Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Spyware That Has Taken Over My Active Desktop And Awola Anti-spyware


  • This topic is locked This topic is locked
6 replies to this topic

#1 SubSand

SubSand

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:46 AM

Posted 23 September 2007 - 12:33 AM

Hello All,

I placed this in the wrong forum last week, I home someone can help me.

I seem to have a few problems on my PC, no Pop-ups but something has Hi-jacked both my active-desktop and IE 6. IE 6 is un-useable. I also have Awola Anti-spyware message in near the clock. Another that came up today which says it is Window's Security Center says you have been infected with Spyware.

My active desktop has been hi-jacked again, it keeps bringing up a default.htm in the on my desktop. (what I have done for this is created a default.htm with a picture in it. So when the process calls up this default.htm it is something I want to look at.) Will explain more if it makes a difference.

I also have a LoadLibrary Manager error???? It wants me to send an error report.

Here are the steps that I have taken:

1. Cleaned out Temporary internet files in IE6 and Cleared private data in Firefox.

2. Ran Ad-Aware SE (Crashed several times)

3. Ran Spy-Bot Search and Destroy selected all and clicked Fix and repair

4. Rebooted and tried running Ad-Aware SE again and it crashed.

5. Ran Spy-bot again and downloaded Ad-Aware SE and installed fresh copy.

6. Rebooted and ran Ad-Aware SE selected all and quarantined.

6. Reboot and ran Ad-Aware SE again. quarantined again.

7. Ran Norton Anti-Virus cleaned everything.

8. Ran House Call Anti-virus tried to clean.

9. Attempted to run Panda and Bit defender to no avail, since IE has been hi-jacked.

10. Ran McAfee AVERT Stinger. (really can't tell if it is cleaning anything since the log only shows that it started and says that there are 22000 or so clean files.)

11. In the process of purchasing a Software Firewall.

12. Downloaded latest windows security updates.

13. Downloaded and installed Hi-Jack this and ran the application. I will post the log file in another post.

14. Came here hoping for some assistance on understanding the logfile. ( I notice a few things that I do not believe I want to delete.)



Thanks in advance for any assistance you can provide.

Anny assistance would be greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:12:54 PM, on 9/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\qiawpbjj.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Documents and Settings\richard\Application Data\tovap.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\richard\Desktop\stinger.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.indeed.com/
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: qiawpbjj.msdn_hlp - {026B5895-3E8E-49A9-8EEE-B52A326DA962} - C:\WINDOWS\system32\qiawpbjj.dll
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: (no name) - {0FC541FC-F8C0-4B05-8FDC-47FF6A2B181D} - C:\WINDOWS\system32\gebya.dll (file missing)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {1C4BA30C-4C20-4ABB-8081-D37D848C4F29} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {3AACF3B0-3A0F-6BFD-7C75-4DB6793BF3BF} - C:\WINDOWS\system32\ewsom.dll (file missing)
O2 - BHO: (no name) - {454F118F-8868-D6BE-1D12-8A8DC923D49B} - C:\WINDOWS\system32\nnhk.dll (file missing)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {A191A47E-C927-4BC5-AFAF-63850748464D} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {A97C9BA8-D951-4FDE-BCE7-05F42664B9CF} - C:\Program Files\MSN Gaming Zone\hotex4444.dll (file missing)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: (no name) - {EF3446E8-FC32-4E55-9C56-0B8DA015FC10} - C:\WINDOWS\system32\GE.dll
O2 - BHO: (no name) - {fccf5e42-a74a-4c9f-b1d8-0086f2146ffd} - C:\WINDOWS\system32\dsoufat.dll (file missing)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [qmqq] C:\PROGRA~1\COMMON~1\qmqq\qmqqm.exe
O4 - HKCU\..\Run: [Toub] "C:\DOCUME~1\richard\APPLIC~1\MANTEC~1\mmc.exe" -vt yazb
O4 - HKCU\..\Run: [Wgpjbm] "C:\Program Files\Common Files\?icrosoft\?canregw.exe"
O4 - HKCU\..\Run: [Microsft Windows Adapter 5.1.3013] C:\Documents and Settings\richard\Application Data\tovap.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp...302/Coupons.cab
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control) - http://66.121.122.195/wg_webeye.cab
O16 - DPF: {C77FB8C0-8B6D-440E-AC26-2BD39E97E8F2} (SpdTCtl Class) - http://speedtest.adelphia.net/customerdiag...TESTACTIVEX.CAB
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://amgen.webex.com/client/T23SP33EP5/webex/ieatgpc.cab
O20 - AppInit_DLLs: c:\windows\system32\jkklmkj.dll
O20 - Winlogon Notify: dsoufat - dsoufat.dll (file missing)
O20 - Winlogon Notify: gebya - C:\WINDOWS\system32\gebya.dll (file missing)
O20 - Winlogon Notify: tfpatsk - C:\WINDOWS\Cursors\tfpatsk.dll (file missing)
O20 - Winlogon Notify: winlogon - C:\WINDOWS\system32\winlogon.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 10991 bytes


Again any assistance would be greatly appreciated.

BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:46 PM

Posted 23 September 2007 - 02:41 AM

Hi,

Your system is terribly infected. Problem with these infections nowadays is, it causes a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. Reason I am telling this is because when a system is so terribly infected and we try to clean this up manually, the damage that is already present may interfere with our removal attempts.

Before you proceed with the following steps, please do this first..

Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, click the browse button next to it and browse to next file:

C:\WINDOWS\system32\GE.dll

Select it and click ok:
Then click the Send File button below.

Then AFTER you did before...

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.indeed.com/
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: qiawpbjj.msdn_hlp - {026B5895-3E8E-49A9-8EEE-B52A326DA962} - C:\WINDOWS\system32\qiawpbjj.dll
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {0FC541FC-F8C0-4B05-8FDC-47FF6A2B181D} - C:\WINDOWS\system32\gebya.dll (file missing)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {1C4BA30C-4C20-4ABB-8081-D37D848C4F29} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {3AACF3B0-3A0F-6BFD-7C75-4DB6793BF3BF} - C:\WINDOWS\system32\ewsom.dll (file missing)
O2 - BHO: (no name) - {454F118F-8868-D6BE-1D12-8A8DC923D49B} - C:\WINDOWS\system32\nnhk.dll (file missing)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {A191A47E-C927-4BC5-AFAF-63850748464D} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {A97C9BA8-D951-4FDE-BCE7-05F42664B9CF} - C:\Program Files\MSN Gaming Zone\hotex4444.dll (file missing)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: (no name) - {EF3446E8-FC32-4E55-9C56-0B8DA015FC10} - C:\WINDOWS\system32\GE.dll
O2 - BHO: (no name) - {fccf5e42-a74a-4c9f-b1d8-0086f2146ffd} - C:\WINDOWS\system32\dsoufat.dll (file missing)
O4 - HKCU\..\Run: [qmqq] C:\PROGRA~1\COMMON~1\qmqq\qmqqm.exe
O4 - HKCU\..\Run: [Toub] "C:\DOCUME~1\richard\APPLIC~1\MANTEC~1\mmc.exe" -vt yazb
O4 - HKCU\..\Run: [Wgpjbm] "C:\Program Files\Common Files\?icrosoft\?canregw.exe"
O4 - HKCU\..\Run: [Microsft Windows Adapter 5.1.3013] C:\Documents and Settings\richard\Application Data\tovap.exe
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp...302/Coupons.cab
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O20 - AppInit_DLLs: c:\windows\system32\jkklmkj.dll
O20 - Winlogon Notify: dsoufat - dsoufat.dll (file missing)
O20 - Winlogon Notify: gebya - C:\WINDOWS\system32\gebya.dll (file missing)
O20 - Winlogon Notify: tfpatsk - C:\WINDOWS\Cursors\tfpatsk.dll (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then, * Download Combofix to your desktop.
In case you already used Combofix previously, please delete the version you are having and redownload it again, because Combofix is being updated everyday.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt.
Post the contents of this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 SubSand

SubSand
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:46 AM

Posted 30 September 2007 - 07:53 PM

miekiemoes,

Thanks very much for your help, I want to fix this long enought to save a couple of Important files. Once I have done this I will reformat and re-install windows and all my other software.

As you requested all the info is below, if you have any suggestions regarding purchasing software once I have a clean install of windows I am willing to listen.

Thanks again for your help on this issue.





ComboFix 07-09-30.10 - richard 2007-09-30 17:23:56.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1512 [GMT -7:00]
Running from: C:\Documents and Settings\richard\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\Documents and Settings\richard\Start Menu\Programs\Startup\system.exe
C:\Program Files\3721
C:\Program Files\3721\assist\asbar.dll
C:\Program Files\3721\helper.dll
C:\Program Files\Accoona
C:\Program Files\Accoona\ASearchAssist.dll
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\guid.dat
C:\Program Files\amsys\ijl15.dll
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\aconti.exe
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\kvnab.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\settn.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\afdcedfefd.dll
C:\WINDOWS\system32\drivers\alert_icon.gif
C:\WINDOWS\system32\drivers\close_icon.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\header_bg.gif
C:\WINDOWS\system32\drivers\icon_warning.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\secuity_center_logo.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\WinAvXX.exe
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_SMTPDRV


((((((((((((((((((((((((( Files Created from 2007-09-01 to 2007-10-01 )))))))))))))))))))))))))))))))
.

