
Vonde


22 replies to this topic

#1 leroyinva

leroyinva

  • Members
  • 15 posts

Posted 19 October 2007 - 05:41 PM

I know virtually nothing about removing viruses, etc. Will someone please help me? I downloaded HijackThis and will post the log. Windows Live OneCare will not get rid of this thing. HELP! PLEASE??

Here is the logfile:

Logfile of HijackThis v1.99.1
Scan saved at 6:16:46 PM, on 10/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Leroy\Desktop\HijackThis.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\BigFix\BigFix.exe

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:39:18 PM, on 10/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Leroy\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50245
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://profiles.myspace.com/users/14232939
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\LEROY\Application Data\Mozilla\Profiles\default\twv3ltqe.slt\prefs.js)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {10103318-4D2A-40A3-98B1-4C8337A70D6a} - C:\WINDOWS\system32\clutvjxv.dll (file missing)
O2 - BHO: (no name) - {50CFCEE7-27DC-482A-B72D-701DA6ED1FE4} - C:\WINDOWS\system32\clutvjxv.dll (file missing)
O2 - BHO: (no name) - {537415CE-C3CB-496A-A3A8-0A1F1952B97e} - C:\WINDOWS\system32\clutvjxv.dll (file missing)
O2 - BHO: (no name) - {69998B74-57A0-4651-B0E3-556DF4A89C27} - C:\WINDOWS\system32\uxsxcypi.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {89B2A271-70E6-4AE8-8F9B-AC513B0E2786} - C:\WINDOWS\system32\avifil.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: (no name) - {FECF1259-92B0-4D9E-99FA-1B921B2107Ef} - C:\WINDOWS\system32\uxsxcypi.dll (file missing)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [ktqv] C:\WINDOWS\ktqv.exe
O4 - HKLM\..\Run: [buludgn] C:\WINDOWS\buludgn.exe
O4 - HKLM\..\Run: [ahil] c:\windows\ahil.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P35 "EPSON Stylus CX4200 Series (Copy 1)" /O5 "LPT1:" /M "Stylus CX4200"
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB002" /M "Stylus CX4200"
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB003" /M "Stylus CX4800"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZUxdm053YYUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 11098 bytes



Any help would be greatly appreciated


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 19 October 2007 - 07:09 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, leroyinva.
My name is Richie and I'll be helping you to fix your problems.

Click on Start/Control Panel/Add or Remove Programs and remove/uninstall MyWebSearch, then restart your PC.

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".
This will change from what we know in 2006; read this article:
http://www.clickz.com/news/article.php/3561546

You are well advised to remove the program now.
Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present, then restart your PC:
Viewpoint
Viewpoint Manager
Viewpoint Media Player


If you have previously downloaded ComboFix, please delete that version now.
Now download ComboFix and save it to your desktop:
Note:
It is important that it is saved directly to your desktop.

Close any open browsers.
Double-click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new HijackThis log, please.

#3 leroyinva

leroyinva
  • Topic Starter

  • Members
  • 15 posts

Posted 21 October 2007 - 03:29 PM

ComboFix log



ComboFix 07-10-22.1 - Leroy 2007-10-21 16:10:53.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.149 [GMT -4:00]
Running from: C:\Documents and Settings\Leroy\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\FunWebProducts
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\adtif.ret
C:\WINDOWS\system32\avifil.dll
C:\WINDOWS\system32\bot007dll.dll
C:\WINDOWS\system32\drivers\vqjzdnxy.dat
C:\WINDOWS\system32\drivers\vqjzdnxy.sys
C:\WINDOWS\system32\drivers\xquolhoo.dat
C:\WINDOWS\system32\irclass.uce
C:\WINDOWS\system32\nwapi32.lic

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_BJEXFHGP
-------\ApiMon
-------\bjexfhgp
-------\nm


((((((((((((((((((((((((( Files Created from 2007-09-22 to 2007-10-22 )))))))))))))))))))))))))))))))
.

2007-10-21 16:09 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-21 03:06 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-20 06:27 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-10-20 06:27 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-10-19 14:14 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-10-19 12:54 <DIR> d-------- C:\VundoFix Backups
2007-10-19 11:38 <DIR> d-------- C:\WINDOWS\pss
2007-10-19 11:34 88,008 --a------ C:\WINDOWS\system32\drivers\msfwdrv.sys
2007-10-19 11:33 112,840 --a------ C:\WINDOWS\system32\drivers\msfwhlpr.sys
2007-10-19 11:32 67,784 --a------ C:\WINDOWS\system32\drivers\MpFilter.sys
2007-10-19 11:17 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2007-10-19 11:16 591,632 --a------ C:\WINDOWS\system32\WinSSWebAgent.dll
2007-10-10 02:28 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-09-28 12:58 159,764 --a------ C:\WINDOWS\system32\eudynags.dll
2007-09-27 09:20 4,736 --a------ C:\WINDOWS\system32\drivers\xquolhoo.sys
2007-09-25 15:48 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-09-24 14:24 <DIR> d-------- C:\Documents and Settings\Leroy\Application Data\DivX
2007-09-24 13:58 <DIR> d-------- C:\Program Files\Norton Security Scan
2007-09-24 13:42 <DIR> d-------- C:\Program Files\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-21 19:54 --------- d-----w C:\Program Files\Viewpoint
2007-10-21 19:54 --------- d-----w C:\Documents and Settings\Leroy\Application Data\Viewpoint
2007-10-21 19:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-20 06:09 --------- d-----w C:\Program Files\Toolbar
2007-10-19 21:51 --------- d-----w C:\Program Files\Java
2007-10-19 15:10 --------- d-----w C:\Program Files\Elaborate Bytes
2007-10-19 15:09 --------- d-----w C:\Program Files\SlySoft
2007-10-10 18:21 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-05 21:33 --------- d-----w C:\Documents and Settings\Leroy\Application Data\PC Suite
2007-10-03 21:28 --------- d-----w C:\Documents and Settings\Andrew\Application Data\Viewpoint
2007-10-03 21:17 --------- d-----w C:\Documents and Settings\Andrew\Application Data\PC Suite
2007-09-27 20:58 --------- d-----w C:\Program Files\dvdSanta
2007-09-26 13:17 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-09-26 00:24 --------- d-----w C:\Documents and Settings\Leroy\Application Data\Azureus
2007-09-25 19:48 --------- d-----w C:\Program Files\Common Files\Real
2007-09-25 19:47 --------- d-----w C:\Program Files\Common Files\csshare
2007-09-24 17:56 --------- d-----w C:\Documents and Settings\Leroy\Application Data\MSN6
2007-09-23 14:47 --------- d-----w C:\Documents and Settings\Steve\Application Data\AdobeUM
2007-09-22 00:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2007-09-22 00:35 --------- d-----w C:\Documents and Settings\Leroy\Application Data\Nokia
2007-09-18 17:26 --------- d-----w C:\Program Files\Illustrate
2007-09-18 17:21 --------- d-----w C:\Program Files\DivX
2007-09-18 17:15 --------- d-----w C:\Program Files\Xvid
2007-09-18 16:47 --------- d-----w C:\Program Files\illiminable
2007-09-18 16:11 --------- d-----w C:\Program Files\Nokia
2007-09-18 16:11 --------- d-----w C:\Program Files\Common Files\PCSuite
2007-09-18 16:11 --------- d-----w C:\Program Files\Common Files\Nokia
2007-09-18 16:09 --------- d-----w C:\Program Files\DIFX
2007-09-18 16:08 --------- d-----w C:\Program Files\PC Connectivity Solution
2007-09-18 16:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2007-09-18 04:37 --------- d-----w C:\Program Files\ExtractNow
2007-09-18 01:33 --------- d-----w C:\Program Files\Azureus
2007-09-18 01:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2007-09-18 00:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2007-09-12 11:32 --------- d-----w C:\Documents and Settings\Steve\Application Data\Viewpoint
2007-09-06 19:32 --------- d-----w C:\Program Files\MSXML 4.0
2007-09-06 18:03 --------- d-----w C:\Program Files\Common Files\Viewpoint
2005-12-03 00:51 4 -c--a-w C:\Documents and Settings\Steve\lock.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{10103318-4D2A-40A3-98B1-4C8337A70D6a}]
C:\WINDOWS\system32\clutvjxv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{50CFCEE7-27DC-482A-B72D-701DA6ED1FE4}]
C:\WINDOWS\system32\clutvjxv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{537415CE-C3CB-496A-A3A8-0A1F1952B97e}]
C:\WINDOWS\system32\clutvjxv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69998B74-57A0-4651-B0E3-556DF4A89C27}]
C:\WINDOWS\system32\uxsxcypi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FECF1259-92B0-4D9E-99FA-1B921B2107Ef}]
C:\WINDOWS\system32\uxsxcypi.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 22:42]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2003-12-17 06:40]
"SunKistEM"="C:\Program Files\eMachines Bay Reader\shwiconem.exe" [2004-03-11 18:18]
"LWBMOUSE"="C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe" [2001-03-26 00:35]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-01-23 10:58]
"VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [2003-08-08 19:02]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2003-08-17 22:50]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2003-08-27 12:00]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2003-08-21 19:10]
"ktqv"="C:\WINDOWS\ktqv.exe" []
"buludgn"="C:\WINDOWS\buludgn.exe" []
"ahil"="c:\windows\ahil.exe" []
"EPSON Stylus CX4200 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.exe" [2005-03-07 23:00]
"EPSON Stylus CX4200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.exe" [2005-03-07 23:00]
"EPSON Stylus CX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [2005-02-01 15:00]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-25 15:47]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [2007-10-01 09:53]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
"C:\Program Files\America Online 9.0\AOL.EXE" -b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1106492174\ee\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

R1 MSFWHLPR;MSFWHLPR;C:\WINDOWS\system32\DRIVERS\msfwhlpr.sys
R2 MSFWDrv;MSFWDrv;C:\WINDOWS\system32\DRIVERS\msfwdrv.sys
R2 msfwsvc;OneCare Firewall;"C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe"
R2 OneCareMP;OneCare AntiSpyware and AntiVirus;"C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe"
R3 MpFilter;Microsoft Malware Protection Driver;C:\WINDOWS\system32\DRIVERS\MpFilter.sys
R3 NaiFiltr;NaiFiltr;C:\WINDOWS\system32\DRIVERS\NaiFiltr.sys
S3 A5AGU;D-Link USB Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\A5AGU.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-22 20:23:00 C:\WINDOWS\Tasks\McAfee.com Update Check (WHITEHEAD-Andrew).job"
"2007-10-22 20:22:00 C:\WINDOWS\Tasks\McAfee.com Update Check (WHITEHEAD-Carla).job"
- C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
"2007-10-22 20:20:00 C:\WINDOWS\Tasks\McAfee.com Update Check (WHITEHEAD-Christina).job"
"2007-10-22 20:21:39 C:\WINDOWS\Tasks\McAfee.com Update Check (WHITEHEAD-Leroy).job"
- C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
"2007-10-22 20:23:00 C:\WINDOWS\Tasks\McAfee.com Update Check (WHITEHEAD-Steve).job"
- C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
"2007-10-19 19:00:00 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
"2007-10-21 18:52:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-22 16:20:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-10-22 16:24:28 - machine was rebooted
.
--- E O F ---
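Added example, not part of any post in this thread: a small Python triage script that applies the checks a HijackThis reader does by eye to the logs posted here. The sample lines are copied verbatim from the first HijackThis log above and from the re-check log in the next post. The heuristics (an O2 BHO with no name or a missing DLL, a random-looking lowercase file name in system32 or directly under C:\WINDOWS, an IE search key pointing somewhere other than microsoft.com) are this example's own assumptions about what the entries in this thread look like, not rules from HijackThis or ComboFix, and the name/size thresholds are arbitrary. The `persisting()` function is the check a helper wants after a cleanup pass: run on the two logs, it reports that the three O4 autoruns (ktqv.exe, buludgn.exe, ahil.exe), the orphaned BHO CLSIDs and the websearch.com SearchAssistant key are still listed in the second log, while avifil.dll, which ComboFix deleted, is gone.

```python
"""Heuristic triage of HijackThis log lines (added example, not from this thread)."""
import re
from urllib.parse import urlparse

# Constructed samples: lines copied verbatim from the two HijackThis logs in this thread.
BEFORE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10103318-4D2A-40A3-98B1-4C8337A70D6a} - C:\WINDOWS\system32\clutvjxv.dll (file missing)
O2 - BHO: (no name) - {89B2A271-70E6-4AE8-8F9B-AC513B0E2786} - C:\WINDOWS\system32\avifil.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ktqv] C:\WINDOWS\ktqv.exe
O4 - HKLM\..\Run: [buludgn] C:\WINDOWS\buludgn.exe
O4 - HKLM\..\Run: [ahil] c:\windows\ahil.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
"""

AFTER_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10103318-4D2A-40A3-98B1-4C8337A70D6a} - C:\WINDOWS\system32\clutvjxv.dll (file missing)
O4 - HKLM\..\Run: [ktqv] C:\WINDOWS\ktqv.exe
O4 - HKLM\..\Run: [buludgn] C:\WINDOWS\buludgn.exe
O4 - HKLM\..\Run: [ahil] c:\windows\ahil.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Assumption of this example: 4-10 lowercase letters, no digits and no vendor prefix,
# is what the randomly generated file names in this thread look like.
RANDOM_NAME = re.compile(r"^[a-z]{4,10}\.(?:exe|dll)$")
WINDOWS_ROOT = "c:\\windows"


def parse_line(line):
    """Split one HijackThis entry into (section, body); None for headers and blank lines."""
    m = re.match(r"^(R[0-3]|O\d+|F\d|N\d)\s+-\s+(.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None


def bho_verdict(body):
    """O2 body: 'BHO: <name> - {CLSID} - <dll path> [(file missing)]'."""
    m = re.match(r"BHO:\s+(.*?)\s+-\s+\{[0-9A-Fa-f-]+\}\s+-\s+(.*)$", body)
    if not m:
        return None
    name, target = m.groups()
    missing = target.endswith("(file missing)")
    dll = target.replace("(file missing)", "").strip().rsplit("\\", 1)[-1]
    reasons = []
    if name == "(no name)":
        reasons.append("BHO registered without a name")
    if missing:
        reasons.append("orphaned CLSID: DLL no longer on disk")
    if RANDOM_NAME.match(dll) and "system32" in target.lower():
        reasons.append("random-looking DLL name in system32")
    return reasons


def run_verdict(body):
    # O4 body: 'HKLM\..\Run: [label] <exe path> <args>'; grab the first *.exe path.
    m = re.search(r"([A-Za-z]:\\.*?\.exe)", body, re.IGNORECASE)
    if not m:
        return None
    parent, exe = m.group(1).rsplit("\\", 1)
    reasons = []
    # Vendors install under Program Files; an autorun of a bare exe with a
    # meaningless name directly in C:\WINDOWS is the pattern seen in this thread.
    if parent.lower() == WINDOWS_ROOT and RANDOM_NAME.match(exe.lower()):
        reasons.append("autorun of random-looking exe directly under the Windows directory")
    return reasons


def url_verdict(body):
    """R0/R1 body: '<registry key> = <value>'; only search-related keys are judged."""
    key, sep, value = body.partition(" = ")
    if not sep or "search" not in key.lower():
        return None
    if value.lower().startswith("res://"):
        # Search UI loaded from a DLL: fine for a Windows DLL, not for a third-party toolbar.
        return [] if "\\windows\\" in value.lower() else ["search UI served from a third-party DLL"]
    host = (urlparse(value).hostname or "").lower()
    return [] if host.endswith("microsoft.com") else [f"search redirected to {host}"]


HANDLERS = {"O2": bho_verdict, "O4": run_verdict, "R0": url_verdict, "R1": url_verdict}


def triage(log_text):
    """Return [(entry line, [reasons])] for every entry at least one heuristic objects to."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        section, body = parsed
        handler = HANDLERS.get(section)
        reasons = handler(body) if handler else None
        if reasons:
            findings.append((line.strip(), reasons))
    return findings


def persisting(before_text, after_text):
    """The re-check after a cleanup pass: flagged entries that survived unchanged."""
    still_there = {line for line, _ in triage(after_text)}
    return [line for line, _ in triage(before_text) if line in still_there]


if __name__ == "__main__":
    for line, reasons in triage(BEFORE_LOG):
        print(line, "\n    ->", "; ".join(reasons))
    print("\nStill present after cleanup:")
    for line in persisting(BEFORE_LOG, AFTER_LOG):
        print("   ", line)
```

The point of the second function is that a "(file missing)" BHO or a Run value whose target ComboFix deleted is not harmless: the registry entry is still a loading point and will work again the moment a file of that name reappears, so a helper reads the re-check log for entries that survived, not only for files that were removed.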

#4 leroyinva

leroyinva
  • Topic Starter

  • Members
  • 15 posts

Posted 21 October 2007 - 03:31 PM

New HijackThis log



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:29:46 PM, on 10/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BigFix\BigFix.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Documents and Settings\Leroy\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://profiles.myspace.com/users/14232939
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\LEROY\Application Data\Mozilla\Profiles\default\twv3ltqe.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10103318-4D2A-40A3-98B1-4C8337A70D6a} - C:\WINDOWS\system32\clutvjxv.dll (file missing)
O2 - BHO: (no name) - {50CFCEE7-27DC-482A-B72D-701DA6ED1FE4} - C:\WINDOWS\system32\clutvjxv.dll (file missing)
O2 - BHO: (no name) - {537415CE-C3CB-496A-A3A8-0A1F1952B97e} - C:\WINDOWS\system32\clutvjxv.dll (file missing)
O2 - BHO: (no name) - {69998B74-57A0-4651-B0E3-556DF4A89C27} - C:\WINDOWS\system32\uxsxcypi.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {FECF1259-92B0-4D9E-99FA-1B921B2107Ef} - C:\WINDOWS\system32\uxsxcypi.dll (file missing)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [ktqv] C:\WINDOWS\ktqv.exe
O4 - HKLM\..\Run: [buludgn] C:\WINDOWS\buludgn.exe
O4 - HKLM\..\Run: [ahil] c:\windows\ahil.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P35 "EPSON Stylus CX4200 Series (Copy 1)" /O5 "LPT1:" /M "Stylus CX4200"
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB002" /M "Stylus CX4200"
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB003" /M "Stylus CX4800"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZUxdm053YYUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9173 bytes

#5 leroyinva

leroyinva
  • Topic Starter

  • Members
  • 15 posts

Posted 21 October 2007 - 03:32 PM

Thanks for helping out. I really need the help.

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 21 October 2007 - 03:42 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript to your desktop.

File::
C:\WINDOWS\system32\eudynags.dll
C:\WINDOWS\system32\drivers\xquolhoo.sys
Folder::
C:\Program Files\Toolbar
C:\Program Files\Viewpoint
C:\Documents and Settings\Leroy\Application Data\Viewpoint
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\Andrew\Application Data\Viewpoint
C:\Documents and Settings\Steve\Application Data\Viewpoint
C:\Program Files\Common Files\Viewpoint
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{10103318-4D2A-40A3-98B1-4C8337A70D6a}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{50CFCEE7-27DC-482A-B72D-701DA6ED1FE4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{537415CE-C3CB-496A-A3A8-0A1F1952B97e}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69998B74-57A0-4651-B0E3-556DF4A89C27}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FECF1259-92B0-4D9E-99FA-1B921B2107Ef}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ktqv"=-
"buludgn"=-
"ahil"=-

Now drag and drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply along with a new HijackThis log.
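The CFScript in this post was written by hand from the HijackThis log: the two BHO CLSIDs whose DLL shows "(file missing)" become [-key] deletions, and the three Run values that launch executables straight out of C:\WINDOWS become "name"=- value deletions. As an added illustration that is not part of this thread and not code from HijackThis or ComboFix, the Python below parses O2 and O4 lines from a constructed sample log, flags exactly those two indicators, and renders them in the same Registry:: format. The sample lines, the flagging heuristics and the function names (triage, to_cfscript, exe_path, in_windows_root) are assumptions made for the example; the `\~\` shorthand for the Browser Helper Objects key is copied from the script in this post.

```python
"""Added example, not part of this thread or of HijackThis/ComboFix:
parse HijackThis O2 (BHO) and O4 (Run) lines, flag the two indicators the
helper acted on in this thread, and render them as a ComboFix Registry::
section in the format of the posted CFScript. Heuristics and sample
log lines are constructed for illustration."""
import re
from dataclasses import dataclass

# Constructed sample: legitimate entries mixed with the suspicious ones
# quoted from the HijackThis log earlier in the thread.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {69998B74-57A0-4651-B0E3-556DF4A89C27} - C:\WINDOWS\system32\uxsxcypi.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {FECF1259-92B0-4D9E-99FA-1B921B2107Ef} - C:\WINDOWS\system32\uxsxcypi.dll (file missing)
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ktqv] C:\WINDOWS\ktqv.exe
O4 - HKLM\..\Run: [buludgn] C:\WINDOWS\buludgn.exe
O4 - HKLM\..\Run: [ahil] c:\windows\ahil.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(.*?\.exe)', re.IGNORECASE)

# Full key paths for the two hives HijackThis abbreviates as HKLM/HKCU.
RUN_KEYS = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}


@dataclass
class Finding:
    kind: str    # "bho" or "run"
    detail: str  # CLSID for a BHO, value name for a Run entry
    hive: str    # "HKLM"/"HKCU" for Run entries, "" for BHOs
    reason: str


def exe_path(cmd: str) -> str:
    """Extract the executable from a Run command line, quoted or not ("" if none)."""
    m = EXE_RE.match(cmd.strip())
    return m.group(1) if m else ""


def in_windows_root(path: str) -> bool:
    """True when the executable sits directly in the Windows directory
    (e.g. C:\\WINDOWS\\ktqv.exe) rather than a subfolder such as system32.
    Heuristic assumption: drive-letter layout, directory named WINDOWS or WINNT."""
    parts = path.lower().replace("/", "\\").split("\\")
    return len(parts) == 3 and parts[1] in ("windows", "winnt")


def triage(log_text: str) -> list:
    """Flag file-missing BHOs and Run entries that launch from the Windows root."""
    findings = []
    for line in log_text.splitlines():
        m = O2_RE.match(line)
        if m:
            if m["path"].endswith("(file missing)"):
                findings.append(Finding("bho", m["clsid"], "",
                                        "BHO registered but its DLL is missing"))
            continue
        m = O4_RE.match(line)
        if m:
            path = exe_path(m["cmd"])
            if path and in_windows_root(path):
                findings.append(Finding("run", m["value"], m["hive"],
                                        "autorun launches from Windows root: " + path))
    return findings


def to_cfscript(findings) -> str:
    """Render findings as a ComboFix Registry:: section. The [-key] form and the
    \\~\\ shorthand follow the script posted in this thread; "name"=- deletes one value."""
    out = ["Registry::"]
    for f in findings:
        if f.kind == "bho":
            out.append("[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\" + f.detail + "]")
    for hive in ("HKLM", "HKCU"):
        names = [f.detail for f in findings if f.kind == "run" and f.hive == hive]
        if names:
            out.append("[" + RUN_KEYS[hive] + "]")
            out.extend('"' + n + '"=-' for n in names)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_HJT)
    for f in found:
        print(f"{f.kind:>3}  {f.detail:<42} {f.reason}")
    print()
    print(to_cfscript(found))
```

Run on the constructed sample, the output reproduces the Registry:: block of the posted CFScript for the entries present in this section of the log; the legitimate Java BHO, the PowerDVD and ctfmon autoruns, and the HKUS entry are left alone. The two heuristics are deliberately narrow (a BHO whose DLL no longer exists, and an autorun whose executable lives directly in the Windows directory); anything a real triage flags beyond that still needs a human to confirm before it goes into a script that deletes registry keys.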

#7 leroyinva

leroyinva
  • Topic Starter

  • Members
  • 15 posts

Posted 23 October 2007 - 02:19 PM

ComboFix 07-10-22.1 - Leroy 2007-10-24 14:19:11.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.261 [GMT -4:00]
Running from: C:\Documents and Settings\Leroy\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\Andrew\Application Data\Viewpoint
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBar\alert.xml
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBar\DogEars.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBar\DogEarsList.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBar\GeneralOptions.ini
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBar\Group.1.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBar\Group.2.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBar\Group.3.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBar\Group.4.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBar\Group.5.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBar\Group.6.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBar\Groups.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBar\Opts.AlertOptions.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBar\Opts.ClassicSkinOptions.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBar\Opts.GeneralOptions.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBar\Opts.NonPropogatingOptions.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBar\Pings.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBar\PopupBlacklist.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBar\PopupWhitelist.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBar\SavedAlerts.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBar\SearchHistory.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBar\SitesBlacklist.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBar\SitesWhitelist.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBar\Thumbnails.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBar\ViewBar.ddb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBarV35\DogEars.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBarV35\DogEarsList.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBarV35\GeneralOptions.ini
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBarV35\Group.1.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBarV35\Group.2.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBarV35\Group.3.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBarV35\Group.4.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBarV35\Group.5.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBarV35\Group.6.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBarV35\Groups.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBarV35\Opts.AdvancedOptions.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBarV35\Opts.AlertOptions.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBarV35\Opts.Alerts.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBarV35\Opts.ClassicSkinOptions.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBarV35\Opts.GeneralOptions.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBarV35\Opts.NonPropogatingOptions.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBarV35\Opts.Popups.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBarV35\Opts.Search.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBarV35\Opts.SelectorEditor.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBarV35\Opts.ThemeCustomizer.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBarV35\PopupBlacklist.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBarV35\PopupWhitelist.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBarV35\SavedAlerts.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBarV35\SearchHistory.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBarV35\Selectors.dat
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBarV35\SitesBlacklist.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBarV35\SitesWhitelist.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBarV35\Thumbnails.tdb
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBarV35\Thumbnails\Thumb.11.jpg
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBarV35\Thumbnails\Thumb.13.jpg
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBarV35\Thumbnails\Thumb.2.jpg
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBarV35\Thumbnails\Thumb.3.jpg
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBarV35\Thumbnails\Thumb.5.jpg
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBarV35\Thumbnails\Thumb.7.jpg
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBarV35\Thumbnails\Thumb.9.jpg
C:\Documents and Settings\Andrew\Application Data\Viewpoint\ViewBarV35\ViewBar.ddb
C:\Documents and Settings\Leroy\Application Data\Viewpoint
C:\Documents and Settings\Leroy\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\URLCache.ini
C:\Documents and Settings\Leroy\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\URLCache.ini
C:\Documents and Settings\Leroy\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\URLCache.ini
C:\Documents and Settings\Leroy\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\1007280907.mtx
C:\Documents and Settings\Leroy\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\URLCache.ini
C:\Documents and Settings\Leroy\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\UpdateVersionList_v2.mtx
C:\Documents and Settings\Steve\Application Data\Viewpoint
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBar\alert.xml
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBar\DogEarsList.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBar\GeneralOptions.ini
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBar\Group.1.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBar\Group.2.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBar\Group.3.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBar\Group.4.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBar\Group.5.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBar\Group.6.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBar\Groups.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBar\Opts.AlertOptions.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBar\Opts.ClassicSkinOptions.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBar\Opts.GeneralOptions.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBar\Opts.NonPropogatingOptions.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBar\PopupBlacklist.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBar\PopupWhitelist.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBar\SearchHistory.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBar\SitesBlacklist.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBar\SitesWhitelist.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBar\Thumbnails.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBar\ViewBar.ddb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\alert.xml
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\DogEars.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\DogEarsList.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\GeneralOptions.ini
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\Group.1.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\Group.2.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\Group.3.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\Group.4.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\Group.5.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\Group.6.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\Groups.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\Opts.AdvancedOptions.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\Opts.AlertOptions.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\Opts.Alerts.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\Opts.Bookmarks.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\Opts.ClassicSkinOptions.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\Opts.GeneralOptions.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\Opts.NonPropogatingOptions.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\Opts.PhotoView.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\Opts.Popups.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\Opts.Search.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\Opts.SelectorEditor.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\Opts.ThemeCustomizer.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\Opts.VideoOptions.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\PhotoView\Database\Album.2.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\PhotoView\Database\Album.3.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\PhotoView\Database\Album.4.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\PhotoView\Database\Albums.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\PhotoView\Database\Media.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\PhotoView\Database\PhotoView.ddb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\PhotoView\Database\Roll.2.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\PhotoView\Database\Roll.3.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\PhotoView\Database\Rolls.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\PhotoView\Thumbnails\Media_10.jpg
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\PhotoView\Thumbnails\Media_11.jpg
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\PhotoView\Thumbnails\Media_12.jpg
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\PhotoView\Thumbnails\Media_13.jpg
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\PhotoView\Thumbnails\Media_2.jpg
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\PhotoView\Thumbnails\Media_3.jpg
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\PhotoView\Thumbnails\Media_4.jpg
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\PhotoView\Thumbnails\Media_5.jpg
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\PhotoView\Thumbnails\Media_6.jpg
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\PhotoView\Thumbnails\Media_7.jpg
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\PhotoView\Thumbnails\Media_8.jpg
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\PhotoView\Thumbnails\Media_9.jpg
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\Pings.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\PopupBlacklist.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\PopupWhitelist.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\SavedAlerts.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\SavedAlerts\Channel7.1.xml
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\SearchHistory.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\Selectors.dat
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\SitesBlacklist.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\SitesWhitelist.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\Thumbnails.tdb
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\Thumbnails\Thumb.11.jpg
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\Thumbnails\Thumb.13.jpg
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\Thumbnails\Thumb.2.jpg
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\Thumbnails\Thumb.3.jpg
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\Thumbnails\Thumb.5.jpg
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\Thumbnails\Thumb.7.jpg
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\Thumbnails\Thumb.9.jpg
C:\Documents and Settings\Steve\Application Data\Viewpoint\ViewBarV35\ViewBar.ddb
C:\Documents and Settings\Steve\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\-1241215004.mtx
C:\Documents and Settings\Steve\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\-2109988218.mtj&p2=1&p3=10530724467448031461598826167385&p4=0
C:\Documents and Settings\Steve\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\URLCache.ini
C:\Documents and Settings\Steve\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\-1233786184.mtx
C:\Documents and Settings\Steve\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\-1355542221.mts
C:\Documents and Settings\Steve\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\URLCache.ini
C:\Documents and Settings\Steve\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\323056176.mtj&p2=1&p3=10530724467448031461598826167385&p4=50463258
C:\Documents and Settings\Steve\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\URLCache.ini
C:\Documents and Settings\Steve\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\-76596054.mtj&p2=1&p3=10530724467448031461598826167385&p4=50463258
C:\Documents and Settings\Steve\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\URLCache.ini
C:\Documents and Settings\Steve\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\UpdateVersionList_v2.mtx
C:\Program Files\Common Files\Viewpoint
C:\Program Files\Toolbar
C:\Program Files\Toolbar\gykhxlmu.rmr
C:\Program Files\Toolbar\nzqlihv.wzg
C:\Program Files\Toolbar\rw.wzg
C:\Program Files\Toolbar\TBPS.dat
C:\Program Files\Toolbar\xlmurin.wzg
C:\Program Files\Toolbar\xzxsv.wzg
C:\Program Files\Toolbar\yildhvi.olt
C:\Program Files\Toolbar\yywr.wzg
C:\Program Files\Toolbar\yywsv.wzg
C:\Program Files\Toolbar\zwipvbh.wzg
C:\Program Files\Viewpoint
C:\Program Files\Viewpoint\Viewpoint Toolbar1\barintro.html
C:\Program Files\Viewpoint\Viewpoint Toolbar1\images\about.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar1\images\bar_big.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar1\images\bar_screen.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar1\images\bottom.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar1\images\box.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar1\images\browser_settings.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar1\images\button_signup.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar1\images\congratulations.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar1\images\gr.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar1\images\gray.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar1\images\header_left.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar1\images\header_logo.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar1\images\header_middle.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar1\images\helper.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar1\images\left.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar1\images\lets_get.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar1\images\orange1.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar1\images\privacy.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar1\images\results_you_see.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar1\images\right.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar1\images\s.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar1\images\signup_2.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar1\images\support.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar1\images\text_yell.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar1\images\top_left_bottom.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar1\images\top_left_mid.jpg
C:\Program Files\Viewpoint\Viewpoint Toolbar1\images\top_left_top.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar1\images\top_right_bottom.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar1\images\top_right_mid.jpg
C:\Program Files\Viewpoint\Viewpoint Toolbar1\images\top_right_top.gif
C:\Program Files\Viewpoint\Viewpoint Toolbar1\images\yellow_bot.gif
C:\WINDOWS\system32\drivers\xquolhoo.sys
C:\WINDOWS\system32\eudynags.dll

.
((((((((((((((((((((((((( Files Created from 2007-09-24 to 2007-10-24 )))))))))))))))))))))))))))))))
.

2007-10-21 16:09 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-21 03:06 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-20 06:27 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-10-20 06:27 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-10-19 14:14 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-10-19 12:54 <DIR> d-------- C:\VundoFix Backups
2007-10-19 11:38 <DIR> d-------- C:\WINDOWS\pss
2007-10-19 11:34 88,008 --a------ C:\WINDOWS\system32\drivers\msfwdrv.sys
2007-10-19 11:33 112,840 --a------ C:\WINDOWS\system32\drivers\msfwhlpr.sys
2007-10-19 11:32 67,784 --a------ C:\WINDOWS\system32\drivers\MpFilter.sys
2007-10-19 11:17 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2007-10-19 11:16 591,632 --a------ C:\WINDOWS\system32\WinSSWebAgent.dll
2007-10-10 02:28 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-09-25 15:48 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-09-24 14:24 <DIR> d-------- C:\Documents and Settings\Leroy\Application Data\DivX
2007-09-24 13:58 <DIR> d-------- C:\Program Files\Norton Security Scan
2007-09-24 13:42 <DIR> d-------- C:\Program Files\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-19 21:51 --------- d-----w C:\Program Files\Java
2007-10-19 15:10 --------- d-----w C:\Program Files\Elaborate Bytes
2007-10-19 15:09 --------- d-----w C:\Program Files\SlySoft
2007-10-10 18:21 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-05 21:33 --------- d-----w C:\Documents and Settings\Leroy\Application Data\PC Suite
2007-10-03 21:17 --------- d-----w C:\Documents and Settings\Andrew\Application Data\PC Suite
2007-09-27 20:58 --------- d-----w C:\Program Files\dvdSanta
2007-09-26 13:17 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-09-26 00:24 --------- d-----w C:\Documents and Settings\Leroy\Application Data\Azureus
2007-09-25 19:48 --------- d-----w C:\Program Files\Common Files\Real
2007-09-25 19:47 --------- d-----w C:\Program Files\Common Files\csshare
2007-09-24 17:56 --------- d-----w C:\Documents and Settings\Leroy\Application Data\MSN6
2007-09-23 14:47 --------- d-----w C:\Documents and Settings\Steve\Application Data\AdobeUM
2007-09-22 00:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2007-09-22 00:35 --------- d-----w C:\Documents and Settings\Leroy\Application Data\Nokia
2007-09-18 17:26 --------- d-----w C:\Program Files\Illustrate
2007-09-18 17:21 --------- d-----w C:\Program Files\DivX
2007-09-18 17:15 --------- d-----w C:\Program Files\Xvid
2007-09-18 17:08 10,884,472 ----a-w C:\WINDOWS\system32\SpoonUninstall.exe
2007-09-18 16:47 --------- d-----w C:\Program Files\illiminable
2007-09-18 16:11 --------- d-----w C:\Program Files\Nokia
2007-09-18 16:11 --------- d-----w C:\Program Files\Common Files\PCSuite
2007-09-18 16:11 --------- d-----w C:\Program Files\Common Files\Nokia
2007-09-18 16:09 --------- d-----w C:\Program Files\DIFX
2007-09-18 16:08 --------- d-----w C:\Program Files\PC Connectivity Solution
2007-09-18 16:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2007-09-18 04:37 --------- d-----w C:\Program Files\ExtractNow
2007-09-18 01:33 --------- d-----w C:\Program Files\Azureus
2007-09-18 01:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2007-09-18 00:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2007-09-06 19:32 --------- d-----w C:\Program Files\MSXML 4.0
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 00:26 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-08-21 00:26 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-08-15 22:33 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-08-15 22:33 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-08-15 22:33 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-08-15 22:33 144,704 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-08-15 22:33 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2007-08-15 22:33 120,056 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2007-08-15 22:33 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2007-08-15 22:33 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-08-15 22:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-08-15 22:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-08-15 22:31 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-08-15 22:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-08-15 22:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-08-15 22:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-08-15 22:30 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-08-15 22:30 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-08-15 22:30 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-08-15 22:30 740,442 ----a-w C:\WINDOWS\system32\DivX.dll
2007-08-15 22:30 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 43,352 -c--a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2005-12-03 00:51 4 -c--a-w C:\Documents and Settings\Steve\lock.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 22:42]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2003-12-17 06:40]
"SunKistEM"="C:\Program Files\eMachines Bay Reader\shwiconem.exe" [2004-03-11 18:18]
"LWBMOUSE"="C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe" [2001-03-26 00:35]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-01-23 10:58]
"VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [2003-08-08 19:02]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2003-08-17 22:50]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2003-08-27 12:00]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2003-08-21 19:10]
"EPSON Stylus CX4200 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.exe" [2005-03-07 23:00]
"EPSON Stylus CX4200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.exe" [2005-03-07 23:00]
"EPSON Stylus CX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [2005-02-01 15:00]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-25 15:47]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [2007-10-01 09:53]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
"C:\Program Files\America Online 9.0\AOL.EXE" -b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1106492174\ee\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

R1 MSFWHLPR;MSFWHLPR;C:\WINDOWS\system32\DRIVERS\msfwhlpr.sys
R2 MSFWDrv;MSFWDrv;C:\WINDOWS\system32\DRIVERS\msfwdrv.sys
R2 msfwsvc;OneCare Firewall;"C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe"
R2 OneCareMP;OneCare AntiSpyware and AntiVirus;"C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe"
R3 MpFilter;Microsoft Malware Protection Driver;C:\WINDOWS\system32\DRIVERS\MpFilter.sys
R3 NaiFiltr;NaiFiltr;C:\WINDOWS\system32\DRIVERS\NaiFiltr.sys
S3 A5AGU;D-Link USB Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\A5AGU.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-24 19:13:01 C:\WINDOWS\Tasks\McAfee.com Update Check (WHITEHEAD-Andrew).job"
"2007-10-24 19:17:00 C:\WINDOWS\Tasks\McAfee.com Update Check (WHITEHEAD-Carla).job"
- C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
"2007-10-24 19:15:01 C:\WINDOWS\Tasks\McAfee.com Update Check (WHITEHEAD-Christina).job"
"2007-10-24 19:16:00 C:\WINDOWS\Tasks\McAfee.com Update Check (WHITEHEAD-Leroy).job"
- C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
"2007-10-24 19:13:03 C:\WINDOWS\Tasks\McAfee.com Update Check (WHITEHEAD-Steve).job"
- C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
"2007-10-19 19:00:00 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
"2007-10-24 18:52:05 C:\WINDOWS\Tasks\Symantec NetDetect.job"
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-24 14:22:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-24 15:18:01
C:\ComboFix2.txt ... 2007-10-22 16:24
.
--- E O F ---

#8 leroyinva (Topic Starter)

Posted 23 October 2007 - 02:21 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:20:36 PM, on 10/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Leroy\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://profiles.myspace.com/users/14232939
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\LEROY\Application Data\Mozilla\Profiles\default\twv3ltqe.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P35 "EPSON Stylus CX4200 Series (Copy 1)" /O5 "LPT1:" /M "Stylus CX4200"
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB002" /M "Stylus CX4200"
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB003" /M "Stylus CX4800"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZUxdm053YYUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8634 bytes

#9 RichieUK (Malware Response Team)

Posted 23 October 2007 - 03:43 PM

Download/install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZUxdm053YYUS
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe (file missing)

Exit HijackThis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.


Please run the F-Secure online virus/spyware scan using Internet Explorer:
http://support.f-secure.com/enu/home/ols.shtml
Follow the directions in the F-Secure page for proper Installation.
Accept the License Agreement.
Once the ActiveX installs, click ‘Custom Scan’ and be sure the following are checked:
1. Scan whole System
2. Scan all files
3. Scan whole system for rootkits
4. Scan whole system for spyware
5. Scan inside archives
6. Use advanced heuristics
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the ‘I want to decide item by item’ button.
For each item found, select ‘Disinfect’ and click ‘Next’.
Click the ‘Show Report’ button, then copy and paste the entire report into your next reply.


Also post a new HijackThis log, and let me know how your PC is running now.
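As an added example (not part of this thread, and not HijackThis or any BleepingComputer tool), here is a small Python triage that applies the kind of checks RichieUK applied by hand to the log above: IE search keys pointing off Microsoft hosts, orphaned R3/O9 entries, and O8 context-menu items calling a known toolbar domain. The allowlist, the adware domain list and the sample log lines are constructed assumptions for this example.

```python
"""Triage a HijackThis log: flag the entry types a malware-response helper
would normally ask the poster to fix.  Added example, not a HijackThis or
BleepingComputer tool; the heuristics and host lists are assumptions."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis log posted in this
# thread, plus a few clean entries so the triage has something to leave alone.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZUxdm053YYUS
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
""".strip()

# Assumed allowlist: hosts that IE's own search-related R0/R1 keys legitimately
# point to (Microsoft redirectors and the built-in res:// resource DLLs).
MS_SEARCH_HOSTS = {"go.microsoft.com", "www.microsoft.com", "search.msn.com",
                   "ieframe.dll", "shdoclc.dll"}
# Assumed denylist: the toolbar/adware domains that appear in this thread's logs.
ADWARE_DOMAINS = ("websearch.com", "mywebsearch.com")
# IE registry values that control searching; browser hijackers rewrite these.
SEARCH_KEYS = {"SearchAssistant", "CustomizeSearch", "Search Page",
               "Default_Search_URL", "SearchURL"}


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def _host(url: str) -> str:
    return urlparse(url.strip()).netloc.lower()


def _on_adware_domain(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in ADWARE_DOMAINS)


def triage(log_text: str) -> list[Finding]:
    """Return the log lines worth fixing, with the reason each was flagged."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"^([RNFO]\d+) - (.*)$", line)
        if not m:
            continue  # process list, headers, blank lines
        code, body = m.groups()
        if code in ("R0", "R1") and " = " in body:
            # "HKLM\...\Main,SearchAssistant = http://..." -> key and value
            key_part, value = body.split(" = ", 1)
            key = key_part.rsplit(",", 1)[-1]
            host = _host(value)
            if key in SEARCH_KEYS and host not in MS_SEARCH_HOSTS:
                findings.append(Finding(line, f"IE search setting '{key}' points at {host or value!r}"))
        elif code == "R3" and body.endswith("(no file)"):
            findings.append(Finding(line, "URLSearchHook whose DLL is gone (orphaned hijack hook)"))
        elif code == "O8":
            url = body.rsplit(" - ", 1)[-1]
            if _on_adware_domain(_host(url)):
                findings.append(Finding(line, f"context-menu item calls toolbar/adware domain {_host(url)}"))
        elif code == "O9" and body.endswith("(file missing)"):
            findings.append(Finding(line, "IE button/menu item whose target no longer exists"))
    return findings


def fix_list(log_text: str) -> list[str]:
    """Just the flagged lines, in log order, ready to tick in HijackThis 'Fix checked'."""
    return [f.line for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run against the sample, the five lines it returns are exactly the five RichieUK asked to have fixed; the Start Page, the Microsoft search redirector and the Java entries are left alone.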

#10 leroyinva (Topic Starter)

Posted 25 October 2007 - 12:14 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/25/2007 at 08:46 PM

Application Version : 3.9.1008

Core Rules Database Version : 3329
Trace Rules Database Version: 1330

Scan type : Complete Scan
Total Scan Time : 01:11:21

Memory items scanned : 442
Memory threats detected : 0
Registry items scanned : 5364
Registry threats detected : 14
File items scanned : 41540
File threats detected : 40

Spyware.WebSearch (WinTools/Huntbar)
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#DeviceDesc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinTools_ESIES
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinTools_ESIES#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinTools_ESIES#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinTools_ESIES#Publisher
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinTools_ESIES#URLInfoAbout

Adware.Tracking Cookie
C:\Documents and Settings\Andrew\Cookies\andrew@2o7[1].txt
C:\Documents and Settings\Andrew\Cookies\andrew@ad.yieldmanager[2].txt
C:\Documents and Settings\Andrew\Cookies\andrew@advertising[1].txt
C:\Documents and Settings\Andrew\Cookies\andrew@atdmt[2].txt
C:\Documents and Settings\Andrew\Cookies\andrew@atwola[1].txt
C:\Documents and Settings\Andrew\Cookies\andrew@burstnet[1].txt
C:\Documents and Settings\Andrew\Cookies\andrew@casalemedia[1].txt
C:\Documents and Settings\Andrew\Cookies\andrew@data1.perf.overture[1].txt
C:\Documents and Settings\Andrew\Cookies\andrew@doubleclick[1].txt
C:\Documents and Settings\Andrew\Cookies\andrew@fastclick[2].txt
C:\Documents and Settings\Andrew\Cookies\andrew@focalex[1].txt
C:\Documents and Settings\Andrew\Cookies\andrew@icc.intellisrv[2].txt
C:\Documents and Settings\Andrew\Cookies\andrew@image.masterstats[1].txt
C:\Documents and Settings\Andrew\Cookies\andrew@interclick[2].txt
C:\Documents and Settings\Andrew\Cookies\andrew@media.fastclick[1].txt
C:\Documents and Settings\Andrew\Cookies\andrew@mediaplex[1].txt
C:\Documents and Settings\Andrew\Cookies\andrew@mywebsearch[2].txt
C:\Documents and Settings\Andrew\Cookies\andrew@perf.overture[1].txt
C:\Documents and Settings\Andrew\Cookies\andrew@statcounter[2].txt
C:\Documents and Settings\Andrew\Cookies\andrew@tribalfusion[2].txt
C:\Documents and Settings\Andrew\Cookies\andrew@www.burstbeacon[2].txt
C:\Documents and Settings\Andrew\Cookies\andrew@www.entrepreneur[1].txt
C:\Documents and Settings\Steve\Cookies\steve@2o7[1].txt
C:\Documents and Settings\Steve\Cookies\steve@ads.web.aol[1].txt
C:\Documents and Settings\Steve\Cookies\steve@advertising[2].txt
C:\Documents and Settings\Steve\Cookies\steve@ar.atwola[1].txt
C:\Documents and Settings\Steve\Cookies\steve@atdmt[1].txt
C:\Documents and Settings\Steve\Cookies\steve@atdmt[2].txt
C:\Documents and Settings\Steve\Cookies\steve@atwola[1].txt
C:\Documents and Settings\Steve\Cookies\steve@doubleclick[1].txt
C:\Documents and Settings\Steve\Cookies\steve@doubleclick[2].txt
C:\Documents and Settings\Steve\Cookies\steve@imrworldwide[2].txt
C:\Documents and Settings\Steve\Cookies\steve@mediaplex[2].txt
C:\Documents and Settings\Steve\Cookies\steve@mywebsearch[1].txt
C:\Documents and Settings\Steve\Cookies\steve@mywebsearch[2].txt
C:\Documents and Settings\Steve\Cookies\steve@revsci[2].txt
C:\Documents and Settings\Steve\Cookies\steve@sexsearchcom[2].txt
C:\Documents and Settings\Steve\Cookies\steve@wt.sexsearch[1].txt
C:\Documents and Settings\Steve\Cookies\steve@www.sexsearchcom[2].txt

Trojan.Downloader-Crew
C:\SYSTEM VOLUME INFORMATION\_RESTORE{404043AC-9D15-419E-BEE6-189397015038}\RP915\A0524339.DLL

#11 RichieUK (Malware Response Team)

Posted 25 October 2007 - 02:29 PM

Thanks, now follow the F-Secure online virus/spyware scan instructions please.

#12 leroyinva (Topic Starter)

Posted 25 October 2007 - 06:03 PM

Scanning Report
Friday, October 26, 2007 13:31:28 - 18:34:59

Computer name: WHITEHEAD
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\
Result: 29 malware found
FizzleBar (spyware)

* System (Disinfected)

GAIN (spyware)

* System (Disinfected)

IBIS Toolbar (spyware)

* System (Disinfected)

Rootkit.Win32.Agent.li (virus)

* C:\qoobox\Quarantine\catchme2007-10-22_161901.82.zip\vqjzdnxy.dat

Rootkit.Win32.Agent.lk (virus)

* C:\qoobox\Quarantine\catchme2007-10-22_161901.82.zip\xquolhoo.dat

Toolbar.Softo (spyware)

* System

Trojan-Downloader.Java.OpenStream.y (virus)

* C:\Documents and Settings\Leroy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-593ebb39-696e2c90.class (Renamed & Submitted)

Trojan.Win32.BHO.gy (virus)

* C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\vqjzdnxy.sys.vir (Renamed & Submitted)

Vundo.gen38 (virus)

* C:\WINDOWS\system32\dixkwquq.ini (Submitted)
* C:\WINDOWS\system32\tnoxtoas.ini (Submitted)

Vundo.gen39 (virus)

* C:\WINDOWS\system32\bessdrdl.ini (Submitted)
* C:\WINDOWS\system32\bivcbtsv.ini (Submitted)
* C:\WINDOWS\system32\cixumudo.ini (Submitted)
* C:\WINDOWS\system32\gbdnnnnh.ini (Submitted)
* C:\WINDOWS\system32\jmncimmf.ini (Submitted)
* C:\WINDOWS\system32\kxirpysj.ini (Submitted)
* C:\WINDOWS\system32\lpbtbsaq.ini (Submitted)
* C:\WINDOWS\system32\lpxlokcr.ini (Submitted)
* C:\WINDOWS\system32\ocyhlkfu.ini (Submitted)
* C:\WINDOWS\system32\pquvtuec.ini (Submitted)
* C:\WINDOWS\system32\qhustrav.ini (Submitted)
* C:\WINDOWS\system32\ruqwwdqs.ini (Submitted)
* C:\WINDOWS\system32\rytfgulr.ini (Submitted)

Vundo.gen45 (virus)

* C:\WINDOWS\system32\rbyvvarl.ini (Submitted)
* C:\WINDOWS\system32\rbyvvarl.tmp (Submitted)
* C:\WINDOWS\system32\svixexdd.ini (Submitted)

W32/BHO.QG (virus)

* C:\qoobox\Quarantine\catchme2007-10-22_161901.82.zip\avifil.dll

W32/Malware.AXCV (virus)

* C:\qoobox\Quarantine\C\WINDOWS\system32\adtif.ret.vir (Submitted)
* C:\qoobox\Quarantine\C\WINDOWS\system32\bot007dll.dll.vir (Submitted)

Statistics
Scanned:

* Files: 177842
* System: 5153
* Not scanned: 187

Actions:

* Disinfected: 3
* Renamed: 2
* Deleted: 0
* None: 24
* Submitted: 22

Files not scanned:

* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\Temp\mcu10.tmp\vsoins.cab\vsoins.ui\countries.js
* C:\WINDOWS\Temp\mcu10.tmp\vsoins.ui\countries.js
* C:\WINDOWS\SYSTEM32\AVIFIL.1
* C:\WINDOWS\SYSTEM32\BIOS1.ROM
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
* C:\WINDOWS\SYSTEM32\CATROOT2\EDB.LOG
* C:\WINDOWS\SYSTEM32\CATROOT2\TMP.EDB
* bios1.rom
* C:\VUNDOFIX BACKUPS\FEKDIVIW.DLL.BAD
* C:\VUNDOFIX BACKUPS\JPHEFCCY.DLL.BAD
* C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DRIVERS\XQUOLHOO.SYS.VIR
* C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\MYWEBSEARCH\BAR\HISTORY\SEARCH2.VIR
* C:\PROGRAM FILES\TOOLBAR(2)\YILDHVI.OLT
* C:\PROGRAM FILES\TOOLBAR(2)\CURSORS(2)\CURSORS.XML
* C:\PROGRAM FILES\NETSCAPE\NETSCAPE 6\PLUGINS\NPZANGO.DLL
* C:\PROGRAM FILES\MICROSOFT WINDOWS ONECARE LIVE\DATABASE\EDB.LOG
* C:\PROGRAM FILES\MICROSOFT WINDOWS ONECARE LIVE\DATABASE\TMP.EDB
* C:\Program Files\McAfee.com\Agent\Uninst\screm.ui\agntcons.vbs
* C:\PROGRAM FILES\COMMON FILES\CSSHARE\PLUGINS0942\NPZANGO.DLL
* C:\PROGRAM FILES\AHEAD\INCD\DMA.BIN
* C:\PROGRAM FILES\AHEAD\INCD\GAA.BIN
* C:\PROGRAM FILES\AHEAD\INCD\LGC.BIN
* C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\NTUSER.DAT
* C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
* C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\NTUSER.DAT
* C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
* C:\DOCUMENTS AND SETTINGS\LEROY\NTUSER.DAT
* C:\DOCUMENTS AND SETTINGS\LEROY\RECENT\09 - KANYE WEST - FLASHING LIGHTS (FT. DWELE).LNK
* C:\DOCUMENTS AND SETTINGS\LEROY\MY DOCUMENTS\AZUREUS DOWNLOADS\[KUNG_FU]_BRUCE LEE'S FIGHTING METHOD (TED WONG & RICHARD BUSTILLO) - RMVB\READ ME FIRST - UPDATED 22072007.TXT
* C:\DOCUMENTS AND SETTINGS\LEROY\MY DOCUMENTS\AZUREUS DOWNLOADS\[KUNG_FU]_BRUCE LEE'S FIGHTING METHOD (TED WONG & RICHARD BUSTILLO) - RMVB\[KUNG_FU]_BRUCE LEE'S FIGHTING METHOD (TED WONG & RICHARD BUSTILLO) - RMVB.RMVB
* C:\DOCUMENTS AND SETTINGS\LEROY\MY DOCUMENTS\AZUREUS DOWNLOADS\WAR 2\WAR 2.AVI
* C:\DOCUMENTS AND SETTINGS\LEROY\MY DOCUMENTS\AZUREUS DOWNLOADS\SCRUBS\SEASON 06\SCRUBS.601.PDTV-LOL.AVI
* C:\DOCUMENTS AND SETTINGS\LEROY\MY DOCUMENTS\AZUREUS DOWNLOADS\SCRUBS\SEASON 06\SCRUBS.602.PDTV.XVID.NOTV.AVI
* C:\DOCUMENTS AND SETTINGS\LEROY\MY DOCUMENTS\AZUREUS DOWNLOADS\SCRUBS\SEASON 06\SCRUBS.603.PDTV.XVID.NOTV.AVI
* C:\DOCUMENTS AND SETTINGS\LEROY\MY DOCUMENTS\AZUREUS DOWNLOADS\SCRUBS\SEASON 06\SCRUBS.604.PDTV.XVID.NOTV.AVI
* C:\DOCUMENTS AND SETTINGS\LEROY\MY DOCUMENTS\AZUREUS DOWNLOADS\SCRUBS\SEASON 06\SCRUBS.605.PDTV.XVID.NOTV.AVI
* C:\DOCUMENTS AND SETTINGS\LEROY\MY DOCUMENTS\AZUREUS DOWNLOADS\SCRUBS\SEASON 06\SCRUBS.606.PDTV.XVID.NOTV.AVI
* C:\DOCUMENTS AND SETTINGS\LEROY\MY DOCUMENTS\AZUREUS DOWNLOADS\SCRUBS\SEASON 06\SCRUBS.611.PDTV-LOL.AVI
* C:\DOCUMENTS AND SETTINGS\LEROY\MY DOCUMENTS\AZUREUS DOWNLOADS\SCRUBS\SEASON 06\SCRUBS.612.PDTV.XVID.NOTV.AVI
* C:\DOCUMENTS AND SETTINGS\LEROY\MY DOCUMENTS\AZUREUS DOWNLOADS\SCRUBS\SEASON 06\SCRUBS.615.PDTV-LOL.AVI
* C:\DOCUMENTS AND SETTINGS\LEROY\MY DOCUMENTS\AZUREUS DOWNLOADS\SCRUBS\SEASON 06\SCRUBS.618.PDTV-LOL.AVI
* C:\DOCUMENTS AND SETTINGS\LEROY\MY DOCUMENTS\AZUREUS DOWNLOADS\SCRUBS\SEASON 06\SCRUBS.621-22.PDTV-LOL.AVI
* C:\DOCUMENTS AND SETTINGS\LEROY\MY DOCUMENTS\AZUREUS DOWNLOADS\SCRUBS\SEASON 06\SCRUBS.S06E07.PDTV.XVID-XOR.AVI
* C:\DOCUMENTS AND SETTINGS\LEROY\MY DOCUMENTS\AZUREUS DOWNLOADS\SCRUBS\SEASON 06\SCRUz

Options
Scanning engines:

* F-Secure AVP: 7.0.171, 2007-10-25
* F-Secure Blacklight: 1.0.64
* F-Secure Draco: 1.0.35, 0597-150-72
* F-Secure Libra: 2.4.2, 2007-10-25
* F-Secure Orion: 1.2.37, 2007-10-25
* F-Secure Pegasus: 1.19.0, 2007-09-18

Scanning options:

* Scan all files
* Scan inside archives
* Use Advanced heuristics


#13 RichieUK (Malware Response Team)

Posted 25 October 2007 - 06:16 PM

Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths inside the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\WINDOWS\system32\dixkwquq.ini
C:\WINDOWS\system32\tnoxtoas.ini
C:\WINDOWS\system32\bessdrdl.ini
C:\WINDOWS\system32\bivcbtsv.ini
C:\WINDOWS\system32\cixumudo.ini
C:\WINDOWS\system32\gbdnnnnh.ini
C:\WINDOWS\system32\jmncimmf.ini
C:\WINDOWS\system32\kxirpysj.ini
C:\WINDOWS\system32\lpbtbsaq.ini
C:\WINDOWS\system32\lpxlokcr.ini
C:\WINDOWS\system32\ocyhlkfu.ini
C:\WINDOWS\system32\pquvtuec.ini
C:\WINDOWS\system32\qhustrav.ini
C:\WINDOWS\system32\ruqwwdqs.ini
C:\WINDOWS\system32\rytfgulr.ini
C:\WINDOWS\system32\rbyvvarl.ini
C:\WINDOWS\system32\rbyvvarl.tmp
C:\WINDOWS\system32\svixexdd.ini
C:\PROGRAM FILES\NETSCAPE\NETSCAPE 6\PLUGINS\NPZANGO.DLL
C:\PROGRAM FILES\COMMON FILES\CSSHARE\PLUGINS0942\NPZANGO.DLL

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.

Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

Also post a new HijackThis log, and let me know how your PC is running now.

#14 leroyinva (Topic Starter)

Posted 25 October 2007 - 06:31 PM

C:\WINDOWS\system32\dixkwquq.ini moved successfully.
C:\WINDOWS\system32\tnoxtoas.ini moved successfully.
C:\WINDOWS\system32\bessdrdl.ini moved successfully.
C:\WINDOWS\system32\bivcbtsv.ini moved successfully.
C:\WINDOWS\system32\cixumudo.ini moved successfully.
C:\WINDOWS\system32\gbdnnnnh.ini moved successfully.
C:\WINDOWS\system32\jmncimmf.ini moved successfully.
C:\WINDOWS\system32\kxirpysj.ini moved successfully.
C:\WINDOWS\system32\lpbtbsaq.ini moved successfully.
C:\WINDOWS\system32\lpxlokcr.ini moved successfully.
C:\WINDOWS\system32\ocyhlkfu.ini moved successfully.
C:\WINDOWS\system32\pquvtuec.ini moved successfully.
C:\WINDOWS\system32\qhustrav.ini moved successfully.
C:\WINDOWS\system32\ruqwwdqs.ini moved successfully.
C:\WINDOWS\system32\rytfgulr.ini moved successfully.
C:\WINDOWS\system32\rbyvvarl.ini moved successfully.
C:\WINDOWS\system32\rbyvvarl.tmp moved successfully.
C:\WINDOWS\system32\svixexdd.ini moved successfully.
LoadLibrary failed for C:\PROGRAM FILES\NETSCAPE\NETSCAPE 6\PLUGINS\NPZANGO.DLL
C:\PROGRAM FILES\NETSCAPE\NETSCAPE 6\PLUGINS\NPZANGO.DLL NOT unregistered.
C:\PROGRAM FILES\NETSCAPE\NETSCAPE 6\PLUGINS\NPZANGO.DLL moved successfully.
LoadLibrary failed for C:\PROGRAM FILES\COMMON FILES\CSSHARE\PLUGINS0942\NPZANGO.DLL
C:\PROGRAM FILES\COMMON FILES\CSSHARE\PLUGINS0942\NPZANGO.DLL NOT unregistered.
C:\PROGRAM FILES\COMMON FILES\CSSHARE\PLUGINS0942\NPZANGO.DLL moved successfully.

Created on 10/26/2007 19:30:17

#15 leroyinva (Topic Starter)

Posted 25 October 2007 - 06:32 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:31:34 PM, on 10/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Documents and Settings\Leroy\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://profiles.myspace.com/users/14232939
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\LEROY\Application Data\Mozilla\Profiles\default\twv3ltqe.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P35 "EPSON Stylus CX4200 Series (Copy 1)" /O5 "LPT1:" /M "Stylus CX4200"
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB002" /M "Stylus CX4200"
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB003" /M "Stylus CX4800"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8518 bytes
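Added example, not part of the poster's log and not code from HijackThis or BleepingComputer: a small Python script that parses the O2 / O4 / O20 / O23 lines of a HijackThis v1.99.1 log and applies a few triage heuristics a helper would otherwise apply by eye. The sample log lines are constructed to match the line shapes in the post; the final O4 line (an svchost.exe launching from a Temp folder) is invented purely to exercise the path check and does not appear in this poster's log. The rules only mark entries worth looking up: "Unknown owner" means HijackThis found no vendor string, not that the file is bad, and two resident AV products (the poster's log shows both McAfee mcshield.exe and OneCare MsMpEng.exe running) is a conflict to resolve, not an infection.

```python
"""Parse HijackThis O-lines and flag entries worth a closer look.
Added example; heuristics are prompts for a human, not verdicts."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input. Line shapes follow the HijackThis v1.99.1 format
# in the post; the last O4 line is invented to trigger the Temp-folder rule.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\Someone\Local Settings\Temp\svchost.exe
End of file - 1234 bytes
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
O4_REG = re.compile(r"^(HK\S+?)\\\.\.\\Run: \[(.*?)\] (.*)$")
O4_STARTUP = re.compile(r"^Global Startup: (.*?) = (.*)$")
O23_SVC = re.compile(r"^Service: (.*?) - (.*?) - (.*)$")
O2_BHO = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O20_NOTIFY = re.compile(r"^Winlogon Notify: (.*?) - (.*)$")
# First binary in a command line: optional quote, then up to a known extension
# that is followed by a quote, whitespace or end (so "mcafee.com\" is not cut).
EXE_RE = re.compile(r'^"?(.+?\.(?:exe|dll|scr|cpl|bat|com))(?=["\s]|$)', re.I)

SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                   "csrss.exe", "smss.exe", "explorer.exe"}
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\",
                 "\\local settings\\", "\\application data\\")
AV_MARKERS = {"mcafee": "McAfee VirusScan", "onecare": "Windows OneCare"}


@dataclass
class Entry:
    section: str            # "O4", "O23", ...
    location: str           # hive, "Global Startup", "Service", "BHO {clsid}", ...
    name: str
    path: str               # executable/DLL extracted from the command line
    vendor: Optional[str] = None
    raw: str = ""


@dataclass
class Finding:
    rule: str
    entry: Entry


def exe_path(command: str) -> str:
    m = EXE_RE.match(command.strip())
    return m.group(1) if m else command.strip()


def parse_log(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, process list, "End of file", blank lines
        section, rest = m.groups()
        e = None
        if section == "O4":
            if (r := O4_REG.match(rest)):
                e = Entry(section, r.group(1), r.group(2), exe_path(r.group(3)), raw=raw)
            elif (r := O4_STARTUP.match(rest)):
                e = Entry(section, "Global Startup", r.group(1), exe_path(r.group(2)), raw=raw)
        elif section == "O23" and (r := O23_SVC.match(rest)):
            e = Entry(section, "Service", r.group(1), exe_path(r.group(3)), r.group(2), raw)
        elif section == "O2" and (r := O2_BHO.match(rest)):
            e = Entry(section, "BHO " + r.group(2), r.group(1), exe_path(r.group(3)), raw=raw)
        elif section == "O20" and (r := O20_NOTIFY.match(rest)):
            e = Entry(section, "Winlogon Notify", r.group(1), exe_path(r.group(2)), raw=raw)
        if e:
            entries.append(e)
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    findings: List[Finding] = []
    seen_av: dict = {}
    for e in entries:
        p = e.path.lower()
        base = p.rsplit("\\", 1)[-1]
        if e.section == "O23" and (e.vendor or "").lower() == "unknown owner":
            findings.append(Finding("service-unknown-owner", e))
        if any(marker in p for marker in USER_WRITABLE):
            findings.append(Finding("autostart-from-user-writable-path", e))
        if base in SYSTEM_BINARIES and not p.startswith("c:\\windows\\"):
            findings.append(Finding("system-binary-name-outside-windows-dir", e))
        for marker, product in AV_MARKERS.items():
            if marker in p:
                seen_av.setdefault(product, e)
    if len(seen_av) > 1:  # more than one resident AV product loaded at boot
        for product, e in seen_av.items():
            findings.append(Finding("multiple-realtime-av:" + product, e))
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f"{f.rule:45} {f.entry.section} {f.entry.name!r} -> {f.entry.path}")
```

Paste a full log into SAMPLE_LOG (or read it from a file) and look up every flagged path by hand; the script deliberately does not decide anything for you.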
