
Please Help Me


  • This topic is locked
15 replies to this topic

#1 nyarlathotep13

nyarlathotep13

  • Members
  • 38 posts
  • OFFLINE
  • Local time:03:03 AM

Posted 03 November 2007 - 03:50 PM

So, my brother got really pissed off at me and put something on my computer that I don't know what to do with.

I have a very wonderful flashing yellow triangle on my taskbar that's asking me to download software, two new icons on my desktop that won't go away, a window I can't close telling me to install 'bestsellerantivirus', and a barrage of pop-ups from savetheinformation.com that open in Internet Explorer even though I use Firefox.

Here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:49:50 PM, on 11/3/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\iSnooze\iSnooze.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\FlexibleSoft\Absolute Time Corrector\atcorrector.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\asuvmqqt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wlmsngr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\System32\MDM.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dlwixoql.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\System32\mxqrjxly.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [3ca60bee] rundll32.exe "C:\WINDOWS\System32\efbifqlf.dll",b
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [iSnooze] C:\Program Files\iSnooze\iSnooze.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://www.google.com/diskless/bin/tgctlcm.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n019p/EN/install/gtdownlr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161899755250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161899745796
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: Absolute Time Corrector Service (atccorrector) - FlexibleSoft Co. - C:\Program Files\FlexibleSoft\Absolute Time Corrector\atcorrector.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: DomainService - - C:\WINDOWS\System32\asuvmqqt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: wlmsngr - Unknown owner - C:\WINDOWS\wlmsngr.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 7972 bytes


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:09:03 AM

Posted 03 November 2007 - 05:24 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, nyarlathotep13.
My name is Richie and I'll be helping you to fix your problems.

wlmsngr.exe is present on your PC; it is added by the W32/Rbot-BKL worm and IRC backdoor.
A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.

They are typically installed without user interaction through security exploits, and may allow an attacker to remotely control the infected machine. Such risks may allow the attacker to install additional malware and use the compromised machine to participate in denial of service attacks, spamming, and bot nets, or to transmit sensitive data to a remote server. The malware may be cloaked and not visible to the user. These risks severely compromise the system by lowering security settings, installing 'backdoors,' infecting system files, or spreading to other networked machines.

If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately, including those used for email, eBay and forums.
You should consider them to be compromised.
They should be changed by using a different computer and not the infected one; if not, an attacker may get the new passwords and transaction information.
Banking and credit card institutions should be notified of the possible security breach.

Since your computer was compromised read:
How to report ID theft, fraud, drive-by installs, hijacking and malware:
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall:
http://www.dslreports.com/faq/10063

If you want us to go ahead and clean up your system then fair enough, but there's no way I can guarantee your PC will be 100% safe once we've finished.
Let me know how you wish to proceed.

#3 nyarlathotep13

nyarlathotep13
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  • Local time:03:03 AM

Posted 03 November 2007 - 05:52 PM

Well, thanks for helping me, Richie.

I don't know how long wlmsngr.exe has been on my computer, or if it's linked to what just started today, but I haven't done any banking or anything that's required a credit card no. for about a month now - I'll pay attention to my bills and hope everything's okay.

But I'd still like to try to clean my PC up, for what it's worth.
But I'll use my other one for banking - and reformat this one if necessary, although I have a lot of data on it and would prefer not to.

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:09:03 AM

Posted 03 November 2007 - 06:03 PM

OK then, here we go :thumbsup:

If you have previously downloaded ComboFix,please delete that version now.
Now download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
*NOTE*
In case your antivirus or any other realtime scanner is displaying an alert after you downloaded ComboFix or while you use ComboFix, please disable your scanner and redownload ComboFix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Now go to:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right-click on HijackThis.exe, select 'Rename', and rename it to abc.bat.
Double-click on abc.bat (which is still HijackThis.exe) and post that log into your next reply please.
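The way Richie reads the log above (a service with no vendor string sitting directly in C:\WINDOWS, a Run value with a hex-token name that loads a DLL through rundll32, and one randomly named DLL hooked as a BHO, a toolbar and a Winlogon Notify package at the same time) can be turned into a mechanical first pass over a HijackThis log. The script below is an added example for this thread; it is not part of the original posts and is not code from HijackThis or ComboFix. The scoring rules, the point weights, the assumed %WINDIR% of C:\WINDOWS and the SAMPLE_LOG lines (constructed in the shape of the log posted above) are all the editor's assumptions, not anything the tools themselves do.

```python
"""Score HijackThis O-lines for the persistence patterns discussed in the thread."""
import re
from collections import defaultdict

# Constructed sample in the shape of the HijackThis log posted above (not a real scan)
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\mxqrjxly.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\mxqrjxly.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [3ca60bee] rundll32.exe "C:\WINDOWS\System32\efbifqlf.dll",b
O20 - Winlogon Notify: mxqrjxly - C:\WINDOWS\SYSTEM32\mxqrjxly.dll
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: DomainService - - C:\WINDOWS\System32\asuvmqqt.exe
O23 - Service: wlmsngr - Unknown owner - C:\WINDOWS\wlmsngr.exe
"""

ENTRY_RE = re.compile(r'^(O\d+) - ')
# First Windows path on the line that ends in a loadable module
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n,]*?\.(?:exe|dll|ocx|sys)', re.IGNORECASE)
O4_RUN_RE = re.compile(r'^O4 - HK\w+\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<value>.*)$')
# Owner may be empty ("name - - path"), so the space before the second dash is optional
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.*?) ?- (?P<path>[A-Za-z]:\\.*)$')
HEX_KEY_RE = re.compile(r'^[0-9a-f]{6,}$', re.IGNORECASE)
WINDIR = r'c:\windows'  # assumed; adjust for the machine being triaged


def _location(path):
    """Classify a path as 'windir_root', 'windir_sub' (e.g. system32) or 'other'."""
    p = path.lower()
    if not p.startswith(WINDIR + '\\'):
        return 'other'
    return 'windir_sub' if '\\' in p[len(WINDIR) + 1:] else 'windir_root'


def triage(log_text):
    """Return {basename: {'score', 'reasons', 'types'}} for entries worth a second look."""
    findings = defaultdict(lambda: {'score': 0, 'reasons': [], 'types': set()})
    seen = defaultdict(set)   # basename -> entry types referencing it (every module, flagged or not)
    location = {}

    def hit(path, etype, points, reason):
        f = findings[path.rsplit('\\', 1)[-1].lower()]
        f['score'] += points
        f['reasons'].append(f'{etype}: {reason}')
        f['types'].add(etype)

    for line in log_text.splitlines():
        m, pm = ENTRY_RE.match(line), PATH_RE.search(line)
        if not (m and pm):
            continue
        etype, path = m.group(1), pm.group(0)
        name = path.rsplit('\\', 1)[-1].lower()
        seen[name].add(etype)
        location[name] = _location(path)

        if etype == 'O20':
            hit(path, etype, 2, 'Winlogon Notify DLL is loaded into winlogon.exe at every logon')
        if etype in ('O2', 'O3') and '(no name)' in line:
            hit(path, etype, 1, 'browser hook registered without a display name')
        if (rm := O4_RUN_RE.match(line)):
            if HEX_KEY_RE.match(rm['key']):
                hit(path, etype, 1, f'Run value named with a hex token "{rm["key"]}"')
            if rm['value'].lower().startswith('rundll32') and '.dll' in rm['value'].lower():
                hit(path, etype, 1, 'Run value loads a DLL through rundll32')
        if (sm := O23_RE.match(line)) and sm['owner'].strip() in ('', 'Unknown owner'):
            hit(path, etype, 1, f'service "{sm["name"]}" has no vendor string')
        if location[name] == 'windir_root':
            hit(path, etype, 1, 'binary sits directly in %WINDIR% rather than a program folder')

    # Correlation pass: a module under %WINDIR% hooked from two or more distinct load points
    for name, types in seen.items():
        if len(types) >= 2 and location[name] != 'other':
            f = findings[name]
            f['score'] += 2
            f['types'].update(types)
            f['reasons'].append(f'hooked at {len(types)} load points: {", ".join(sorted(types))}')
    return dict(findings)


def report(findings):
    """Human-readable summary, highest score first."""
    lines = []
    for name, f in sorted(findings.items(), key=lambda kv: -kv[1]['score']):
        lines.append(f"{f['score']:>2}  {name}")
        lines.extend(f"      - {r}" for r in f['reasons'])
    return '\n'.join(lines)


if __name__ == '__main__':
    print(report(triage(SAMPLE_LOG)))
```

Run against the sample, mxqrjxly.dll comes out on top because it is hooked from three load points and one of them is Winlogon Notify; wlmsngr.exe and efbifqlf.dll score two each; the Apple and Adobe entries do not appear at all. The rules are deliberately structural (where a module lives and how many places load it) rather than trying to judge whether a filename "looks random", since legitimate vendor files such as igfxtray.exe would trip a letter-pattern test. The "no vendor string" rule does fire on some legitimate services (the ATI entries in the log above are "Unknown owner"), which is why a single point on its own is a prompt to look, not a verdict.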

#5 nyarlathotep13

nyarlathotep13
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  • Local time:03:03 AM

Posted 03 November 2007 - 07:15 PM

So I deleted Spybot because it freaked out when ComboFix tried to change registry entries.

ComboFix 07-11-04.1 - Administrator 2007-11-03 18:54:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.72 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Administrator\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Administrator\err.log
C:\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk
C:\Documents and Settings\Administrator\Start Menu\Programs\Uninstall.lnk
C:\Documents and Settings\All Users\Application Data.\nsv
C:\Documents and Settings\All Users\Application Data.\nsv\cache\538.dfn
C:\Documents and Settings\All Users\Application Data.\nsv\cache\545.dfn
C:\Documents and Settings\All Users\Application Data.\nsv\keys.dat
C:\Documents and Settings\All Users\Application Data.\nsv\wmv0104.dbd
C:\Documents and Settings\All Users\Application Data.\nsv\wmv0106.ddx
C:\Documents and Settings\All Users\Application Data.\nsv\wmv0204.ddx
C:\Documents and Settings\All Users\Application Data.\nsv\wmv0315.ddx
C:\Documents and Settings\All Users\Application Data.\nsv\wmv0412.ddx
C:\Documents and Settings\All Users\Application Data.\nsv\wmv0504.ddx
C:\Documents and Settings\All Users\Application Data.\nsv\wmv0904.ddx
C:\Documents and Settings\All Users\Application Data.\nsv\wmv1125.ddx
C:\Documents and Settings\All Users\Application Data.\nsv\wmv1204.ddx
C:\Documents and Settings\All Users\Application Data.\nsv\wmv1215.dbd
C:\Documents and Settings\All Users\Application Data.\nsv\wmv1909.ddx
C:\Documents and Settings\All Users\Application Data.\nsv\wmv1920.dbd
C:\Documents and Settings\All Users\Application Data.\nsv\wmv2007.dbd
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2006
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1165127277.old
C:\Program Files\WinBudget\bin\matrix.dll
C:\WA6P
C:\WINDOWS\system32\asuvmqqt.exe
C:\WINDOWS\system32\mxqrjxly.dllbox
C:\WINDOWS\system32\nsvsvc
C:\WINDOWS\system32\nsvsvc\License.txt
C:\WINDOWS\system32\rtutv.bak1
C:\WINDOWS\system32\rtutv.bak2
C:\WINDOWS\system32\rtutv.ini
C:\WINDOWS\System32\vtutr.dll
C:\WINDOWS\uninst2.htm
C:\WINDOWS\unist1.htm

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FOPN
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\DomainService
-------\FOPN
-------\nm


((((((((((((((((((((((((( Files Created from 2007-10-05 to 2007-11-05 )))))))))))))))))))))))))))))))
.

2007-11-04 19:04 7,851 --a------ C:\IS.EXE
2007-11-04 19:03 115,095 --a------ C:\wr2.exe
2007-11-04 18:56 75,328 --a------ C:\WINDOWS\system32\lrateeoi.exe
2007-11-03 18:51 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-03 15:49 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-03 15:49 812,344 --a------ C:\HJTInstall.exe
2007-11-03 15:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-03 15:10 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-11-03 14:27 34,304 --a------ C:\WINDOWS\system32\xxywwwx.dll
2007-11-03 07:46 87,616 --a------ C:\WINDOWS\system32\efbifqlf.dll
2007-11-03 07:40 81,472 --a------ C:\WINDOWS\system32\wxfecbww.dll
2007-11-03 07:38 340,032 --a------ C:\WINDOWS\system32\mxqrjxly.dll
2007-11-03 07:37 340,032 --a------ C:\WINDOWS\system32\jfinaqon.dll
2007-11-02 20:27 0 --a------ C:\WINDOWS\system32\setup_16761.exe
2007-11-02 19:23 34,304 --a------ C:\WINDOWS\system32\yayywxw.dll
2007-11-02 19:17 62,739 -r-hs---- C:\WINDOWS\wlmsngr.exe
2007-10-24 21:43 365,343 --a------ C:\Magnetosphere.exe
2007-10-23 16:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-03 23:49 --------- d-----w C:\Documents and Settings\Administrator\Application Data\SiteAdvisor
2007-11-02 23:55 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2007-11-02 00:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2007-10-23 21:47 --------- d-----w C:\Program Files\iTunes
2007-10-23 21:47 --------- d-----w C:\Program Files\Apple Software Update
2007-10-23 21:46 --------- d-----w C:\Program Files\iPod
2007-10-05 00:50 --------- d-----w C:\Program Files\Last.fm
2007-09-21 15:15 --------- d-----w C:\Program Files\uTorrent
2007-09-20 02:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-09-17 21:10 --------- d-----w C:\Program Files\Common Files\SupportSoft
2007-09-17 21:10 --------- d-----w C:\Program Files\CHARTER
2007-09-07 01:54 --------- d-----w C:\Program Files\iSnooze
2007-09-07 01:16 --------- d-----w C:\Program Files\LimeWire
2007-09-06 02:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Last.fm
2007-09-05 13:54 --------- d-----w C:\Program Files\FlexibleSoft
2007-09-05 13:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Flexiblesoft
2007-09-05 13:54 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Flexiblesoft
2007-01-30 13:41 2,842,857 ----a-w C:\Program Files\PfSetup30.exe
2007-01-23 23:19 18,725,888 ----a-w C:\Program Files\ticonnect_eng.exe
2006-12-13 22:11 5,900,416 ----a-w C:\Program Files\Firefox Setup 2.0.exe
1998-12-09 02:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-03 07:38 340032 --a------ C:\WINDOWS\system32\mxqrjxly.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F6B1F430-52B5-4478-9FC6-A94F79D423C3}]
2007-11-03 14:27 34304 --a------ C:\WINDOWS\system32\xxywwwx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fe950150-b3a9-404f-9799-ff78e7746f1f}]
2007-11-03 07:40 81472 --a------ C:\WINDOWS\System32\wxfecbww.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\mxqrjxly.dll [2007-11-03 07:38 340032]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{821F87FF-8245-4972-9E28-732E92EC2F51}"= C:\Program Files\VSToolbar\VSToolBar.dll [ ]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\mxqrjxly.dll [2007-11-03 07:38 340032]

[HKEY_CLASSES_ROOT\CLSID\{821F87FF-8245-4972-9E28-732E92EC2F51}]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-10 21:10]
"@"="" []
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [2004-06-15 22:17]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2005-10-19 08:59]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2005-10-19 08:59]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2005-01-24 19:58]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 08:41]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 10:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-27 19:14]
"3ca60bee"="C:\WINDOWS\System32\efbifqlf.dll" [2007-11-03 07:46]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="C:\Program Files\IGN\Download Manager\DLM.exe" [2006-11-07 17:22]
"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [2004-04-16 06:43]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 05:48]
"atc.exe"="" []
"iSnooze"="C:\Program Files\iSnooze\iSnooze.exe" [2004-10-18 15:27]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-02-24 02:05:00]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52]
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-09-07 08:45:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56]
Symantec Fax Starter Edition Port.lnk - C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 16:51:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=1 (0x1)
"AllowUnhashedWebView"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{F6B1F430-52B5-4478-9FC6-A94F79D423C3}"= C:\WINDOWS\system32\xxywwwx.dll [2007-11-03 14:27 34304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mxqrjxly]
mxqrjxly.dll 2007-11-03 07:38 340032 C:\WINDOWS\system32\mxqrjxly.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywwwx]
xxywwwx.dll 2007-11-03 14:27 34304 C:\WINDOWS\system32\xxywwwx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayywxw]
yayywxw.dll 2007-11-02 19:23 34304 C:\WINDOWS\system32\yayywxw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\System32\vtutr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

R2 atccorrector;Absolute Time Corrector Service;C:\Program Files\FlexibleSoft\Absolute Time Corrector\atcorrector.exe /startedbyscm:72129319-40E32761-atccorrector
R2 AVWUpSrv;AntiVir Update;"C:\Program Files\AVPersonal\AVWUPSRV.EXE"
R2 wlmsngr;wlmsngr;"C:\WINDOWS\wlmsngr.exe"
S0 ggksuiod;ggksuiod;C:\WINDOWS\System32\drivers\qkgpafgq.sys
S0 huimdvcw;huimdvcw;C:\WINDOWS\System32\drivers\famqgptu.sys
S3 avgntdw;avgntdw;\??\C:\Program Files\AVPersonal\AVGNTDW.SYS
S3 TIEHDUSB;TIEHDUSB;C:\WINDOWS\System32\drivers\tiehdusb.sys

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
*Newly Created Service* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder
"2007-10-23 21:47:54 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-04 19:04:13
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\atccorrector]
"ImagePath"="C:\Program Files\FlexibleSoft\Absolute Time Corrector\atcorrector.exe /startedbyscm:72129319-40E32761-atccorrector"
.
Completion time: 2007-11-04 19:06:07 - machine was rebooted
C:\ComboFix2.1.txt ... 2006-11-04 07:22
C:\ComboFix2.txt ... 2006-12-12 16:40
C:\ComboFix3.txt ... 2006-12-05 22:33
C:\ComboFix4.txt ... 2006-11-20 13:09
.
--- E O F ---

_____________________________________________________________________________________________


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:11:06 PM, on 11/4/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\FlexibleSoft\Absolute Time Corrector\atcorrector.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wlmsngr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
c:\wr2.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iSnooze\iSnooze.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\MDM.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\abc.bat.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\mxqrjxly.dll
O2 - BHO: (no name) - {DEF98733-635F-403F-88A2-138B4441DC3D} - C:\WINDOWS\System32\mljji.dll
O2 - BHO: (no name) - {F6B1F430-52B5-4478-9FC6-A94F79D423C3} - C:\WINDOWS\system32\xxywwwx.dll
O2 - BHO: {f1f6477e-87ff-9979-f404-9a3b051059ef} - {fe950150-b3a9-404f-9799-ff78e7746f1f} - C:\WINDOWS\System32\wxfecbww.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\mxqrjxly.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [3ca60bee] rundll32.exe "C:\WINDOWS\System32\efbifqlf.dll",b
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [iSnooze] C:\Program Files\iSnooze\iSnooze.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://www.google.com/diskless/bin/tgctlcm.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n019p/EN/install/gtdownlr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161899755250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161899745796
O20 - Winlogon Notify: mxqrjxly - C:\WINDOWS\SYSTEM32\mxqrjxly.dll
O20 - Winlogon Notify: xxywwwx - C:\WINDOWS\SYSTEM32\xxywwwx.dll
O20 - Winlogon Notify: yayywxw - C:\WINDOWS\SYSTEM32\yayywxw.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: Absolute Time Corrector Service (atccorrector) - FlexibleSoft Co. - C:\Program Files\FlexibleSoft\Absolute Time Corrector\atcorrector.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: wlmsngr - Unknown owner - C:\WINDOWS\wlmsngr.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 8297 bytes

#6 RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 03 November 2007 - 07:30 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\IS.EXE
C:\wr2.exe
C:\WINDOWS\wlmsngr.exe
C:\WINDOWS\system32\lrateeoi.exe
C:\WINDOWS\system32\xxywwwx.dll
C:\WINDOWS\system32\efbifqlf.dll
C:\WINDOWS\system32\wxfecbww.dll
C:\WINDOWS\system32\mxqrjxly.dll
C:\WINDOWS\system32\jfinaqon.dll
C:\WINDOWS\system32\setup_16761.exe
C:\WINDOWS\system32\yayywxw.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F6B1F430-52B5-4478-9FC6-A94F79D423C3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fe950150-b3a9-404f-9799-ff78e7746f1f}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{821F87FF-8245-4972-9E28-732E92EC2F51}"=-
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[-HKEY_CLASSES_ROOT\CLSID\{821F87FF-8245-4972-9E28-732E92EC2F51}]
[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"3ca60bee"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{F6B1F430-52B5-4478-9FC6-A94F79D423C3}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mxqrjxly]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywwwx]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayywxw]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
Service::
wlmsngr

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.


This will start ComboFix again.
After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply along with a new HijackThis log.

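The script above is the whole instruction, so it is worth reading before dropping it on ComboFix: the Registry:: block does more than delete keys. As an added example (not part of the thread and not ComboFix code), the Python below parses the script's three sections and decodes the hex(7) line, which is a REG_MULTI_SZ: 6d,73,76,31,5f,30,00,00 is "msv1_0" followed by the double NUL terminator, so the script resets LSA's "Authentication Packages" to the Windows default. The ComboFix output in the next reply shows why that line is there: on this machine the value carried a second entry, C:\WINDOWS\System32\mljji.dll, which LSASS would load at boot. The CFSCRIPT text embedded in the code is a shortened copy of the script above, and the section names it understands (File::, Registry::, Service::) are the ones that script uses, not a complete list of CFScript directives.

```python
"""Parse a ComboFix CFScript and decode the REG_MULTI_SZ it writes.

Added example for this thread; it is not ComboFix code and the section
names it understands (File::, Registry::, Service::) are the ones used in
the script above, not an exhaustive list of CFScript directives.
"""
import re

# Constructed from the script posted above, shortened to a few entries.
CFSCRIPT = """\
File::
C:\\IS.EXE
C:\\wr2.exe
C:\\WINDOWS\\wlmsngr.exe
C:\\WINDOWS\\system32\\mxqrjxly.dll
Registry::
[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"3ca60bee"=-
[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\mxqrjxly]
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
Service::
wlmsngr
"""

SECTION_RE = re.compile(r"^(\w+)::$")


def parse_cfscript(text):
    """Split the script into {section_name: [lines]}; blank lines are ignored."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"line before any section header: {line!r}")
        sections[current].append(line)
    return sections


def decode_hex7(payload):
    """Decode a .reg-style hex(7) payload (REG_MULTI_SZ) into its strings.

    The value in the script is 8 bytes for 'msv1_0', so it is one byte per
    character (REGEDIT4 style).  A 'Windows Registry Editor Version 5.00'
    export would carry the same value as UTF-16LE and need a different decode.
    """
    raw = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    # REG_MULTI_SZ: NUL-terminated strings, closed by an extra empty string.
    return [s for s in raw.decode("latin-1").split("\x00") if s]


def registry_actions(lines):
    """Turn Registry:: lines into (action, key, value_name, data) tuples.

    [-KEY]              delete the whole key
    [KEY]               select KEY for the value lines that follow
    "name"=-            delete a value under the selected key
    "name"=hex(7):...   overwrite a REG_MULTI_SZ value
    """
    actions, key = [], None
    for line in lines:
        if line.startswith("[-") and line.endswith("]"):
            key = line[2:-1]
            actions.append(("delete_key", key, None, None))
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line.startswith('"'):
            name, _, data = line[1:].partition('"=')
            if data == "-":
                actions.append(("delete_value", key, name, None))
            elif data.startswith("hex(7):"):
                actions.append(("set_multi_sz", key, name, decode_hex7(data[7:])))
            else:
                actions.append(("set_value", key, name, data))
        else:
            raise ValueError(f"unrecognised Registry:: line: {line!r}")
    return actions


def summarize(text):
    """What the script will do, as plain data a reviewer can read first."""
    s = parse_cfscript(text)
    return {
        "files": s.get("File", []),
        "services": s.get("Service", []),
        "registry": registry_actions(s.get("Registry", [])),
    }


if __name__ == "__main__":
    for kind, items in summarize(CFSCRIPT).items():
        print(kind)
        for item in items:
            print("   ", item)
```

Running it prints the files and the service the script removes, and the registry actions in order; the last action is the multi-string reset, decoded to the single package msv1_0. If a script you are handed decodes to anything else on that value, stop and ask why.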
#7 nyarlathotep13
  • Topic Starter
  • Members
  • 38 posts

Posted 03 November 2007 - 08:37 PM

ComboFix 07-11-04.1 - Administrator 2007-11-04 19:54:45.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.33 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Administrator\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\WINDOWS\system32\ijjlm.bak1
C:\WINDOWS\system32\ijjlm.ini
C:\WINDOWS\system32\lrateeoi.exe
C:\WINDOWS\system32\mljji.dll
C:\WINDOWS\system32\mxqrjxly.dllbox

.
((((((((((((((((((((((((( Files Created from 2007-10-05 to 2007-11-05 )))))))))))))))))))))))))))))))
.

2007-11-04 20:00 34,304 --a------ C:\WINDOWS\system32\awtqnkh.dll
2007-11-04 19:03 115,095 --a------ C:\wr2.exe
2007-11-03 18:51 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-03 15:49 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-03 15:49 812,344 --a------ C:\HJTInstall.exe
2007-11-03 15:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-03 15:10 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-11-03 14:27 34,304 --a------ C:\WINDOWS\system32\xxywwwx.dll
2007-11-03 07:46 87,616 --a------ C:\WINDOWS\system32\efbifqlf.dll
2007-11-03 07:40 81,472 --a------ C:\WINDOWS\system32\wxfecbww.dll
2007-11-03 07:38 340,032 --a------ C:\WINDOWS\system32\mxqrjxly.dll
2007-11-03 07:37 340,032 --a------ C:\WINDOWS\system32\jfinaqon.dll
2007-11-02 20:27 0 --a------ C:\WINDOWS\system32\setup_16761.exe
2007-11-02 19:23 34,304 --a------ C:\WINDOWS\system32\yayywxw.dll
2007-11-02 19:17 62,739 -r-hs---- C:\WINDOWS\wlmsngr.exe
2007-10-24 21:43 365,343 --a------ C:\Magnetosphere.exe
2007-10-23 16:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-05 00:24 --------- d-----w C:\Documents and Settings\Administrator\Application Data\SiteAdvisor
2007-11-02 23:55 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2007-11-02 00:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2007-10-23 21:47 --------- d-----w C:\Program Files\iTunes
2007-10-23 21:47 --------- d-----w C:\Program Files\Apple Software Update
2007-10-23 21:46 --------- d-----w C:\Program Files\iPod
2007-10-05 00:50 --------- d-----w C:\Program Files\Last.fm
2007-09-21 15:15 --------- d-----w C:\Program Files\uTorrent
2007-09-20 02:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-09-17 21:10 --------- d-----w C:\Program Files\Common Files\SupportSoft
2007-09-17 21:10 --------- d-----w C:\Program Files\CHARTER
2007-09-07 01:54 --------- d-----w C:\Program Files\iSnooze
2007-09-07 01:16 --------- d-----w C:\Program Files\LimeWire
2007-09-06 02:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Last.fm
2007-09-05 13:54 --------- d-----w C:\Program Files\FlexibleSoft
2007-09-05 13:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Flexiblesoft
2007-09-05 13:54 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Flexiblesoft
2007-01-30 13:41 2,842,857 ----a-w C:\Program Files\PfSetup30.exe
2007-01-23 23:19 18,725,888 ----a-w C:\Program Files\ticonnect_eng.exe
2006-12-13 22:11 5,900,416 ----a-w C:\Program Files\Firefox Setup 2.0.exe
1998-12-09 02:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-03 07:38 340032 --a------ C:\WINDOWS\system32\mxqrjxly.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fe950150-b3a9-404f-9799-ff78e7746f1f}]
2007-11-03 07:40 81472 --a------ C:\WINDOWS\System32\wxfecbww.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\mxqrjxly.dll [2007-11-03 07:38 340032]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{821F87FF-8245-4972-9E28-732E92EC2F51}"= C:\Program Files\VSToolbar\VSToolBar.dll [ ]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\mxqrjxly.dll [2007-11-03 07:38 340032]

[HKEY_CLASSES_ROOT\CLSID\{821F87FF-8245-4972-9E28-732E92EC2F51}]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-10 21:10]
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [2004-06-15 22:17]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2005-10-19 08:59]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2005-10-19 08:59]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2005-01-24 19:58]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 08:41]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 10:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-27 19:14]
"3ca60bee"="C:\WINDOWS\System32\efbifqlf.dll" [2007-11-03 07:46]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="C:\Program Files\IGN\Download Manager\DLM.exe" [2006-11-07 17:22]
"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [2004-04-16 06:43]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 05:48]
"atc.exe"="" []
"iSnooze"="C:\Program Files\iSnooze\iSnooze.exe" [2004-10-18 15:27]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-02-24 02:05:00]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52]
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-09-07 08:45:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56]
Symantec Fax Starter Edition Port.lnk - C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 16:51:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=1 (0x1)
"AllowUnhashedWebView"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{F6B1F430-52B5-4478-9FC6-A94F79D423C3}"= C:\WINDOWS\System32\awtqnkh.dll [2007-11-04 20:00 34304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqnkh]
awtqnkh.dll 2007-11-04 20:00 34304 C:\WINDOWS\system32\awtqnkh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mxqrjxly]
mxqrjxly.dll 2007-11-03 07:38 340032 C:\WINDOWS\system32\mxqrjxly.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxywwwx]
xxywwwx.dll 2007-11-03 14:27 34304 C:\WINDOWS\system32\xxywwwx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayywxw]
yayywxw.dll 2007-11-02 19:23 34304 C:\WINDOWS\system32\yayywxw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\System32\mljji.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

R2 atccorrector;Absolute Time Corrector Service;C:\Program Files\FlexibleSoft\Absolute Time Corrector\atcorrector.exe /startedbyscm:72129319-40E32761-atccorrector
R2 AVWUpSrv;AntiVir Update;"C:\Program Files\AVPersonal\AVWUPSRV.EXE"
R2 wlmsngr;wlmsngr;"C:\WINDOWS\wlmsngr.exe"
S0 ggksuiod;ggksuiod;C:\WINDOWS\System32\drivers\qkgpafgq.sys
S0 huimdvcw;huimdvcw;C:\WINDOWS\System32\drivers\famqgptu.sys
S3 avgntdw;avgntdw;\??\C:\Program Files\AVPersonal\AVGNTDW.SYS
S3 TIEHDUSB;TIEHDUSB;C:\WINDOWS\System32\drivers\tiehdusb.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-23 21:47:54 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-04 20:17:49
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\atccorrector]
"ImagePath"="C:\Program Files\FlexibleSoft\Absolute Time Corrector\atcorrector.exe /startedbyscm:72129319-40E32761-atccorrector"
.
Completion time: 2007-11-04 20:19:23 - machine was rebooted
C:\ComboFix2.1.txt ... 2006-11-04 07:22
C:\ComboFix2.txt ... 2007-11-04 19:06
C:\ComboFix3.txt ... 2006-12-12 16:40
C:\ComboFix4.txt ... 2006-11-20 13:09
.
--- E O F ---



__________________________________________________________________________________________


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:34:22 PM, on 11/4/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\FlexibleSoft\Absolute Time Corrector\atcorrector.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wlmsngr.exe
c:\wr2.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\iSnooze\iSnooze.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\MDM.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B0682AE-9C15-487D-99E7-23B694BA3383} - C:\WINDOWS\System32\mlljh.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\mxqrjxly.dll
O2 - BHO: {f1f6477e-87ff-9979-f404-9a3b051059ef} - {fe950150-b3a9-404f-9799-ff78e7746f1f} - C:\WINDOWS\System32\wxfecbww.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\mxqrjxly.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [3ca60bee] rundll32.exe "C:\WINDOWS\System32\efbifqlf.dll",b
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [iSnooze] C:\Program Files\iSnooze\iSnooze.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://www.google.com/diskless/bin/tgctlcm.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n019p/EN/install/gtdownlr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161899755250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161899745796
O20 - Winlogon Notify: awtqnkh - C:\WINDOWS\SYSTEM32\awtqnkh.dll
O20 - Winlogon Notify: mxqrjxly - C:\WINDOWS\SYSTEM32\mxqrjxly.dll
O20 - Winlogon Notify: xxywwwx - C:\WINDOWS\SYSTEM32\xxywwwx.dll
O20 - Winlogon Notify: yayywxw - C:\WINDOWS\SYSTEM32\yayywxw.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: Absolute Time Corrector Service (atccorrector) - FlexibleSoft Co. - C:\Program Files\FlexibleSoft\Absolute Time Corrector\atcorrector.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: wlmsngr - Unknown owner - C:\WINDOWS\wlmsngr.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 8262 bytes

#8 RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 04 November 2007 - 08:05 AM

Please download OTMoveIt by OldTimer, save it to your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe
Don't do anything with it yet.

Download FIX.REG that's attached to the bottom of this post, unzip it to your desktop.
Don't do anything with it yet.

Now backup the registry by doing the following.
Click on Start>Run, copy and paste the following bold text into the 'Open:' space, then press Ok.
regedit /e c:\registrybackup.reg
It won't appear to be doing anything,that's normal.
Your mouse pointer may have an hour glass along side it for a minute or so.
Please be patient and continue when the hour glass disappears.


Click on Start>Run and type Services.msc then hit Ok.
Scroll down and find the service called:
wlmsngr
When you find it, double-click on it.
In the next window that opens, click the 'Stop' button.
Then change the 'Startup Type:' to 'Disabled'.
Now press Apply and then Ok and close any open windows.

Click Start>Run and type regedit then click OK.
Navigate to HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services
Scroll down the left pane, locate the service name:
wlmsngr
Right click on it 'Delete'.
Then restart your pc.


Now please double-click OTMoveIt.exe to run it.
Copy ALL the file paths inside the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\WINDOWS\system32\awtqnkh.dll
C:\wr2.exe
C:\WINDOWS\system32\xxywwwx.dll
C:\WINDOWS\system32\efbifqlf.dll
C:\WINDOWS\system32\wxfecbww.dll
C:\WINDOWS\system32\mxqrjxly.dll
C:\WINDOWS\system32\jfinaqon.dll
C:\WINDOWS\system32\setup_16761.exe
C:\WINDOWS\system32\yayywxw.dll
C:\WINDOWS\wlmsngr.exe

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button

Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.


Now double-click on FIX.REG you downloaded/unzipped earlier.
Agree to merge the information into the registry, then restart your pc.

Also post a new Hijackthis log.

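The reason these instructions end with "post a new HijackThis log" is that the log is the check: the O2/O3/O4/O20/O23 lines are the persistence points, and comparing the log from before the cleanup with the one after shows which entries were actually removed, which survived, and which appeared in the meantime. As an added example (not part of the thread and not HijackThis code), the Python below does that comparison on excerpts of the two logs in this thread (reply #7 as "before", reply #9 as "after"), keyed on the file path so that the same DLL registered under a new CLSID still counts as a survivor. The needs_review() triage rule is an assumption of this example, a rough stand-in for what the helper does by eye; it also flags some legitimate entries, such as vendor-less driver helpers under System32, so treat its output as a worklist rather than a verdict.

```python
"""Diff two HijackThis logs to see whether a cleanup actually took.

Added example, not part of the thread and not HijackThis code.  BEFORE and
AFTER are excerpts of the logs posted in replies #7 and #9, cut down to the
persistence sections: O2 (BHOs), O3 (toolbars), O4 (Run keys),
O20 (Winlogon Notify handlers) and O23 (services).
"""
import re
from dataclasses import dataclass
from typing import Optional

BEFORE = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {0B0682AE-9C15-487D-99E7-23B694BA3383} - C:\\WINDOWS\\System32\\mlljh.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\\WINDOWS\\system32\\mxqrjxly.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\\WINDOWS\\system32\\mxqrjxly.dll
O4 - HKLM\\..\\Run: [3ca60bee] rundll32.exe "C:\\WINDOWS\\System32\\efbifqlf.dll",b
O20 - Winlogon Notify: awtqnkh - C:\\WINDOWS\\SYSTEM32\\awtqnkh.dll
O20 - Winlogon Notify: mxqrjxly - C:\\WINDOWS\\SYSTEM32\\mxqrjxly.dll
O20 - Winlogon Notify: xxywwwx - C:\\WINDOWS\\SYSTEM32\\xxywwwx.dll
O20 - Winlogon Notify: yayywxw - C:\\WINDOWS\\SYSTEM32\\yayywxw.dll
O23 - Service: wlmsngr - Unknown owner - C:\\WINDOWS\\wlmsngr.exe
"""

AFTER = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {A77D03B0-D0F6-4802-B7CF-18D2D8D59F02} - C:\\WINDOWS\\System32\\mlljh.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\\WINDOWS\\system32\\mxqrjxly.dll (file missing)
O2 - BHO: (no name) - {F6B1F430-52B5-4478-9FC6-A94F79D423C3} - C:\\WINDOWS\\System32\\awtqnkh.dll
O20 - Winlogon Notify: awtqnkh - C:\\WINDOWS\\SYSTEM32\\awtqnkh.dll
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]+?\.(?:dll|exe|ocx|sys))', re.IGNORECASE)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass(frozen=True)
class Entry:
    section: str
    path: str             # lower-cased file path the line points at
    clsid: Optional[str]  # CLSID on the line, if any
    raw: str
    file_missing: bool


def parse_hjt(text):
    """Index the O-lines of a log by (section, path); other lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        p = PATH_RE.search(body)
        path = (p.group(1) if p else body).lower()
        c = CLSID_RE.search(body)
        entries[(section, path)] = Entry(section, path, c.group(0).upper() if c else None,
                                         line.strip(), "(file missing)" in body)
    return entries


def diff_logs(before_text, after_text):
    """Which (section, path) entries disappeared, appeared, or survived."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    return {
        "removed": sorted(k for k in before if k not in after),
        "added": sorted(k for k in after if k not in before),
        "kept": sorted(k for k in before if k in after),
        # Registry still points at a file that is gone: leftover to clean up.
        "stale": sorted(k for k, e in after.items() if e.file_missing),
    }


def reregistered(before_text, after_text):
    """Survivors whose CLSID changed between the two logs.  A legitimate
    component keeps its class ID across reboots, so these deserve a look."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    return sorted(k for k in before if k in after and before[k].clsid != after[k].clsid)


def needs_review(e):
    """Triage rule (an assumption of this example, not an HJT feature): flag
    Winlogon Notify handlers, unnamed BHOs, vendor-less services and rundll32
    Run entries that live under the Windows directory rather than Program
    Files.  It will also flag some legitimate driver helpers."""
    in_windows = "\\windows\\" in e.path and "\\program files\\" not in e.path
    if e.section == "O20":
        return True
    if e.section == "O2" and "(no name)" in e.raw and in_windows:
        return True
    if e.section == "O23" and "Unknown owner" in e.raw and in_windows:
        return True
    return e.section == "O4" and "rundll32" in e.raw.lower() and in_windows


def triage(text):
    """Raw lines of a log that needs_review() flags, in log order."""
    return [e.raw for e in parse_hjt(text).values() if needs_review(e)]


if __name__ == "__main__":
    for kind, keys in diff_logs(BEFORE, AFTER).items():
        print(kind, *[f"   {s} {p}" for s, p in keys], sep="\n")
    print("re-registered", *reregistered(BEFORE, AFTER), sep="\n")
    print("review", *triage(AFTER), sep="\n")
```

On these excerpts the diff says what the helper concluded from the full logs: the toolbar, the 3ca60bee Run entry, three Winlogon Notify handlers and the wlmsngr service are gone; the mxqrjxly BHO is a stale registry reference to a file that no longer exists; awtqnkh.dll, already a Winlogon Notify handler before, has since registered itself as a BHO as well; and mlljh.dll survived under a new CLSID. That last pattern, new random names and new class IDs after every pass, is why the helper keeps asking for another log rather than declaring the machine clean.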
#9 nyarlathotep13
  • Topic Starter
  • Members
  • 38 posts

Posted 04 November 2007 - 10:37 AM

When OTMoveIt asked to reboot, i sort of assumed it would do like Combofix and open a list of results after the reboot. so i kind of missed the results from that.
i could maybe try running through the same process again....

*another edit: i just remembered that in services.msc, i couldn't click on the 'stop' button, i don't know the word for it, but it was gray and fuzzy and didn't seem to believe that i would want to stop wlmsngr.exe at all. so i changed the startup type to 'disabled' and rebooted, which didn't allow it to start up again and changed the status to 'stopped'.

*edit: that seems to have been incredibly helpful. we've significantly diminished the number of pop-ups, brought my processing speed close to somewhere normal again, i didn't have to try six times to reboot, and the little yellow triangle is gone. thank you.

Here's the HJT log after i did everything you told me to:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:32:30 AM, on 11/5/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\iSnooze\iSnooze.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\FlexibleSoft\Absolute Time Corrector\atcorrector.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {A77D03B0-D0F6-4802-B7CF-18D2D8D59F02} - C:\WINDOWS\System32\mlljh.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\mxqrjxly.dll (file missing)
O2 - BHO: (no name) - {F6B1F430-52B5-4478-9FC6-A94F79D423C3} - C:\WINDOWS\System32\awtqnkh.dll
O2 - BHO: {f1f6477e-87ff-9979-f404-9a3b051059ef} - {fe950150-b3a9-404f-9799-ff78e7746f1f} - C:\WINDOWS\System32\wxfecbww.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [iSnooze] C:\Program Files\iSnooze\iSnooze.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://www.google.com/diskless/bin/tgctlcm.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n019p/EN/install/gtdownlr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161899755250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161899745796
O20 - Winlogon Notify: awtqnkh - C:\WINDOWS\SYSTEM32\awtqnkh.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: Absolute Time Corrector Service (atccorrector) - FlexibleSoft Co. - C:\Program Files\FlexibleSoft\Absolute Time Corrector\atcorrector.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 7806 bytes

Edited by nyarlathotep13, 04 November 2007 - 10:49 AM.


#10 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 04 November 2007 - 11:03 AM

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files; click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click "OK".
Post the contents of C:\vundofix.txt into your next reply.
Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.


Double-click on combofix.exe again and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

Also post a new HijackThis log, please.

#11 nyarlathotep13 (Topic Starter, Members, 38 posts)

Posted 04 November 2007 - 01:11 PM

My desktop icons that wouldn't go away are gone. :thumbsup:

VundoFix rebooted my computer twice trying to remove C:\windows\system32\awtqnkh.dll before I gave up on it.



VundoFix V6.5.11

Checking Java version...

Java version is 1.5.0.10

Scan started at 11:08:45 AM 11/5/2007

Listing files found while scanning....

C:\windows\system32\awtqnkh.dll
C:\windows\system32\jkkiigh.dll
C:\WINDOWS\system32\mxqrjxly.dll
C:\windows\system32\vxucqawo.dll
C:\windows\system32\wvuusrr.dll

Beginning removal...

Attempting to delete C:\windows\system32\awtqnkh.dll
C:\windows\system32\awtqnkh.dll Could not be deleted.

Attempting to delete C:\windows\system32\jkkiigh.dll
C:\windows\system32\jkkiigh.dll Has been deleted!

Attempting to delete C:\windows\system32\vxucqawo.dll
C:\windows\system32\vxucqawo.dll Has been deleted!

Attempting to delete C:\windows\system32\wvuusrr.dll
C:\windows\system32\wvuusrr.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.11

Checking Java version...

Java version is 1.5.0.10

Scan started at 11:13:24 AM 11/5/2007

Listing files found while scanning....

C:\windows\system32\awtqnkh.dll

Beginning removal...

Attempting to delete C:\windows\system32\awtqnkh.dll
C:\windows\system32\awtqnkh.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\awtqnkh.dll
C:\windows\system32\awtqnkh.dll Could not be deleted.

Performing Repairs to the registry.
Done!

ComboFix 07-11-04.1 - Administrator 2007-11-05 11:26:54.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.41 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Administrator\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\WINDOWS\system32\awtqnkh.dll
C:\WINDOWS\system32\hjllm.bak1
C:\WINDOWS\system32\hjllm.ini
C:\WINDOWS\System32\mlljh.dll
C:\WINDOWS\system32\mxqrjxly.dllbox

.
((((((((((((((((((((((((( Files Created from 2007-10-05 to 2007-11-05 )))))))))))))))))))))))))))))))
.

2007-11-05 11:08 <DIR> d-------- C:\VundoFix Backups
2007-11-05 10:00 79,091,706 --a------ C:\registrybackup.reg
2007-11-03 18:51 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-03 15:49 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-03 15:49 812,344 --a------ C:\HJTInstall.exe
2007-11-03 15:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-03 15:10 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-10-24 21:43 365,343 --a------ C:\Magnetosphere.exe
2007-10-23 16:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-05 15:58 --------- d-----w C:\Documents and Settings\Administrator\Application Data\SiteAdvisor
2007-11-02 23:55 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2007-11-02 00:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2007-10-23 21:47 --------- d-----w C:\Program Files\iTunes
2007-10-23 21:47 --------- d-----w C:\Program Files\Apple Software Update
2007-10-23 21:46 --------- d-----w C:\Program Files\iPod
2007-10-05 00:50 --------- d-----w C:\Program Files\Last.fm
2007-09-21 15:15 --------- d-----w C:\Program Files\uTorrent
2007-09-20 02:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-09-17 21:10 --------- d-----w C:\Program Files\Common Files\SupportSoft
2007-09-17 21:10 --------- d-----w C:\Program Files\CHARTER
2007-09-07 01:54 --------- d-----w C:\Program Files\iSnooze
2007-09-07 01:16 --------- d-----w C:\Program Files\LimeWire
2007-09-06 02:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Last.fm
2007-09-05 13:54 --------- d-----w C:\Program Files\FlexibleSoft
2007-09-05 13:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Flexiblesoft
2007-09-05 13:54 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Flexiblesoft
2007-01-30 13:41 2,842,857 ----a-w C:\Program Files\PfSetup30.exe
2007-01-23 23:19 18,725,888 ----a-w C:\Program Files\ticonnect_eng.exe
2006-12-13 22:11 5,900,416 ----a-w C:\Program Files\Firefox Setup 2.0.exe
1998-12-09 02:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fe950150-b3a9-404f-9799-ff78e7746f1f}]
C:\WINDOWS\System32\wxfecbww.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-10 21:10]
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [2004-06-15 22:17]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2005-10-19 08:59]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2005-10-19 08:59]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2005-01-24 19:58]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 08:41]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 10:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-27 19:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="C:\Program Files\IGN\Download Manager\DLM.exe" [2006-11-07 17:22]
"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [2004-04-16 06:43]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 05:48]
"atc.exe"="" []
"iSnooze"="C:\Program Files\iSnooze\iSnooze.exe" [2004-10-18 15:27]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-02-24 02:05:00]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52]
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-09-07 08:45:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56]
Symantec Fax Starter Edition Port.lnk - C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 16:51:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=1 (0x1)
"AllowUnhashedWebView"=1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\System32\mlljh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

R2 atccorrector;Absolute Time Corrector Service;C:\Program Files\FlexibleSoft\Absolute Time Corrector\atcorrector.exe /startedbyscm:72129319-40E32761-atccorrector
R2 AVWUpSrv;AntiVir Update;"C:\Program Files\AVPersonal\AVWUPSRV.EXE"
S0 ggksuiod;ggksuiod;C:\WINDOWS\System32\drivers\qkgpafgq.sys
S0 huimdvcw;huimdvcw;C:\WINDOWS\System32\drivers\famqgptu.sys
S3 avgntdw;avgntdw;\??\C:\Program Files\AVPersonal\AVGNTDW.SYS
S3 TIEHDUSB;TIEHDUSB;C:\WINDOWS\System32\drivers\tiehdusb.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-23 21:47:54 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-05 13:05:14
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\atccorrector]
"ImagePath"="C:\Program Files\FlexibleSoft\Absolute Time Corrector\atcorrector.exe /startedbyscm:72129319-40E32761-atccorrector"
.
Completion time: 2007-11-05 13:06:34 - machine was rebooted
C:\ComboFix2.1.txt ... 2006-11-04 07:22
C:\ComboFix2.txt ... 2007-11-04 20:19
C:\ComboFix3.txt ... 2007-11-04 19:06
C:\ComboFix4.txt ... 2006-11-20 13:09
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:07:11 PM, on 11/5/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\FlexibleSoft\Absolute Time Corrector\atcorrector.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\iSnooze\iSnooze.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\abc.bat.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: {f1f6477e-87ff-9979-f404-9a3b051059ef} - {fe950150-b3a9-404f-9799-ff78e7746f1f} - C:\WINDOWS\System32\wxfecbww.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [iSnooze] C:\Program Files\iSnooze\iSnooze.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://www.google.com/diskless/bin/tgctlcm.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n019p/EN/install/gtdownlr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161899755250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161899745796
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: Absolute Time Corrector Service (atccorrector) - FlexibleSoft Co. - C:\Program Files\FlexibleSoft\Absolute Time Corrector\atcorrector.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 7457 bytes

#12 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 04 November 2007 - 01:42 PM

That's looking a lot better, let's continue :thumbsup:

Have HijackThis fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: {f1f6477e-87ff-9979-f404-9a3b051059ef} - {fe950150-b3a9-404f-9799-ff78e7746f1f} - C:\WINDOWS\System32\wxfecbww.dll (file missing)

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 3'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.


Download/install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, on the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.


Please run the F-Secure online virus/spyware scan using Internet Explorer:
http://support.f-secure.com/enu/home/ols.shtml
Follow the directions in the F-Secure page for proper installation.
Accept the License Agreement.
Once the ActiveX installs, click 'Custom Scan' and be sure the following are checked:
1. Scan whole System
2. Scan all files
3. Scan whole system for rootkits
4. Scan whole system for spyware
5. Scan inside archives
6. Use advanced heuristics
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the 'I want to decide item by item' button.
For each item found, select 'Disinfect' and click 'Next'.
Click the 'Show Report' button, then copy and paste the entire report into your next reply.

Also post a new HijackThis log, and let me know how your PC is running now.
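The triage in post #12 comes down to reading HijackThis O-lines for a few patterns: a BHO whose only name is its CLSID and whose DLL is already gone, a Winlogon Notify DLL with a random-looking name (the awtqnkh.dll that VundoFix could not delete in-session, because Winlogon Notify packages are loaded into winlogon.exe at logon), a service with no publisher, and an LSP that HijackThis does not recognise. The script below is an added example, not a tool from this thread or from Trend Micro; it parses those lines and attaches review notes. The Winlogon Notify baseline is an assumption (my own list of the packages on a default Windows XP install), and the sample log is constructed from lines copied out of the HijackThis logs posted above.

```python
"""Triage a HijackThis 2.x log for the loading points seen in this thread.
Added example; not a tool from the original post or from Trend Micro."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Winlogon Notify packages present on a default Windows XP install.
# Assumption: baseline compiled by hand; extend it for your own environment.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe|sys|ocx)\b", re.I)
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


@dataclass
class Entry:
    section: str            # HijackThis section, e.g. "O20"
    body: str               # everything after "Onn - "
    path: Optional[str]     # last file path on the line, if any
    file_missing: bool      # HijackThis appended "(file missing)"
    findings: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Split one 'Onn - ...' line into section, body and file path."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    paths = PATH_RE.findall(body)
    return Entry(section, body, paths[-1] if paths else None,
                 "(file missing)" in body)


def triage(entry: Entry) -> Entry:
    """Attach review notes. These are triage hints, not verdicts."""
    stem = (entry.path or "").rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    if entry.file_missing:
        entry.findings.append(
            "orphaned loading point: the target file is gone, only the "
            "registry entry remains")
    if entry.section == "O2":
        name = entry.body.split(" - ")[0][len("BHO: "):]
        if GUID_RE.match(name):
            entry.findings.append(
                "BHO registered without a friendly name (CLSID shown instead)")
    elif entry.section == "O10" and entry.body.startswith(
            "Unknown file in Winsock LSP"):
        entry.findings.append(
            "LSP not in HijackThis's known list; identify the vendor before "
            "fixing, because removing a live LSP breaks the Winsock chain")
    elif entry.section == "O20" and stem not in KNOWN_WINLOGON_NOTIFY:
        entry.findings.append(
            "Winlogon Notify DLL outside the XP default set; it is loaded "
            "into winlogon.exe at logon, so in-session deletion fails and it "
            "must be removed before Windows loads it")
    elif entry.section == "O23" and " - Unknown owner - " in entry.body:
        entry.findings.append(
            "service binary carries no publisher information; verify it")
    return entry


def triage_log(text: str) -> List[Entry]:
    """Return only the entries that picked up at least one finding."""
    flagged = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None and triage(entry).findings:
            flagged.append(entry)
    return flagged


# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {f1f6477e-87ff-9979-f404-9a3b051059ef} - {fe950150-b3a9-404f-9799-ff78e7746f1f} - C:\WINDOWS\System32\wxfecbww.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: awtqnkh - C:\WINDOWS\SYSTEM32\awtqnkh.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
"""

if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(e.section, e.path)
        for note in e.findings:
            print("   -", note)
```

Run against the sample, the Adobe BHO, the iTunes Run entry and the AntiVir service pass clean, while the orphaned BHO, the unrecognised LSP, the awtqnkh Winlogon Notify entry and the missing x10nets service each pick up a note. The name-based O20 rule is deliberately an allowlist rather than a randomness heuristic: third-party notify packages (graphics drivers, WGA) will show up and need a human to clear them, which is exactly the review step the helper in this thread performed by hand.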

#13 nyarlathotep13 (Topic Starter, Members, 38 posts)

Posted 04 November 2007 - 06:55 PM

Wow. F-Secure really did take some time.
A significant portion of what either one of these found was quarantined from the one other time my computer was infected with anything, which shows up in the qoofix, killbox, and avenger folders in the logs. F-Secure didn't offer 'disinfect' as an option for these, but they aren't exactly doing much in their current state anyways.
Looking over the F-Secure log, some things were renamed or just not disinfected; I chose 'disinfect' for every virus where that was listed as an option.


My computer is running much better now. Anything that's left on it now could have been there for months as far as I know, because it's running as well as it ever has. Thank you very much.


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/05/2007 at 03:09 PM

Application Version : 3.9.1008

Core Rules Database Version : 3337
Trace Rules Database Version: 1338

Scan type : Complete Scan
Total Scan Time : 00:37:31

Memory items scanned : 459
Memory threats detected : 0
Registry items scanned : 6252
Registry threats detected : 89
File items scanned : 37080
File threats detected : 31

Adware.Avenue Media/Internet Optimizer
HKLM\Software\Classes\CLSID\{00000010-6F7D-442C-93E3-4A4827C2E4C8}
HKCR\CLSID\{00000010-6F7D-442C-93E3-4A4827C2E4C8}
HKCR\CLSID\{00000010-6F7D-442C-93E3-4A4827C2E4C8}
HKCR\CLSID\{00000010-6F7D-442C-93E3-4A4827C2E4C8}\InprocServer32
HKCR\CLSID\{00000010-6F7D-442C-93E3-4A4827C2E4C8}\InprocServer32#ThreadingModel
HKCR\CLSID\{00000010-6F7D-442C-93E3-4A4827C2E4C8}\ProgID
HKCR\CLSID\{00000010-6F7D-442C-93E3-4A4827C2E4C8}\Programmable
HKCR\CLSID\{00000010-6F7D-442C-93E3-4A4827C2E4C8}\TypeLib
HKCR\CLSID\{00000010-6F7D-442C-93E3-4A4827C2E4C8}\VersionIndependentProgID
C:\WINDOWS\NEM220.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@enhance[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@bestsellerantivirus[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@atwola[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@hotbar[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@goclick[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adinterax[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@sexbuddies[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.admedia365[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@divx.adbureau[2].txt
C:\Documents and Settings\kyle.TOOTS-HK2EZWRRQ\Cookies\kyle@msnportal.112.2o7[1].txt
C:\Documents and Settings\LocalService\Cookies\system@belnk[1].txt
C:\Documents and Settings\LocalService\Cookies\system@dist.belnk[2].txt

Registry Cleaner Trial
C:\Documents and Settings\Administrator\Application Data\Registry Cleaner\Backups\2005-09-05,08-05 09 218.zip
C:\Documents and Settings\Administrator\Application Data\Registry Cleaner\Backups
C:\Documents and Settings\Administrator\Application Data\Registry Cleaner

Adware.MediaMotor
HKCR\mm06ocx.mm06ocxf
HKCR\mm06ocx.mm06ocxf\Clsid
HKCR\CLSID\{5526B4C6-63D6-41A1-9783-0FABF529859A}
HKCR\CLSID\{5526B4C6-63D6-41A1-9783-0FABF529859A}\Control
HKCR\CLSID\{5526B4C6-63D6-41A1-9783-0FABF529859A}\Implemented Categories
HKCR\CLSID\{5526B4C6-63D6-41A1-9783-0FABF529859A}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}
HKCR\CLSID\{5526B4C6-63D6-41A1-9783-0FABF529859A}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}
HKCR\CLSID\{5526B4C6-63D6-41A1-9783-0FABF529859A}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}
HKCR\CLSID\{5526B4C6-63D6-41A1-9783-0FABF529859A}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}
HKCR\CLSID\{5526B4C6-63D6-41A1-9783-0FABF529859A}\InprocServer32
HKCR\CLSID\{5526B4C6-63D6-41A1-9783-0FABF529859A}\InprocServer32#ThreadingModel
HKCR\CLSID\{5526B4C6-63D6-41A1-9783-0FABF529859A}\MiscStatus
HKCR\CLSID\{5526B4C6-63D6-41A1-9783-0FABF529859A}\MiscStatus\1
HKCR\CLSID\{5526B4C6-63D6-41A1-9783-0FABF529859A}\ProgID
HKCR\CLSID\{5526B4C6-63D6-41A1-9783-0FABF529859A}\ToolboxBitmap32
HKCR\CLSID\{5526B4C6-63D6-41A1-9783-0FABF529859A}\TypeLib
HKCR\CLSID\{5526B4C6-63D6-41A1-9783-0FABF529859A}\VERSION
HKCR\TypeLib\{D13DECBB-52F8-4BF4-BA6C-B0CC603963C9}
HKCR\TypeLib\{D13DECBB-52F8-4BF4-BA6C-B0CC603963C9}\2.1
HKCR\TypeLib\{D13DECBB-52F8-4BF4-BA6C-B0CC603963C9}\2.1\0
HKCR\TypeLib\{D13DECBB-52F8-4BF4-BA6C-B0CC603963C9}\2.1\0\win32
HKCR\TypeLib\{D13DECBB-52F8-4BF4-BA6C-B0CC603963C9}\2.1\FLAGS
HKCR\TypeLib\{D13DECBB-52F8-4BF4-BA6C-B0CC603963C9}\2.1\HELPDIR
HKCR\Interface\{41E1565D-B7A8-4251-BD79-E6C5FACB2B5F}
HKCR\Interface\{41E1565D-B7A8-4251-BD79-E6C5FACB2B5F}\Forward
HKCR\Interface\{41E1565D-B7A8-4251-BD79-E6C5FACB2B5F}\ProxyStubClsid
HKCR\Interface\{41E1565D-B7A8-4251-BD79-E6C5FACB2B5F}\ProxyStubClsid32
HKCR\Interface\{DB312456-E762-4369-844A-AED9006B1B2F}
HKCR\Interface\{DB312456-E762-4369-844A-AED9006B1B2F}\Forward
HKCR\Interface\{DB312456-E762-4369-844A-AED9006B1B2F}\ProxyStubClsid
HKCR\Interface\{DB312456-E762-4369-844A-AED9006B1B2F}\ProxyStubClsid32

Adware.BitLocker
HKCR\ONONE.Theimp
HKCR\ONONE.Theimp\CLSID
HKCR\ONONE.Theimp\CurVer
HKCR\ONONE.Theimp.1
HKCR\ONONE.Theimp.1\CLSID

Adware.Zango Toolbar/Hb
HKCR\CLSID\{8109FD3D-D891-4F80-8339-50A4913ACE6F}
HKCR\CLSID\{8109FD3D-D891-4F80-8339-50A4913ACE6F}\InprocServer32
HKCR\CLSID\{8109FD3D-D891-4F80-8339-50A4913ACE6F}\InprocServer32#ThreadingModel
HKCR\CLSID\{8109FD3D-D891-4F80-8339-50A4913ACE6F}\ProgID
HKCR\CLSID\{8109FD3D-D891-4F80-8339-50A4913ACE6F}\Programmable
HKCR\CLSID\{8109FD3D-D891-4F80-8339-50A4913ACE6F}\TypeLib
HKCR\CLSID\{8109FD3D-D891-4F80-8339-50A4913ACE6F}\VersionIndependentProgID
HKCR\TypeLib\{5937CD7F-1C0B-41E1-9075-60EBDF3C7D34}
HKCR\TypeLib\{5937CD7F-1C0B-41E1-9075-60EBDF3C7D34}\1.0
HKCR\TypeLib\{5937CD7F-1C0B-41E1-9075-60EBDF3C7D34}\1.0\0
HKCR\TypeLib\{5937CD7F-1C0B-41E1-9075-60EBDF3C7D34}\1.0\0\win32
HKCR\TypeLib\{5937CD7F-1C0B-41E1-9075-60EBDF3C7D34}\1.0\FLAGS
HKCR\TypeLib\{5937CD7F-1C0B-41E1-9075-60EBDF3C7D34}\1.0\HELPDIR
HKCR\Interface\{85E06077-C824-43D0-A8DC-5EFB17BC348A}
HKCR\Interface\{85E06077-C824-43D0-A8DC-5EFB17BC348A}\ProxyStubClsid
HKCR\Interface\{85E06077-C824-43D0-A8DC-5EFB17BC348A}\ProxyStubClsid32
HKCR\Interface\{85E06077-C824-43D0-A8DC-5EFB17BC348A}\TypeLib
HKCR\Interface\{85E06077-C824-43D0-A8DC-5EFB17BC348A}\TypeLib#Version

Adware.VSToolbar
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{821F87FF-8245-4972-9E28-732E92EC2F51}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{821F87FF-8245-4972-9E28-732E92EC2F51}#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{821F87FF-8245-4972-9E28-732E92EC2F51}#UninstallString

Adware.eZula/BannerRotator
HKCR\Interface\{BA2A20E0-2476-43BB-BCC8-BFEE2419B293}
HKCR\Interface\{BA2A20E0-2476-43BB-BCC8-BFEE2419B293}\ProxyStubClsid
HKCR\Interface\{BA2A20E0-2476-43BB-BCC8-BFEE2419B293}\ProxyStubClsid32
HKCR\Interface\{BA2A20E0-2476-43BB-BCC8-BFEE2419B293}\TypeLib
HKCR\Interface\{BA2A20E0-2476-43BB-BCC8-BFEE2419B293}\TypeLib#Version
HKCR\Interface\{D0C1545E-61E1-40D5-8F8C-37D4E7758275}
HKCR\Interface\{D0C1545E-61E1-40D5-8F8C-37D4E7758275}\ProxyStubClsid
HKCR\Interface\{D0C1545E-61E1-40D5-8F8C-37D4E7758275}\ProxyStubClsid32
HKCR\Interface\{D0C1545E-61E1-40D5-8F8C-37D4E7758275}\TypeLib
HKCR\Interface\{D0C1545E-61E1-40D5-8F8C-37D4E7758275}\TypeLib#Version

Adware.AdRotate/System
HKCR\CLSID\{2CAB0356-88E3-4902-A85D-379689C625E1}
HKCR\CLSID\{2CAB0356-88E3-4902-A85D-379689C625E1}\InprocServer32
HKCR\CLSID\{2CAB0356-88E3-4902-A85D-379689C625E1}\InprocServer32#ThreadingModel
HKCR\CLSID\{2CAB0356-88E3-4902-A85D-379689C625E1}\ProgID
HKCR\CLSID\{2CAB0356-88E3-4902-A85D-379689C625E1}\Programmable
HKCR\CLSID\{2CAB0356-88E3-4902-A85D-379689C625E1}\TypeLib
HKCR\CLSID\{2CAB0356-88E3-4902-A85D-379689C625E1}\VersionIndependentProgID
HKCR\TypeLib\{FDB10602-AA12-4E76-AAE2-2B328A3E950A}
HKCR\TypeLib\{FDB10602-AA12-4E76-AAE2-2B328A3E950A}\1.0
HKCR\TypeLib\{FDB10602-AA12-4E76-AAE2-2B328A3E950A}\1.0\0
HKCR\TypeLib\{FDB10602-AA12-4E76-AAE2-2B328A3E950A}\1.0\0\win32
HKCR\TypeLib\{FDB10602-AA12-4E76-AAE2-2B328A3E950A}\1.0\FLAGS
HKCR\TypeLib\{FDB10602-AA12-4E76-AAE2-2B328A3E950A}\1.0\HELPDIR

Trojan.Downloader-DoWork
C:\!KILLBOX\BFMNMAOE.DLL
C:\!KILLBOX\KMMHEBLY.DLL

Adware.eZula
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\ASUVMQQT.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\LRATEEOI.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2B86A5BF-E773-40A6-BB7F-DAE43B1465CA}\RP2\A0000039.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2B86A5BF-E773-40A6-BB7F-DAE43B1465CA}\RP4\A0000118.EXE

Adware.Vundo Variant
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\AWTQNKH.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2B86A5BF-E773-40A6-BB7F-DAE43B1465CA}\RP5\A0004346.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2B86A5BF-E773-40A6-BB7F-DAE43B1465CA}\RP5\A0004347.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2B86A5BF-E773-40A6-BB7F-DAE43B1465CA}\RP5\A0005370.DLL
C:\VUNDOFIX BACKUPS\AWTQNKH.DLL.BAD
C:\VUNDOFIX BACKUPS\JKKIIGH.DLL.BAD
C:\VUNDOFIX BACKUPS\WVUUSRR.DLL.BAD
C:\_OTMOVEIT\MOVEDFILES\WINDOWS\SYSTEM32\XXYWWWX.DLL
C:\_OTMOVEIT\MOVEDFILES\WINDOWS\SYSTEM32\YAYYWXW.DLL



__________________________________________________________________________________


F-Secure:
Scanning Report
Monday, November 05, 2007 15:24:48 - 18:41:53

Computer name: TOOTS-HK2EZWRRQ
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ F:\
Result: 19 malware found
Adware.AdMedia (spyware)

* System (Disinfected)

Backdoor.Win32.SdBot.xd (virus)

* C:\_OTMoveIt\MovedFiles\WINDOWS\wlmsngr.exe (Renamed & Submitted)

Backdoor.Win32.VB.bps (virus)

* C:\_OTMoveIt\MovedFiles\wr2.exe (Renamed & Submitted)

Keylog.CJS (virus)

* C:\Program Files\FlexibleSoft\Absolute Time Corrector\atc-setup.exe (Submitted)

Tracking Cookie (spyware)

* System (Disinfected)
* System

Trojan-Downloader.BAT.Ftp.ab (virus)

* C:\WINDOWS\system32\i (Renamed & Submitted)

Trojan-Downloader.Win32.ConHook.ao (virus)

* C:\avenger\backup-Tue 11.28.2006-19.03.46.95.zip\avenger\iuen71u.dll

Trojan-Downloader.Win32.Qoologic.ax (virus)

* C:\avenger\backup-Thu 10.26.2006-18.24.39.12.zip\avenger\wawcrw.exe
* C:\avenger\backup-Wed 11.29.2006-23.35.07.85.zip\avenger\epenpea.dll
* C:\avenger\backup-Wed 11.29.2006-23.35.07.85.zip\avenger\fmfwr.dll
* C:\avenger\backup-Wed 11.29.2006-23.35.07.85.zip\avenger\fvfddfc.exe

Trojan.Win32.VB.tg (virus)

* C:\avenger\backup-Tue 11.28.2006-19.03.46.95.zip\avenger\uninst108.exe
* C:\avenger\backup-Tue 11.28.2006-19.03.46.95.zip\avenger\uni_e6h.exe

Vundo.gen41 (virus)

* C:\QooBox\Quarantine\catchme2007-11-04_190318.93.zip\vtutr.dll
* C:\QooBox\Quarantine\catchme2007-11-05_130459.46.zip\mlljh.dll
* C:\QooBox\Quarantine\C\WINDOWS\system32\mljji.dll.vir (Submitted)

W32/Smalltroj.BMAA (virus)

* C:\RECYCLER\S-1-5-21-1801674531-1547161642-839522115-501\Dc37\Gunz\XPatch.exe (Submitted)
* C:\RECYCLER\S-1-5-21-1801674531-1547161642-839522115-501\Dc35\XPatch.exe (Submitted)

Statistics
Scanned:

* Files: 296837
* System: 4984
* Not scanned: 103

Actions:

* Disinfected: 2
* Renamed: 3
* Deleted: 0
* None: 14
* Submitted: 7

Files not scanned:

* x'/TUSER.DAT C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
* C:\DOCUMENTS AND SETTINGS\KYLE.TOOTS-HK2EZWRRQ\NTUSER.DAT
* C:\DOCUMENTS AND SETTINGS\KYLE.TOOTS-HK2EZWRRQ\TEMPLATES\EXCEL.XLS
* C:\DOCUMENTS AND SETTINGS\KYLE.TOOTS-HK2EZWRRQ\MY DOCUMENTS\MY MUSIC\ITUNES\ITUNES LIBRARY.ITL
* C:\DOCUMENTS AND SETTINGS\KYLE.TOOTS-HK2EZWRRQ\MY DOCUMENTS\MY MUSIC\ITUNES\ITUNES MUSIC\MARC SEALES, COMPOSER. NEW STORIES. ERNI\SPEAKIN' OUT\01 _HIGHWAY BLUES_.M4A
* C:\DOCUMENTS AND SETTINGS\KYLE.TOOTS-HK2EZWRRQ\MY DOCUMENTS\MY MUSIC\ITUNES\ITUNES MUSIC\LUDWIG VAN BEETHOVEN, COMPOSER. SEATTLE\BEETHOVEN'S SYMPHONY NO. 9 (SCHERZO)\01 SYMPHONY NO. 9 (SCHERZO).M4A
* C:\DOCUMENTS AND SETTINGS\KYLE.TOOTS-HK2EZWRRQ\MY DOCUMENTS\MY MUSIC\ITUNES\ITUNES MUSIC\DAVID BYRNE\LOOK INTO THE EYEBALL\01 LIKE HUMANS DO (RADIO EDIT).M4A
* C:\DOCUMENTS AND SETTINGS\KYLE.TOOTS-HK2EZWRRQ\LOCAL SETTINGS\TEMP\JUSCHED.LOG
* C:\DOCUMENTS AND SETTINGS\KYLE.TOOTS-HK2EZWRRQ\LOCAL SETTINGS\HISTORY\HISTORY.IE5\INDEX.DAT
* C:\DOCUMENTS AND SETTINGS\KYLE.TOOTS-HK2EZWRRQ\LOCAL SETTINGS\APPLICATION DATA\FUSIONCACHE.DAT
* C:\DOCUMENTS AND SETTINGS\KYLE.TOOTS-HK2EZWRRQ\LOCAL SETTINGS\APPLICATION DATA\MUSICMATCH\JUKEBOX\MMJBALTLOG.TXT
* C:\DOCUMENTS AND SETTINGS\KYLE.TOOTS-HK2EZWRRQ\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
* C:\DOCUMENTS AND SETTINGS\KYLE.TOOTS-HK2EZWRRQ\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\INTERNET EXPLORER\MSIMGSIZ.DAT
* C:\DOCUMENTS AND SETTINGS\KYLE.TOOTS-HK2EZWRRQ\LOCAL SETTINGS\APPLICATION DATA\HP\DIGITAL IMAGING\HANDLE.DAT
* C:\DOCUMENTS AND SETTINGS\KYLE.TOOTS-HK2EZWRRQ\LOCAL SETTINGS\APPLICATION DATA\HP\DIGITAL IMAGING\DB\ADMINISTRATIVEINFO.DBF
* C:\DOCUMENTS AND SETTINGS\KYLE.TOOTS-HK2EZWRRQ\LOCAL SETTINGS\APPLICATION DATA\APPLE COMPUTER\ITUNES\ITUNES.PREF
* C:\DOCUMENTS AND SETTINGS\KYLE.TOOTS-HK2EZWRRQ\FAVORITES\MSN.COM.URL
* C:\DOCUMENTS AND SETTINGS\KYLE.TOOTS-HK2EZWRRQ\FAVORITES\LINKS\CUSTOMIZE LINKS.URL
* C:\DOCUMENTS AND SETTINGS\KYLE.TOOTS-HK2EZWRRQ\DESKTOP\YAHOO! MAIL .URL
* C:\DOCUMENTS AND SETTINGS\KYLE.TOOTS-HK2EZWRRQ\COOKIES\INDEX.DAT
* C:\DOCUMENTS AND SETTINGS\KYLE.TOOTS-HK2EZWRRQ\APPLICATION DATA\MICROSOFT\PROTECT\CREDHIST
* C:\DOCUMENTS AND SETTINGS\KYLE.TOOTS-HK2EZWRRQ\APPLICATION DATA\MICROSOFT\INTERNET EXPLORER\BRNDLOG.BAK
* C:\DOCUMENTS AND SETTINGS\KYLE.TOOTS-HK2EZWRRQ\APPLICATION DATA\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\SHOW DESKTOP.SCF
* C:\DOCUMENTS AND SETTINGS\KYLE.TOOTS-HK2EZWRRQ\APPLICATION DATA\MICROSOFT\CLR SECURITY CONFIG\V1.1.4322\SECURITY.CONFIG
* C:\DOCUMENTS AND SETTINGS\KYLE.TOOTS-HK2EZWRRQ\APPLICATION DATA\APPLE COMPUTER\ITUNES\ITUNES.PREF
* C:\Documents and Settings\Guest\My Documents\LD\New Folder\lierox-v062b.zip\LieroX-v0.62b/config/botnames.txt
* C:\Documents and Settings\Guest\My Documents\LD\New Folder\lierox-v062b.zip\LieroX-v0.62b/config/lxnet.cfg
* C:\Documents and Settings\Guest\M �z



__________________________________________________________________________________________


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:52:06 PM, on 11/5/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\iSnooze\iSnooze.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\FlexibleSoft\Absolute Time Corrector\atcorrector.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\MDM.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk32.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fssm32.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [iSnooze] C:\Program Files\iSnooze\iSnooze.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://www.google.com/diskless/bin/tgctlcm.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n019p/EN/install/gtdownlr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161899755250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1161899745796
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: Absolute Time Corrector Service (atccorrector) - FlexibleSoft Co. - C:\Program Files\FlexibleSoft\Absolute Time Corrector\atcorrector.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 7822 bytes

Edited by nyarlathotep13, 04 November 2007 - 06:59 PM.
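A small triage pass over a log in the HijackThis O-line format shown above, as an added example that is not part of the thread or of HijackThis itself; the sample lines are constructed from entry shapes seen in this log, and the flag rules are review heuristics chosen here (orphaned entries, services with no publisher, unrecognised LSP modules, autostarts from temp directories), not HijackThis's own verdicts:

```python
import re
from collections import Counter

# Constructed sample in HijackThis v2.0.2 format, modelled on entries in the log above.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [iSnooze] C:\Program Files\iSnooze\iSnooze.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
"""

# Every HijackThis finding is "O<n> - <body>"; everything else (header, process list) is skipped.
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")


def parse_entries(text):
    """Return a list of (section, body) tuples for each O-line in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def flag_entry(section, body):
    """Return the reasons (possibly none) this entry deserves a second look."""
    reasons = []
    low = body.lower()
    if "(file missing)" in low:
        reasons.append("target file missing (orphaned autostart or service)")
    if section == "O23" and "unknown owner" in low:
        reasons.append("service binary carries no publisher information")
    if section == "O10":
        reasons.append("Winsock LSP module not in the known-good list")
    if re.search(r"\\temp\\", low):
        reasons.append("autostart launched from a temp directory")
    return reasons


def triage(text):
    """Summarise a log: per-section entry counts plus the flagged entries with reasons."""
    entries = parse_entries(text)
    counts = Counter(section for section, _ in entries)
    flagged = []
    for section, body in entries:
        reasons = flag_entry(section, body)
        if reasons:
            flagged.append((section, body, reasons))
    return counts, flagged


if __name__ == "__main__":
    counts, flagged = triage(SAMPLE_LOG)
    print(dict(counts))
    for section, body, reasons in flagged:
        print(section, body, "->", "; ".join(reasons))
```

Flagged entries are candidates for manual review, not verdicts: in the log above both "Unknown owner" services are ordinary ATI components.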


#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:09:03 AM

Posted 05 November 2007 - 06:23 AM

Your log is clean :thumbsup:
If all's ok, please do the following:

Click on Start/Run, copy and paste ComboFix /u into the 'Open:' space, then press Ok.


Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Click on the 'Cleanup' button.
When you do this a text file named cleanup.txt will be downloaded from the internet.
If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so.
When the 'Confirm' box appears click 'Yes'.
Restart your pc when prompted.

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

You should take the time to read and follow the information found in the links below, to help you prevent any possible future infections and stay safe and secure while online:

Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

How to prevent Malware:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

So how did I get infected in the first place:
http://forums.spybot.info/showthread.php?t=279

Malware Cleanup Programs and Preventative Procedures:
http://russelltexas.com/malware/allclear.htm

#15 nyarlathotep13

nyarlathotep13
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:03:03 AM

Posted 05 November 2007 - 08:31 PM

okay. wow. thanks a lot richie. I think it's absolutely amazing how fast you just fixed my computer. thank you so much.