2007-09-30 17:27 16,128 --a------ C:\WINDOWS\764.exe
2007-09-28 11:57 39,424 --a------ C:\WINDOWS\system32\vtr.dll
2007-09-15 20:19 <DIR> d-------- C:\Documents and Settings\richard\Application Data\wsInspector
2007-09-15 20:17 <DIR> d-------- C:\Program Files\Startup Inspector for Windows
2007-09-15 20:12 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-15 16:04 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-09-15 16:02 <DIR> d-------- C:\Documents and Settings\richard\.housecall6.6
2007-09-15 16:01 32,512 --a------ C:\WINDOWS\kvnab.dll
2007-09-15 16:01 26,368 --a------ C:\WINDOWS\kvnab$.exe
2007-09-15 16:01 20,224 --a------ C:\WINDOWS\xadbrk.dll
2007-09-15 12:28 18,432 --a------ C:\WINDOWS\winh32.exe
2007-09-15 00:40 <DIR> d-------- C:\WINDOWS\Google_files
2007-09-15 00:32 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-15 00:30 30,464 --a------ C:\WINDOWS\system32\ace16win.dll
2007-09-15 00:30 25,344 --a------ C:\WINDOWS\pbar.dll
2007-09-15 00:30 21,760 --a------ C:\WINDOWS\flt.dll
2007-09-15 00:30 19,712 --a------ C:\WINDOWS\vxddsk.exe
2007-09-15 00:30 11,264 --a------ C:\WINDOWS\system32\vxddsk.exe
2007-09-14 23:48 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-09-11 12:42 21,504 --a------ C:\WINDOWS\system32\qiawpbjj.dll
2007-09-11 12:42 12 --a------ C:\WINDOWS\system32\gtv_sd.bin
2007-09-10 13:03 428,032 --a------ C:\WINDOWS\system32\AClient.dll
2007-09-08 16:40 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2007-09-08 16:40 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-09-08 16:40 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-09-08 16:40 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-09-03 15:46 <DIR> d-------- C:\Program Files\QuickTime
2007-09-02 18:22 <DIR> d-------- C:\Program Files\SiteAdvisor
2007-09-02 18:22 <DIR> d-------- C:\Documents and Settings\richard\Application Data\SiteAdvisor
2007-09-02 18:22 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-09-02 18:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-09-02 18:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-09-02 12:07 <DIR> d-------- C:\Program Files\GPLGS
2007-09-01 16:41 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-01 16:16 <DIR> d-------- C:\Documents and Settings\richard\Application Data\Awola

