINDOWS\bvt.exe
"ABsr"=C:\WINDOWS\absr.exe
"CMESys"="C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
"MMTray"=C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
"MovieNetworks"="C:\Program Files\MovieNetworks\MovieNetworks.exe" /H
"XupiterStartup"=C:\Program Files\Xupiter\XupiterStartup.exe
"MoviePlace"="C:\Program Files\MoviePlace\MoviePlace.exe" /H
"FSW"=C:\Program Files\FSW\FSW.EXE
"SENTRY"=C:\WINDOWS\SENTRY.exe
"gkqftwwm"=C:\WINDOWS\SYSTEM32\gkqftwwm.exe
"WinampAgent"="C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
"RVP"="C:\Program Files\RVP\bpc.exe"
"srng"=\Program Files\Srng\Srng.exe
"EanthologyApp"=C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHO~2.EXE /b Startup
"WebScan"=C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.EXE -k
"VBouncerDL"=C:\Program Files\VBouncer\VBouncerInner1113.exe /S
"QuickTime Task"="C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
"Internat Conf"=\bootconf.exe
"Hidserv"=Hidserv.exe run
"Uninstall0001"="C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.stripsaver.com!StatsStripSaver
"Uninstall0002"="C:\Program Files\Common Files\Totem Shared\Uninstall0002\upd.exe" LASTCALL!adverts.virtuagirl.com!StatsVirtuaGirl

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"Pop-Up Stopper"="C:\Documents and Settings\default\My Documents\Download\GregEchidna\Pop-Up Stopper\dpps2.exe"
"win32app"=C:\WINDOWS\SYSTEM32\winpup32.exe
"POINTER"=point32.exe
"QuickTime Task"="C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
"MSConfigReminder"=C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\MSCONFIG.EXE /reminder

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"SSDPSRV"=C:\WINDOWS\SYSTEM\ssdpsrv.exe
"SchedulingAgent"=mstask.exe


*Newly Created Service* - ALG
*Newly Created Service* - IPNAT

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\^RNA]
rundll rnasetup.dll,installoptionalcomponent rna

Contents of the 'Scheduled Tasks' folder
2007-08-05 03:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job
2007-08-18 00:00:02 C:\WINDOWS\Tasks\Scan for Viruses.job
2007-08-22 18:00:08 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\NDETECT.EXE
2007-08-22 17:24:02 C:\WINDOWS\Tasks\Uninstall Expiration Reminder.job - C:\WINDOWS\System32\OOBE\oobebaln.exe
2007-08-17 12:04:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-22 14:00:16
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-22 14:01:14 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-22 14:01

--- E O F ---


----------(okay, here's the Hijack This log)----------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:37:29 PM, on 8/22/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\AIM95\aim.exe
C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: MediaDir Class - {1E6F1D6A-1F20-11D4-8859-00A0CCE26836} - C:\PROGRAM FILES\SVA PLAYER\SVAPLAYER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: 0 - {A481104B-580E-40D4-0591-06C48E664D2F} - C:\Program Files\Accessories\qudanuw.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {CD7A066C-EEDA-8F2E-89AD-EEABDE0250EF} - C:\WINDOWS\System32\nmvhqay.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MRT] "C:\WINDOWS\System32\MRT.exe" /R
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://business.dellnet.com/ (file missing) (HKCU)
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potg_x.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.soundclick.com/CFIDE/classes/CFJava.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw12fd.law12.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 7099 bytes

#13 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 22 August 2007 - 02:42 PM

Hi,

Please uninstall SVA PLAYER / QuickFlicks Streaming Player because it's unwanted and installs spyware.
http://www.ca.com/securityadvisor/pest/pes...px?id=453073164

Then, open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into Notepad:

Folder::
C:\PROGRAM FILES\SVA PLAYER
C:\WINDOWS\SYSTEM32\checkdll
C:\WINDOWS\SYSTEM32\adll
C:\Temp

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E6F1D6A-1F20-11D4-8859-00A0CCE26836}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A481104B-580E-40D4-0591-06C48E664D2F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD7A066C-EEDA-8F2E-89AD-EEABDE0250EF}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunDLL]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTools]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"zzgshp"=-
"ClockSync"=-
"ContentService"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"sp"=-
"New.net Startup"=-
"SVAPlayer"=-
"b3dUpdate"=-
"CrazyTalk Serve"=-
"SaveNow"=-
"Tray Temperature"=-
"ausvc"=-
"SysScan"=-
"ABsr"=-
"CMESys"=-
"MovieNetworks"=-
"XupiterStartup"=-
"MoviePlace"=-
"FSW"=-
"gkqftwwm"=-
"RVP"=-
"srng"=-
"EanthologyApp"=-
"WebScan"=-
"VBouncerDL"=-
"Uninstall0001"=-
"Uninstall0002"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"win32app"=-


Save this as a .txt file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: dragging the CFScript file onto ComboFix.exe]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
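The request above is to post a fresh HijackThis log after the CFScript run so the helper can confirm the loading points are gone. As an added example, not code from this thread, from ComboFix or from HijackThis, the script below parses the O2 (Browser Helper Object) lines of a HijackThis log, flags entries whose DLL is marked "(file missing)" (a registry loading point left behind after the file itself was deleted, which is exactly what the CFScript's Registry:: section removes), and diffs a before log against an after log. The sample input is copied from the two HijackThis logs posted in this thread; the function and class names are my own.

```python
import re
from dataclasses import dataclass

# Sample input: the O2 (Browser Helper Object) lines from the two HijackThis
# logs posted in this thread, before and after the CFScript run.
HJT_BEFORE = r"""
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: MediaDir Class - {1E6F1D6A-1F20-11D4-8859-00A0CCE26836} - C:\PROGRAM FILES\SVA PLAYER\SVAPLAYER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: 0 - {A481104B-580E-40D4-0591-06C48E664D2F} - C:\Program Files\Accessories\qudanuw.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {CD7A066C-EEDA-8F2E-89AD-EEABDE0250EF} - C:\WINDOWS\System32\nmvhqay.dll (file missing)
"""

HJT_AFTER = r"""
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
"""

# Line shape: "O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]"
# The name or path may themselves contain " - " (see the Spybot entry), so the
# pattern anchors on the CLSID instead of splitting the line on " - ".
ENTRY_RE = re.compile(
    r"^(?P<section>[A-Z]\d{1,2}) - (?P<kind>[^:]+): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - (?P<path>.*)$"
)
MISSING_MARK = " (file missing)"


@dataclass(frozen=True)
class Entry:
    section: str        # HijackThis section code, e.g. "O2"
    kind: str           # entry kind, e.g. "BHO"
    name: str           # display name; "(no name)" when the key has none
    clsid: str          # CLSID, upper-cased so case differences don't break matching
    path: str           # registered DLL path, without the "(file missing)" marker
    file_missing: bool  # True when HijackThis could not find the DLL on disk


def parse_hjt(text: str) -> list[Entry]:
    """Parse CLSID-bearing HijackThis lines (O2/O3/O9 style); other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        path = m.group("path")
        missing = path.endswith(MISSING_MARK)
        if missing:
            path = path[: -len(MISSING_MARK)]
        entries.append(Entry(m.group("section"), m.group("kind"), m.group("name"),
                             m.group("clsid").upper(), path, missing))
    return entries


def orphaned_clsids(entries: list[Entry]) -> list[str]:
    """CLSIDs of loading points whose DLL no longer exists on disk.

    This is the state a file-only cleanup leaves behind: the DLL is gone but the
    registry key that loads it remains, so the key still has to be removed."""
    return sorted(e.clsid for e in entries if e.file_missing)


def diff_loading_points(before: str, after: str) -> tuple[list[str], list[str]]:
    """Return (removed, added) CLSIDs between two logs taken from the same machine."""
    b = {e.clsid for e in parse_hjt(before)}
    a = {e.clsid for e in parse_hjt(after)}
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    print("orphaned before cleanup:", orphaned_clsids(parse_hjt(HJT_BEFORE)))
    removed, added = diff_loading_points(HJT_BEFORE, HJT_AFTER)
    print("removed:", removed)
    print("added:", added)
```

Running it against the two logs shows the three BHO CLSIDs that disappeared between the logs (the SVA Player MediaDir class plus the two orphaned entries), and nothing new appearing, which is the confirmation the helper is asking for. The same diff over the O4 (Run key) lines would catch an entry that a reboot re-created, a common sign that a dropper is still active.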

#14 Exclamation
  • Topic Starter

  • Members
  • 14 posts
  • Location:New York

Posted 22 August 2007 - 04:14 PM

Hiya, I've deleted the SVA Player and put the notepad document into ComboFix. I've got this log posted. Underneath, you'll find the Hijack This post.

-----

ComboFix 07-08-17.2 - "default" 2007-08-22 17:07:52.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.232 [GMT -4:00]
Command switches used :: C:\Documents and Settings\default\Desktop\CFScript.txt
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\PROGRAM FILES\SVA PLAYER
C:\Temp
C:\WINDOWS\SYSTEM32\adll
C:\WINDOWS\SYSTEM32\checkdll


((((((((((((((((((((((((( Files Created from 2007-07-22 to 2007-08-22 )))))))))))))))))))))))))))))))


2007-08-22 13:53 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-21 00:43 <DIR> d-------- C:\DOCUME~1\default\APPLIC~1\U3
2007-08-19 15:14 <DIR> d-------- C:\DOCUME~1\default\APPLIC~1\Comodo
2007-08-19 15:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-08-19 15:11 <DIR> d-------- C:\Program Files\Comodo
2007-08-17 16:00 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-16 20:16 1,069,056 --a------ C:\DOCUME~1\NETWOR~1\ntuser.dat
2007-08-16 20:16 1,069,056 --a------ C:\DOCUME~1\LOCALS~1\ntuser.dat
2007-08-15 22:00 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Talkback
2007-08-15 20:19 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-15 20:10 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-08-15 20:10 <DIR> d-------- C:\DOCUME~1\default\APPLIC~1\SUPERAntiSpyware.com
2007-08-15 20:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-15 19:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-15 19:12 1,310,720 --ah----- C:\DOCUME~1\ADMINI~1\ntuser.dat
2007-08-15 18:38 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-08-14 19:16 <DIR> d-------- C:\DOCUME~1\default\APPLIC~1\Yahoo!
2007-08-14 19:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-08-10 08:04 <DIR> d-------- C:\DOCUME~1\default\APPLIC~1\Apple
2007-08-06 21:27 75,440 --a------ C:\DOCUME~1\default\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-08-06 18:41 <DIR> d-------- C:\Program Files\Apple Software Update
2007-08-06 18:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-08-06 12:37 1,156 --a------ C:\WINDOWS\mozver.dat
2007-08-02 15:03 <DIR> d-------- C:\WINDOWS\.jagex_cache_32


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-12 14:44 --------- d-------- C:\Program Files\Yahoo!
2000-10-13 16:56 271 ---hs---- C:\Program Files\desktop.ini
2000-10-13 16:56 23357 ---h----- C:\Program Files\folder.htt


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-12-18 00:20]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"MRT"="C:\WINDOWS\System32\MRT.exe" [2007-06-28 00:57]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-08-19 15:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM95\aim.exe" [2005-08-05 15:08]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" []
"MSMSGS"="C:\PROGRA~1\MESSEN~1\MSMSGS.exe" [2004-11-15 16:18]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-30 09:47]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-06-11 18:16]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM95\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDUpgrade]
DVDUpgrd.exe /async9x

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]
SysTray.Exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Microsoft Works Update Detection"=C:\Program Files\Microsoft Works\WkDetect.exe
"MSMSGS"=C:\PROGRA~1\MESSEN~1\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PCHealth"=C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
"dla"=C:\WINDOWS\system\dla\tfswctrl.exe
"devldr16.exe"=C:\WINDOWS\SYSTEM32\DEVLDR16.EXE
"TCASUTIEXE"=TCAUDIAG -off
"LTWinModem1"=ltmsg.exe 9
"LoadQM"=loadqm.exe
"Norton Auto-Protect"=C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
"NAV DefAlert"=C:\PROGRA~1\NORTON~1\DEFALERT.EXE
"ScanRegistry"=C:\WINDOWS\scanregw.exe /autorun
"WorksFUD"=C:\Program Files\Microsoft Works\wkfud.exe
"Microsoft Works Portfolio"=C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
"Microsoft Works Update Detection"=C:\Program Files\Microsoft Works\WkDetect.exe
"MULTIMEDIA KEYBOARD"=C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
"Speed racer"=C:\Program Files\Creative\PlayCenter\CTSRReg.exe
"UpdReg"=C:\WINDOWS\Updreg.exe
"HP DLA"="C:\Program Files\HP DLA\dlatray.exe" /t
"AudioHQ"=C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
"HP CD-DVD"=C:\Program Files\HP CD-DVD\Umbrella\hpcdtray.exe
"MMTray"=C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
"SENTRY"=C:\WINDOWS\SENTRY.exe
"WinampAgent"="C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
"QuickTime Task"="C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
"Internat Conf"=\bootconf.exe
"Hidserv"=Hidserv.exe run

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"Pop-Up Stopper"="C:\Documents and Settings\default\My Documents\Download\GregEchidna\Pop-Up Stopper\dpps2.exe"
"POINTER"=point32.exe
"QuickTime Task"="C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
"MSConfigReminder"=C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\MSCONFIG.EXE /reminder

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"SSDPSRV"=C:\WINDOWS\SYSTEM\ssdpsrv.exe
"SchedulingAgent"=mstask.exe


*Newly Created Service* - ALG
*Newly Created Service* - CATCHME
*Newly Created Service* - IPNAT

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\^RNA]
rundll rnasetup.dll,installoptionalcomponent rna

Contents of the 'Scheduled Tasks' folder
2007-08-05 03:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job
2007-08-18 00:00:02 C:\WINDOWS\Tasks\Scan for Viruses.job
2007-08-22 21:08:00 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\NDETECT.EXE
2007-08-22 20:24:02 C:\WINDOWS\Tasks\Uninstall Expiration Reminder.job - C:\WINDOWS\System32\OOBE\oobebaln.exe
2007-08-17 12:04:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-22 17:09:36
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-22 17:10:03
C:\ComboFix-quarantined-files.txt ... 2007-08-22 17:10
C:\ComboFix2.txt ... 2007-08-22 14:01

--- E O F ---

-----------(Hijack This log starts here)------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:13:55 PM, on 8/22/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\AIM95\aim.exe
C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MRT] "C:\WINDOWS\System32\MRT.exe" /R
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://business.dellnet.com/ (file missing) (HKCU)
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potg_x.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.soundclick.com/CFIDE/classes/CFJava.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw12fd.law12.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6798 bytes

#15 miekiemoes (Malware Response Team)

Posted 22 August 2007 - 04:25 PM

Hi,

This looks OK again.

Navigate to and delete the C:\Qoobox folder

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 2.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 2".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.
Also reinstall an antivirus ASAP.

Then let me know how things are now.
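The Add/Remove Programs step above can be checked from the registry instead of by eye. This is an added example, not code from the original post or from BleepingComputer: it reads the standard Uninstall keys that Add/Remove Programs is built from, lists every JRE/J2SE entry, and flags each one older than the newest found (the "older than newest" rule is the example's own assumption; the author's instruction is simply to remove all versions older than the one being installed).

```powershell
# Added example (not from the original post): list the Java Runtime entries
# that Add/Remove Programs shows and flag the ones older than the newest.
# Run from an elevated PowerShell session. The WOW6432Node path only exists
# on 64-bit Windows; on 32-bit systems it is skipped silently.
$uninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Keep entries whose display name marks them as a JRE or J2SE runtime
# (for example "J2SE Runtime Environment 5.0 Update 6").
$javaEntries = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Java|J2SE' -and $_.DisplayVersion } |
    ForEach-Object {
        # DisplayVersion strings such as 1.6.0.20 parse as [version];
        # anything unparseable is treated as 0.0 so it sorts as oldest.
        try   { $parsed = [version]$_.DisplayVersion }
        catch { $parsed = [version]'0.0' }
        [pscustomobject]@{
            DisplayName     = $_.DisplayName
            DisplayVersion  = $_.DisplayVersion
            Version         = $parsed
            UninstallString = $_.UninstallString
        }
    }

if (-not $javaEntries) {
    Write-Output 'No Java Runtime entries found in Add/Remove Programs.'
    return
}

# Highest version present; every other entry is an older runtime that
# should be removed, either via Add/Remove Programs or its UninstallString.
$newest = ($javaEntries | Sort-Object Version -Descending | Select-Object -First 1).Version

$javaEntries |
    Sort-Object Version |
    Select-Object DisplayName, DisplayVersion,
        @{ Name = 'Status'; Expression = {
            if ($_.Version -lt $newest) { 'older - remove' } else { 'newest' } } },
        UninstallString |
    Format-Table -AutoSize
```

The UninstallString column is the same command Add/Remove Programs runs for the Remove button, so it can be used to script the removal once the list has been reviewed.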