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-15 12:08 --------- d-------- C:\Program Files\Symantec AntiVirus
2007-09-15 00:48 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-15 00:48 --------- d-------- C:\Program Files\Sony
2007-09-15 00:32 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-11 12:41 841 --a------ C:\WINDOWS\system32\drivers\perfect_cleaner_header_small.gif
2007-09-11 12:41 811 --a------ C:\WINDOWS\system32\drivers\download_btn.gif
2007-09-11 12:41 746 --a------ C:\WINDOWS\system32\drivers\buy_btn.gif
2007-09-11 12:41 737 --a------ C:\WINDOWS\system32\drivers\logo_bg.gif
2007-09-11 12:41 580 --a------ C:\WINDOWS\system32\drivers\features.gif
2007-09-11 12:41 579 --a------ C:\WINDOWS\system32\drivers\spy_away_header_small.gif
2007-09-11 12:41 567 --a------ C:\WINDOWS\system32\drivers\users_rating.gif
2007-09-11 12:41 5097 --a------ C:\WINDOWS\system32\drivers\spy_away_box_small.jpg
2007-09-11 12:41 4557 --a------ C:\WINDOWS\system32\drivers\perfect_cleaner_box_small.jpg
2007-09-11 12:41 427 --a------ C:\WINDOWS\system32\drivers\4_stars.gif
2007-09-11 12:41 365 --a------ C:\WINDOWS\system32\drivers\5_stars.gif
2007-09-11 12:41 1804 --a------ C:\WINDOWS\system32\drivers\perfect_cleaner_header.gif
2007-09-11 12:41 14484 --a------ C:\WINDOWS\system32\drivers\protect.gif
2007-09-11 12:41 1139 --a------ C:\WINDOWS\system32\drivers\spy_away_header.gif
2007-09-11 12:41 1009 --a------ C:\WINDOWS\system32\drivers\arrow.gif
2007-09-08 12:44 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-09-02 11:09 --------- d-------- C:\Program Files\eMule
2007-08-29 18:00 211456 --a------ C:\Documents and Settings\richard\load.exe
2007-08-23 23:27 492544 --a------ C:\WINDOWS\system32\HtBt.dll
2007-08-23 17:02 543232 --a------ C:\WINDOWS\system32\GE.dll
2007-08-20 14:34 15360 --a------ C:\sysutic.exe
2007-08-20 14:34 15360 --a------ C:\Documents and Settings\richard\Application Data\tovap.exe
2007-08-14 21:11 --------- d-------- C:\Program Files\SoftPortal
2007-08-12 00:48 --------- d-------- C:\Program Files\DAEMON Tools
2007-08-12 00:10 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-12 00:03 --------- d-------- C:\Program Files\Symantec
2007-08-12 00:02 --------- d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-08-09 16:46 2184 --a------ C:\vkve.exe
2007-08-08 14:29 59392 --a------ C:\WINDOWS\mscrypt.dll
2007-08-08 14:29 28160 --a------ C:\kvpd.exe
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-05 12:48 --------- d-------- C:\Documents and Settings\richard\Application Data\eMule
2007-08-04 19:48 --------- d-------- C:\Program Files\PowerISO
2007-08-04 16:33 --------- d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-08-04 15:16 --------- d-------- C:\Program Files\DAEMON Tools SearchBar
2007-08-01 14:02 --------- d-------- C:\Program Files\Common Files\qmqq
2006-02-19 04:28 12288 --a------ C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((( snapshot_2007-09-01_165209.03 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 135,168 2007-09-28 16:06:08 C:\WINDOWS\catchme.exe
----a-r 1,038,336 2007-09-15 07:32:28 C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
----a-r 178,688 2007-09-15 07:32:28 C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
--s-a-w 22,016 2001-05-22 08:00:00 C:\WINDOWS\system32\borlndmm.dll
----a-w 10,752 2003-09-30 23:25:07 C:\WINDOWS\system32\lsp.exe
----a-w 52,764 2007-10-01 00:34:05 C:\WINDOWS\system32\perfc009.dat
----a-w 380,350 2007-10-01 00:34:05 C:\WINDOWS\system32\perfh009.dat
----a-w 195,600 2003-09-30 23:25:12 C:\WINDOWS\system32\q342.exe
----a-w 134,660 2003-09-11 19:41:55 C:\WINDOWS\system32\qiawpbjj.exe
----a-w 844,800 2007-07-23 01:39:27 C:\WINDOWS\system32\swreg.exe
----a-w 252,416 2004-07-11 01:55:38 C:\WINDOWS\system32\wsiShared.dll
----a-w 30,464 2007-09-11 20:02:39 C:\WINDOWS\system32\acespy\systune.exe
----a-w 6,272 2007-07-11 21:37:26 C:\WINDOWS\system32\drivers\AWRTPD.sys
.
----a-w 109,056 2007-07-20 07:47:22 C:\WINDOWS\catchme.exe
----a-w 52,764 2007-09-01 23:38:46 C:\WINDOWS\system32\perfc009.dat
----a-w 380,350 2007-09-01 23:38:46 C:\WINDOWS\system32\perfh009.dat
----a-w 279,552 2007-07-23 01:39:27 C:\WINDOWS\system32\swreg.exe
----a-w 6,272 2007-06-04 22:14:56 C:\WINDOWS\system32\drivers\AWRTPD.sys
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000012-890e-4aac-afd9-eff6954a34dd}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{026B5895-3E8E-49A9-8EEE-B52A326DA962}]
2007-09-30 17:19 21504 --a------ C:\WINDOWS\system32\qiawpbjj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-09-08 12:44]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-03-30 08:42]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 05:21:22]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 08:56:20]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 05:21:22]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 08:56:20]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winlogon]
C:\WINDOWS\system32\winlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\hadjajr.ini

R0 m5288;m5288;C:\WINDOWS\system32\DRIVERS\m5288.sys
R3 EraserUtilDrv10733;EraserUtilDrv10733;\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10733.sys
S3 tj2knd5;Terayon Cable Modem (NDIS);C:\WINDOWS\system32\DRIVERS\tj2knd5.sys
S3 tj2kunic;Terayon Cable Modem (WDM);C:\WINDOWS\system32\DRIVERS\tj2kunic.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-17 21:18:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-30 17:40:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-30 17:42:10 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-30 17:42
C:\ComboFix2.txt ... 2007-09-08 14:06
C:\ComboFix3.txt ... 2007-09-03 12:49
.
--- E O F ---
____________________________________________________________________________________





HIJACK THIS CONTENTS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:47:44 PM, on 9/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: qiawpbjj.msdn_hlp - {026B5895-3E8E-49A9-8EEE-B52A326DA962} - C:\WINDOWS\system32\qiawpbjj.dll
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control) - http://66.121.122.195/wg_webeye.cab
O16 - DPF: {C77FB8C0-8B6D-440E-AC26-2BD39E97E8F2} (SpdTCtl Class) - http://speedtest.adelphia.net/customerdiag...TESTACTIVEX.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://amgen.webex.com/client/T23SP33EP5/webex/ieatgpc.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\hadjajr.ini
O20 - Winlogon Notify: winlogon - C:\WINDOWS\system32\winlogon.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7758 bytes

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:46 PM

Posted 01 October 2007 - 01:13 AM

Hi,

I want to fix this long enought to save a couple of Important files. Once I have done this I will reformat and re-install windows and all my other software.

Why would you fix it first if you're going to format and reinstall anyway? If you're going to format and reinstall, there's no need to fix it first though - You should backup your important files right now as I instructed:

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. Reason I am telling this is because when a system is so terribly infected and we try to clean this up manually, the damage that is already present may interfere with our removal attempts.


If you want to proceed with manual removal, perform next steps please..
If you will format and reinstall Windows anyway, there's no need to perform next steps, because that would only be a waste of your time.

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\hadjajr.ini
C:\WINDOWS\system32\drivers\perfect_cleaner_header_small.gif
C:\WINDOWS\system32\drivers\download_btn.gif
C:\WINDOWS\system32\drivers\buy_btn.gif
C:\WINDOWS\system32\drivers\logo_bg.gif
C:\WINDOWS\system32\drivers\features.gif
C:\WINDOWS\system32\drivers\spy_away_header_small.gif
C:\WINDOWS\system32\drivers\users_rating.gif
C:\WINDOWS\system32\drivers\spy_away_box_small.jpg
C:\WINDOWS\system32\drivers\perfect_cleaner_box_small.jpg
C:\WINDOWS\system32\drivers\4_stars.gif
C:\WINDOWS\system32\drivers\5_stars.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_header.gif
C:\WINDOWS\system32\drivers\protect.gif
C:\WINDOWS\system32\drivers\spy_away_header.gif
C:\WINDOWS\system32\drivers\arrow.gif
C:\Documents and Settings\richard\load.exe
C:\WINDOWS\system32\HtBt.dll
C:\WINDOWS\system32\GE.dll
C:\sysutic.exe
C:\Documents and Settings\richard\Application Data\tovap.exe
C:\vkve.exe
C:\WINDOWS\mscrypt.dll
C:\kvpd.exe
C:\WINDOWS\764.exe
C:\WINDOWS\system32\vtr.dll
C:\WINDOWS\kvnab.dll
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\winh32.exe
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\flt.dll
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\qiawpbjj.dll
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\AClient.dll

Folder::
C:\Program Files\DAEMON Tools SearchBar
C:\Program Files\Common Files\qmqq

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000012-890e-4aac-afd9-eff6954a34dd}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{026B5895-3E8E-49A9-8EEE-B52A326DA962}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winlogon]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=""


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 SubSand

SubSand
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:46 AM

Posted 06 October 2007 - 06:25 PM

Thank you for your help this fixed it. Everything is at a point where I can back things up before I format.

The reason I went through this exercise was because I had so many problems with IE and I could back anything up.

I wanted to get this to the point where I didn't have 30 opening up before I could back something up.

I would not have wasted your time, if I could have backed things up and reformatted in the first place.

I want to thank you for your help on this. I can actually use the PC now and will be backing everything up and reformatting.

Thank you again for all your help. I do appreciate it very much.

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:46 PM

Posted 07 October 2007 - 03:02 AM

Ah, now I understand why you wanted to fix most before :thumbsup:

Glad I could help. :blink:

Please read my Prevention page with lots of info and tips how to prevent this in the future.

Happy Surfing again!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:46 PM

Posted 09 October 2007 - 06:20 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users