Infected With Adware.ezula (maybe More)

11 replies to this topic

#1 sammielea

Posted 10 November 2007 - 02:45 PM

Hi guys... I'm having tons of trouble trying to clean up a friend's PC here...

XP Pro / Symantec AntiVirus / Windows Firewall...

Symantec keeps picking up this infection: "C:\Documents and Settings\Celeste Olson\Local Settings\Temporary Internet Files\Content.IE5\4IZP0MIJ\"
The named threat is "Adware.Ezula". I've gone in manually in normal and safe mode to try to delete the files... in the Content.IE5 folder there are about 4 folders... I delete them, they reappear...

Symantec also picks up a few other ones but "seems" to be able to delete / quarantine them: "Downloader.MisleadApp".

In the task bar I have a yellow triangle that keeps popping up with (what I assume are bogus) threats and asks me to get a variety of antivirus software... the IE browser has windows open with the following URL, with various websites for me to visit and fix my problems!!
http://www.savetheinformation.com/
I have run Symantec / Ad-Aware / Spybot / Stinger, and below is my HijackThis log file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:28:29 PM, on 11/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Celeste Olson\Desktop\stinger.exe
C:\Documents and Settings\Celeste Olson\My Documents\hijackthis\HiJackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\rutjuibx.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [60176dba] rundll32.exe "C:\WINDOWS\system32\tjfdwpvo.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://install.augie.edu/sav10/webinst/webinst.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 4762 bytes


Appreciate any help / pointers you may be able to give.
...it's driving me nuts!! :thumbsup:

Below is a list to date of files found and actioned by Symantec... might help you figure out the prob...

Risk	File	Location	Action	Date
Adware.Ezula	pochki20071106[1]	C:\Documents and Settings\Celeste Olson\Local Settings\Temporary Internet Files\Content.IE5\OWTS0ALK\	Left alone	11/10/2007 12:53
Adware.Ezula	uloidvco.exe	c:\windows\system32\	Infected	11/10/2007 12:24
Trojan Horse	A0040850.dll	C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP249\	Infected	11/9/2007 19:44
Trojan Horse	gyhqkyoa.dll	C:\WINDOWS\system32\	Infected	11/9/2007 19:22
Trojan Horse	A0033592.dll	C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP236\	Infected	11/9/2007 19:15
AVSystemCare	Unavailable	Unavailable	Infected	11/10/2007 12:20
Adware.Ezula	tyclnpnv.exe	c:\windows\system32\	Infected	11/10/2007 10:58
Trojan Horse	ihgmgnin.exe	C:\WINDOWS\system32\	Infected	11/9/2007 19:49
Adware.Ezula	ggribmoy.exe	c:\windows\system32\	Infected	11/9/2007 18:55
Adware.Ezula	dujbejke.exe	c:\windows\system32\	Infected	11/10/2007 10:14


Thanks in advance

Edited by sammielea, 10 November 2007 - 02:47 PM.
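A way to triage the load-point lines of a HijackThis log like the one in the post above, as an added example; it is not part of the original post and not HijackThis's own code. The heuristics are this example's own assumptions, chosen to match what is visible in that log: a browser toolbar or BHO (O2/O3) whose DLL lives in system32 rather than under Program Files, an 8-letter all-lowercase module name (rutjuibx.dll, tjfdwpvo.dll), a hex-looking Run value name (60176dba), and a Run entry that uses rundll32 to load such a DLL. The KNOWN_GOOD allowlist is an assumption as well. The sample lines are a constructed subset copied from the posted log.

```python
"""Triage HijackThis O2/O3/O4 lines for the load-point pattern seen in this thread.

Added example for the thread, not HijackThis code. The heuristics below (8-letter
lowercase module name in system32, hex-looking Run value name, rundll32 loading
such a DLL) are this example's own assumptions, picked to match the posted log.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the O3/O4 lines from the posted HijackThis log.
SAMPLE_LOG = r"""
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\rutjuibx.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [60176dba] rundll32.exe "C:\WINDOWS\system32\tjfdwpvo.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# O2 (BHO) and O3 (Toolbar) share the layout "<kind>: <title> - {CLSID} - <path>"
EXT_RE = re.compile(r"^(?:BHO|Toolbar): (?P<title>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
# O4: "HKLM\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<path>[^",]+)"?\s*,\s*(?P<export>\S+)', re.I)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{6,}$", re.I)
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(?:dll|exe)$")

# Legitimate 8-letter system32 modules the crude name test would otherwise hit (assumed list).
KNOWN_GOOD = {"winlogon.exe", "explorer.exe", "services.exe"}


@dataclass
class Finding:
    section: str
    reasons: list
    line: str


def basename(path):
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1]


def in_system32(path):
    return "\\system32\\" in path.lower()


def looks_random(path):
    """Crude heuristic: exactly 8 lowercase letters plus .dll/.exe, and not allowlisted."""
    name = basename(path).lower()
    return bool(RANDOM_NAME_RE.match(name)) and name not in KNOWN_GOOD


def triage(log_text):
    """Return a Finding for every O2/O3/O4 line that trips at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, rest = m.groups()
        reasons = []
        if section in ("O2", "O3"):
            e = EXT_RE.match(rest)
            if e:
                if in_system32(e["path"]):
                    reasons.append("browser extension loaded from system32")
                if looks_random(e["path"]):
                    reasons.append("random-looking module name")
        elif section == "O4":
            r = RUN_RE.match(rest)
            if r:
                if HEX_NAME_RE.match(r["name"]):
                    reasons.append("hex-looking Run value name")
                d = RUNDLL_RE.match(r["cmd"])
                if d and in_system32(d["path"]) and looks_random(d["path"]):
                    reasons.append("rundll32 loads random-looking DLL from system32")
        if reasons:
            findings.append(Finding(section, reasons, raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.section, "|", "; ".join(f.reasons), "|", f.line)
```

On the sample it flags exactly the two entries a helper would ask about first: the "Security Toolbar" O3 line and the 60176dba O4 line. Everything else (the Google toolbar under Program Files, vptray, avgas.exe, ctfmon.exe) passes. The name test is deliberately crude; the location and loader checks carry most of the weight, which is why the rundll32 rule requires both system32 and a random-looking name.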


#2 sammielea (Topic Starter)

Posted 10 November 2007 - 04:33 PM

Hi guys... after doing some reading through threads, I noticed I have the Security Toolbar 7.1 also... so I followed the following instructions from this thread here to try to get a head start...

http://www.bleepingcomputer.com/forums/ind...st&p=651309

Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.


If you have previously downloaded ComboFix, please delete that version now.
Now download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.
Do NOT post the ComboFix-quarantined-files.txt unless I ask.



Here's the SDFix Report.txt

SDFix: Version 1.114
Run by Celeste Olson on Sat 11/10/2007 at 02:34 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\VTSQN.DLL - Deleted

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

                                 Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-10 14:45:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000023
"TracesSuccessful"=dword:0000001d

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\WINDOWS\\system32\\hqccfxnv.exe"="C:\\WINDOWS\\system32\\hqc"
"C:\\Program Files\\Ahead\\SIPPS\\SIPPS.exe"="C:\\Program Files\\Ahead\\SIPPS\\SIPPS.exe:*:Disabled:SIPPS"
"C:\\WINDOWS\\system32\\ggribmoy.exe"="C:\\WINDOWS\\system32\\ggr"
"C:\\WINDOWS\\system32\\dujbejke.exe"="C:\\WINDOWS\\system32\\duj"
"C:\\WINDOWS\\system32\\tyclnpnv.exe"="C:\\WINDOWS\\system32\\tyc"
"C:\\WINDOWS\\system32\\uloidvco.exe"="C:\\WINDOWS\\system32\\ulo"
"C:\\WINDOWS\\system32\\ouvpmrtt.exe"="C:\\WINDOWS\\system32\\ouv"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Wed  5 Jul 2006            88 A.SHR --- "C:\i386\221D950AB6.sys"
Tue  1 Aug 2006         2,828 A.SH. --- "C:\i386\KGyGaAvL.sys"
Tue 27 Mar 2007     5,355,320 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Thu  8 Nov 2007            88 ..SHR --- "C:\WINDOWS\system32\221D950AB6.sys"
Tue 16 Oct 2007        20,640 ..SH. --- "C:\WINDOWS\system32\anyiwbpl.dllbox"
Thu 11 Oct 2007            56 ..SHR --- "C:\WINDOWS\system32\B60A951D22.sys"
Fri 12 Oct 2007         6,789 ..SH. --- "C:\WINDOWS\system32\bbeeg.tmp"
Fri 12 Oct 2007         6,465 ..SH. --- "C:\WINDOWS\system32\bbeeg.bak1"
Sun 14 Oct 2007       693,712 ..SH. --- "C:\WINDOWS\system32\byepqjta.tmp"
Tue 16 Oct 2007        20,640 ..SH. --- "C:\WINDOWS\system32\ceugjgkv.dllbox"
Tue 16 Oct 2007       693,799 ..SH. --- "C:\WINDOWS\system32\ckvuoadc.tmp"
Tue 16 Oct 2007       693,781 ..SH. --- "C:\WINDOWS\system32\ckvuoadc.tmp2"
Sat 13 Oct 2007        20,506 ..SH. --- "C:\WINDOWS\system32\ctdzneck.dllbox"
Tue 16 Oct 2007        20,640 ..SH. --- "C:\WINDOWS\system32\evosjltb.dllbox"
Sat 13 Oct 2007        16,872 ..SH. --- "C:\WINDOWS\system32\gyhqkyoa.dllbox"
Tue 16 Oct 2007        20,640 ..SH. --- "C:\WINDOWS\system32\ielwznnk.dllbox"
Thu  8 Nov 2007         6,580 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Fri 12 Oct 2007         6,682 ..SH. --- "C:\WINDOWS\system32\lnnmp.tmp"
Sun 14 Oct 2007       524,095 ..SH. --- "C:\WINDOWS\system32\lnnmp.bak1"
Sat 10 Nov 2007       443,871 ..SH. --- "C:\WINDOWS\system32\lnnmp.bak2"
Tue 16 Oct 2007        20,640 ..SH. --- "C:\WINDOWS\system32\mywfcovu.dllbox"
Sun 14 Oct 2007        20,506 ..SH. --- "C:\WINDOWS\system32\oibuzagi.dllbox"
Wed 17 Oct 2007        20,640 ..SH. --- "C:\WINDOWS\system32\pcmssnen.dllbox"
Sat 10 Nov 2007        20,640 ..SH. --- "C:\WINDOWS\system32\rutjuibx.dllbox"
Fri  9 Nov 2007        20,640 ..SH. --- "C:\WINDOWS\system32\xjskeltm.dllbox"
Tue 16 Oct 2007        20,640 ..SH. --- "C:\WINDOWS\system32\zgnxqhel.dllbox"
Wed  5 Sep 2007             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sat 10 Nov 2007         4,286 A..H. --- "C:\Documents and Settings\Celeste Olson\Local Settings\Temp\ico1.tmp"
Sat 10 Nov 2007         4,286 A..H. --- "C:\Documents and Settings\Celeste Olson\Local Settings\Temp\ico2.tmp"
Sat 10 Nov 2007         4,286 A..H. --- "C:\Documents and Settings\Celeste Olson\Local Settings\Temp\ico3.tmp"
Sat 10 Nov 2007         4,286 A..H. --- "C:\Documents and Settings\Celeste Olson\Local Settings\Temp\ico4.tmp"
Sat 10 Nov 2007         4,286 A..H. --- "C:\Documents and Settings\Celeste Olson\Local Settings\Temp\ico5.tmp"
Tue 30 Oct 2007        36,352 ...H. --- "C:\Documents and Settings\Celeste Olson\My Documents\Comp II\~WRL1462.tmp"
Tue  6 Nov 2007        36,864 ...H. --- "C:\Documents and Settings\Celeste Olson\My Documents\Comp II\~WRL2587.tmp"
Sun 28 Oct 2007        28,672 ...H. --- "C:\Documents and Settings\Celeste Olson\My Documents\Comp II\~WRL2802.tmp"
Wed 24 Oct 2007        28,672 ...H. --- "C:\Documents and Settings\Celeste Olson\My Documents\Comp II\~WRL2815.tmp"
Mon 29 Oct 2007        30,208 ...H. --- "C:\Documents and Settings\Celeste Olson\My Documents\Comp II\~WRL2863.tmp"
Mon 29 Oct 2007        30,208 ...H. --- "C:\Documents and Settings\Celeste Olson\My Documents\Comp II\~WRL3462.tmp"
Sun  1 Apr 2007        30,720 ...H. --- "C:\Documents and Settings\Celeste Olson\My Documents\Psychology\~WRL0754.tmp"
Sun  1 Apr 2007        29,696 ...H. --- "C:\Documents and Settings\Celeste Olson\My Documents\Psychology\~WRL1330.tmp"
Sat 31 Mar 2007        27,648 ...H. --- "C:\Documents and Settings\Celeste Olson\My Documents\Psychology\~WRL2255.tmp"
Fri 30 Mar 2007        25,088 ...H. --- "C:\Documents and Settings\Celeste Olson\My Documents\Psychology\~WRL3115.tmp"
Thu 11 Jan 2007        25,600 ...H. --- "C:\Documents and Settings\Celeste Olson\My Documents\Women in Business\~WRL4043.tmp"
Mon  9 Apr 2007             8 A..H. --- "C:\Documents and Settings\Celeste Olson\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Mon  9 Apr 2007             8 A..H. --- "C:\Documents and Settings\Celeste Olson\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Mon  9 Apr 2007             8 A..H. --- "C:\Documents and Settings\Celeste Olson\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Sun 15 Apr 2007             8 A..H. --- "C:\Documents and Settings\Celeste Olson\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Tue  4 Sep 2007             8 A..H. --- "C:\Documents and Settings\Celeste Olson\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u5\lock.tmp"

Finished!


Here's the ComboFix report txt

ComboFix 07-11-08.3 - Celeste Olson 2007-11-10 14:59:53.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.533 [GMT -6:00]
Running from: C:\Documents and Settings\Celeste Olson\Desktop\ComboFix.exe
 * Created a new restore point.
	Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Celeste Olson\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Celeste Olson\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Celeste Olson\Favorites\Online Security Guide.lnk
C:\Temp\xOe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\anyiwbpl.dllbox
C:\WINDOWS\system32\bbeeg.bak1
C:\WINDOWS\system32\bbeeg.ini2
C:\WINDOWS\system32\bbeeg.tmp
C:\WINDOWS\system32\ceugjgkv.dllbox
C:\WINDOWS\system32\ctdzneck.dllbox
C:\WINDOWS\system32\evosjltb.dllbox
C:\WINDOWS\system32\gyhqkyoa.dllbox
C:\WINDOWS\system32\ielwznnk.dllbox
C:\WINDOWS\system32\jfkpaxsw.dll
C:\WINDOWS\system32\jhadpnch.dll
C:\WINDOWS\system32\lnnmp.bak1
C:\WINDOWS\system32\lnnmp.bak2
C:\WINDOWS\system32\lnnmp.ini
C:\WINDOWS\system32\lnnmp.ini2
C:\WINDOWS\system32\lnnmp.tmp
C:\WINDOWS\system32\lsqqmlmq.dll
C:\WINDOWS\system32\mywfcovu.dllbox
C:\WINDOWS\system32\oibuzagi.dllbox
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pcmssnen.dllbox
C:\WINDOWS\system32\pmnnl.dll
C:\WINDOWS\system32\pwwkruof.dll
C:\WINDOWS\system32\rliwldsa.dll
C:\WINDOWS\system32\rutjuibx.dllbox
C:\WINDOWS\system32\sfgkgtik.dll
C:\WINDOWS\system32\vMW02a
C:\WINDOWS\system32\xjskeltm.dllbox
C:\WINDOWS\system32\zgnxqhel.dllbox
.

((((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_NPF

(((((((((((((((((((((((((   Files Created from 2007-10-10 to 2007-11-10  )))))))))))))))))))))))))))))))
.
2007-11-10 14:58	81,472	--a------	C:\WINDOWS\system32\gqloapou.dll
2007-11-10 14:56	85,056	--a------	C:\WINDOWS\system32\niktvoaw.dll
2007-11-10 14:55	51,200	--a------	C:\WINDOWS\NirCmd.exe
2007-11-10 14:33	<DIR>	d--------	C:\WINDOWS\ERUNT
2007-11-10 13:11	81,472	--a------	C:\WINDOWS\system32\aksbplyl.dll
2007-11-10 12:55	81,472	--a------	C:\WINDOWS\system32\cmxegwjx.dll
2007-11-10 12:35	81,472	--a------	C:\WINDOWS\system32\xnxicbam.dll
2007-11-10 12:19	81,472	--a------	C:\WINDOWS\system32\ejtdljed.dll
2007-11-10 12:18	81,472	--a------	C:\WINDOWS\system32\yxvffwoo.dll
2007-11-10 12:03	<DIR>	d--------	C:\Program Files\Yahoo!
2007-11-10 12:03	<DIR>	d--------	C:\Program Files\CCleaner
2007-11-10 12:02	664	--a------	C:\WINDOWS\system32\d3d9caps.dat
2007-11-10 11:41	85,056	--a------	C:\WINDOWS\system32\sjhpsmpj.dll
2007-11-10 11:38	81,472	--a------	C:\WINDOWS\system32\bhevsutb.dll
2007-11-10 11:23	85,056	--a------	C:\WINDOWS\system32\wtmekthy.dll
2007-11-10 11:23	81,472	--a------	C:\WINDOWS\system32\jkfxsgfi.dll
2007-11-10 10:58	81,472	--a------	C:\WINDOWS\system32\gonwpanf.dll
2007-11-10 10:12	81,472	--a------	C:\WINDOWS\system32\pjspvvim.dll
2007-11-10 10:10	85,056	--a------	C:\WINDOWS\system32\cobbpwac.dll
2007-11-10 10:04	145,780	--a------	C:\WINDOWS\system32\rutjuibx.dll
2007-11-10 10:03	145,780	--a------	C:\WINDOWS\system32\rcscggog.dll
2007-11-10 09:43	289,144	--a------	C:\WINDOWS\system32\VCCLSID.exe
2007-11-10 09:43	25,600	--a------	C:\WINDOWS\system32\WS2Fix.exe
2007-11-10 09:18	85,056	--a------	C:\WINDOWS\system32\ndppnbrr.dll
2007-11-10 09:18	81,472	--a------	C:\WINDOWS\system32\ionxcvit.dll
2007-11-10 09:15	142,854	--a------	C:\WINDOWS\system32\qeglkudw.dll
2007-11-09 21:38	<DIR>	d--------	C:\Documents and Settings\Celeste Olson\Application Data\Grisoft
2007-11-09 21:38	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-09 21:38	10,872	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-09 21:07	<DIR>	d--------	C:\Documents and Settings\Celeste Olson\.housecall6.6
2007-11-09 20:47	77,888	--a------	C:\WINDOWS\system32\yjtiopqe.dll
2007-11-09 20:42	142,860	--a------	C:\WINDOWS\system32\xablmylh.dll
2007-11-09 18:52	77,888	--a------	C:\WINDOWS\system32\qobkkkjo.dll
2007-10-17 08:44	288,417	--a------	C:\WINDOWS\system32\SrchSTS.exe
2007-10-17 08:44	53,248	--a------	C:\WINDOWS\system32\Process.exe
2007-10-17 08:44	51,200	--a------	C:\WINDOWS\system32\dumphive.exe
2007-10-16 14:57	<DIR>	d--------	C:\Program Files\PestPatrol
2007-10-16 14:57	<DIR>	d--------	C:\Documents and Settings\Celeste Olson\Application Data\Lavasoft
2007-10-16 13:35	340,032	--a------	C:\WINDOWS\system32\opifgaif.dll
2007-10-16 13:32	340,032	--a------	C:\WINDOWS\system32\ongcmrua.dll
2007-10-16 13:28	340,032	--a------	C:\WINDOWS\system32\wwxfgfqt.dll
2007-10-16 13:14	1,520	--a------	C:\WINDOWS\system32\tmp.reg
2007-10-12 15:38	24,064	--a------	C:\WINDOWS\system32\msxml3a.dll
2007-10-12 11:54	<DIR>	d--------	C:\Temp
2007-10-10 10:53	584,192	---------	C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-10 10:53	63,488	---------	C:\WINDOWS\system32\dllcache\icardie.dll
.

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-10 21:12	---------	d-----w	C:\Program Files\Symantec AntiVirus
2007-11-10 18:05	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-10 15:35	---------	d-----w	C:\Documents and Settings\Celeste Olson\Application Data\AdobeUM
2007-11-10 15:31	---------	d-----w	C:\Program Files\Windows Live Toolbar
2007-11-09 05:26	6,580	--sha-w	C:\WINDOWS\system32\KGyGaAvL.sys
2007-10-16 20:59	---------	d-----w	C:\Program Files\Common Files\InstallShield
2007-10-16 19:10	---------	d---a-w	C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-09 03:58	---------	d-----w	C:\Documents and Settings\Celeste Olson\Application Data\HP
2007-10-09 03:48	---------	d-----w	C:\Documents and Settings\All Users\Application Data\WEBREG
2007-10-09 03:47	---------	d-----w	C:\Program Files\Common Files\HP
2007-10-09 03:46	---------	d-----w	C:\Program Files\HP
2007-10-09 03:44	---------	d-----w	C:\Documents and Settings\All Users\Application Data\HP
2007-10-09 03:42	---------	d-----w	C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
2007-10-09 03:41	---------	d-----w	C:\Program Files\Hewlett-Packard
2007-10-09 03:41	---------	d-----w	C:\Program Files\Common Files\Hewlett-Packard
2007-10-09 03:39	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2007-09-23 07:20	---------	d-----w	C:\Program Files\MSN Messenger
2007-09-23 06:12	805	----a-w	C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-09-23 06:12	8,014	----a-w	C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-09-23 06:12	48,768	----a-w	C:\WINDOWS\system32\S32EVNT1.DLL
2007-09-23 06:12	110,952	----a-w	C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-09-23 06:12	---------	d-----w	C:\Program Files\Symantec
2007-09-23 06:12	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2007-09-23 06:12	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Symantec
2007-08-21 06:15	683,520	----a-w	C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15	683,520	------w	C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-20 21:34	3,584,512	----a-w	C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-20 10:04	824,832	----a-w	C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-20 10:04	671,232	----a-w	C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-20 10:04	6,058,496	------w	C:\WINDOWS\system32\dllcache\ieframe.dll
2007-08-20 10:04	52,224	------w	C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-08-20 10:04	477,696	----a-w	C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-20 10:04	459,264	------w	C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-08-20 10:04	44,544	------w	C:\WINDOWS\system32\dllcache\iernonce.dll
2007-08-20 10:04	384,512	------w	C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-08-20 10:04	383,488	------w	C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-08-20 10:04	27,648	----a-w	C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-20 10:04	267,776	------w	C:\WINDOWS\system32\dllcache\iertutil.dll
2007-08-20 10:04	232,960	------w	C:\WINDOWS\system32\dllcache\webcheck.dll
2007-08-20 10:04	230,400	------w	C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-08-20 10:04	214,528	----a-w	C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-20 10:04	193,024	----a-w	C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-20 10:04	153,088	------w	C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-08-20 10:04	132,608	----a-w	C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-20 10:04	124,928	------w	C:\WINDOWS\system32\dllcache\advpack.dll
2007-08-20 10:04	105,984	------w	C:\WINDOWS\system32\dllcache\url.dll
2007-08-20 10:04	102,400	------w	C:\WINDOWS\system32\dllcache\occache.dll
2007-08-20 10:04	1,152,000	----a-w	C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-17 10:21	625,152	------w	C:\WINDOWS\system32\dllcache\iexplore.exe
2007-08-17 10:20	63,488	------w	C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-08-17 10:20	13,824	------w	C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-08-17 07:34	161,792	------w	C:\WINDOWS\system32\dllcache\ieakui.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2506751e-75e4-44c7-b64d-50345444a510}]
2007-11-10 14:59	81472	--a------	C:\WINDOWS\system32\gqloapou.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5482EB0F-175B-4DA9-A329-1C6345BA7E30}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9d71d7a7-f0b4-43d3-aaff-e72ef9b83b44}]
2007-11-10 11:38	81472	--a------	C:\WINDOWS\system32\bhevsutb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-10 10:04	145780	--a------	C:\WINDOWS\system32\rutjuibx.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\rutjuibx.dll [2007-11-10 10:04 145780]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\rutjuibx.dll [2007-11-10 10:04 145780]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\PROGRA~1\SYMANT~1\\vptray.exe" [2007-03-14 19:49]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25]
"60176dba"="C:\WINDOWS\system32\niktvoaw.dll" [2007-11-10 14:56]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgghhgg]
hgghhgg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rutjuibx]
rutjuibx.dll 2007-11-10 10:04 145780 C:\WINDOWS\system32\rutjuibx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmnnl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Clean Access Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Clean Access Agent.lnk
backup=C:\WINDOWS\pss\Clean Access Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TrayMin700.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TrayMin700.exe.lnk
backup=C:\WINDOWS\pss\TrayMin700.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\60176dba]
rundll32.exe "C:\WINDOWS\system32\ylfflrph.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cleanup]
c:\program files\mcafee.com\shared\mcappins.exe /v=3 /cleanup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDC]
C:\WINDOWS\system32\hqccfxnv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\DellSupport\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
"C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
"C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
C:\Program Files\NetWaiting\netWaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"C:\Program Files\Dell\Media Experience\PCMService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\phc700]
C:\WINDOWS\vphc700.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
"C:\Program Files\Spyware Doctor\SDTrayApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchIndexer]
rundll32.exe "C:\WINDOWS\system32\fspdfpbl.dll",sitypnow

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowLOMControl]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"WLANKEEPER"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"RegSrvc"=2 (0x2)
"NICCONFIGSVC"=2 (0x2)
"MioNet"=2 (0x2)
"MDM"=2 (0x2)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"EvtEng"=2 (0x2)
"DSBrokerService"=3 (0x3)

S3 phc700;USB PC Camera (phc700);C:\WINDOWS\system32\DRIVERS\phc700.sys
S4 MioNet;MioNet Service;"C:\Program Files\MioNet\MioNetManager.exe" -s "C:\Program Files\MioNet\wrapper.conf"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt	hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{45c30155-57e7-11db-8d77-00038a000015}]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9e98c8d6-7be5-11dc-8dd2-0015c50e0caf}]
\Shell\AutoRun\command - ddos.exe

.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, 
[url="http://www.gmer.net"]http://www.gmer.net[/url]Rootkit scan 2007-11-10 15:13:28Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ... scanning hidden autostart entries ...scanning hidden files ... scan completed successfully hidden files: 0 **************************************************************************.Completion time: 2007-11-10 15:15:24 - machine was rebooted.	--- E O F ---


And finally... a NEW HijackThis report


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:19:17 PM, on 11/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Celeste Olson\My Documents\hijackthis\HiJackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {015a4445-4305-d46b-7c44-4e57e1576052} - {2506751e-75e4-44c7-b64d-50345444a510} - C:\WINDOWS\system32\gqloapou.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5482EB0F-175B-4DA9-A329-1C6345BA7E30} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9d71d7a7-f0b4-43d3-aaff-e72ef9b83b44} - C:\WINDOWS\system32\bhevsutb.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\rutjuibx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\rutjuibx.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [60176dba] rundll32.exe "C:\WINDOWS\system32\niktvoaw.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://install.augie.edu/sav10/webinst/webinst.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O20 - Winlogon Notify: hgghhgg - hgghhgg.dll (file missing)
O20 - Winlogon Notify: rutjuibx - C:\WINDOWS\SYSTEM32\rutjuibx.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6012 bytes


After doing all the above there is still an icon showing in the taskbar (yellow triangle) and I'm still getting popups.....

Thanks in advance :thumbsup:

#3 sammielea


Posted 11 November 2007 - 02:14 PM

Hi guys... Not trying to bump the topic but wanted to add the latest info to the post as to what I've done to try to get rid of the problem....


From reading through other threads and looking through my log files.... I determined that my problem was related to this (hopefully)

O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\rutjuibx.dll

O20 - Winlogon Notify: rutjuibx - C:\WINDOWS\SYSTEM32\rutjuibx.dll


So, I went into the system32 folder and I had 2 files with that name.. rutjuibx.dllbox (hidden file) and rutjuibx.dll. I was unable to rename/delete as it was being used... so grabbed the Unlocker app and used that... rather than delete I renamed (in case) them both... rebooted and got a one-time error, something to do with winlogon (not sure). Anyways, rebooted again (no errors) and did all the antivirus / antispyware scans again and nothing was picked up... more importantly, I have lost that stupid yellow triangle from the task bar and have gotten no more popups....

If anyone could please look through my very latest log file and verify if I still need to delete / action entries, I'd greatly appreciate it...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:12:58 PM, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Celeste Olson\My Documents\hijackthis\HiJackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {015a4445-4305-d46b-7c44-4e57e1576052} - {2506751e-75e4-44c7-b64d-50345444a510} - C:\WINDOWS\system32\gqloapou.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9d71d7a7-f0b4-43d3-aaff-e72ef9b83b44} - C:\WINDOWS\system32\bhevsutb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [60176dba] rundll32.exe "C:\WINDOWS\system32\niktvoaw.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://install.augie.edu/sav10/webinst/webinst.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6034 bytes

Thanks in advance....

#4 Rosty

  • Malware Response Team

Posted 24 November 2007 - 05:20 AM

Hi,

The forums are really busy, which explains why logs get behind. If you still need some help, please start with posting a new HijackThis log in this thread. Don't start a new thread.
Then I'll take a look.

Regards,

Rosty.
Proud member of ASAP since 2007

#5 sammielea


Posted 24 November 2007 - 12:20 PM

hey... I "think" I managed to clean it up... or at least the popups have stopped..... that last log I posted above, I was just looking for confirmation that in fact nothing else was hiding on me... :thumbsup:

thanks for the reply btw...

#6 Rosty

  • Malware Response Team

Posted 24 November 2007 - 05:11 PM

hey... I "think" I managed to clean it up... or at least the popups have stopped..... that last log I posted above, I was just looking for confirmation that in fact nothing else was hiding on me... :thumbsup:

thanks for the reply btw...


Please post a new HijackThis log!!! Your last log isn't clean :blink:.
Proud member of ASAP since 2007

#7 sammielea


Posted 25 November 2007 - 12:48 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:12:58 PM, on 11/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Celeste Olson\My Documents\hijackthis\HiJackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {015a4445-4305-d46b-7c44-4e57e1576052} - {2506751e-75e4-44c7-b64d-50345444a510} - C:\WINDOWS\system32\gqloapou.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9d71d7a7-f0b4-43d3-aaff-e72ef9b83b44} - C:\WINDOWS\system32\bhevsutb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [60176dba] rundll32.exe "C:\WINDOWS\system32\niktvoaw.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://install.augie.edu/sav10/webinst/webinst.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6014 bytes



#8 Rosty

  • Malware Response Team

Posted 25 November 2007 - 03:52 AM

Hi,
thanks for the new log!!

Please open HijackThis, click do a scan only and place a check next to the following entries:

O2 - BHO: {015a4445-4305-d46b-7c44-4e57e1576052} - {2506751e-75e4-44c7-b64d-50345444a510} - C:\WINDOWS\system32\gqloapou.dll
O2 - BHO: (no name) - {9d71d7a7-f0b4-43d3-aaff-e72ef9b83b44} - C:\WINDOWS\system32\bhevsutb.dll
O4 - HKLM\..\Run: [60176dba] rundll32.exe "C:\WINDOWS\system32\niktvoaw.dll",b

Close all other windows and browsers, except HijackThis, and click Fix Checked. Exit HijackThis.

Please delete these files using Windows Explorer(if present):

C:\WINDOWS\system32\gqloapou.dll
C:\WINDOWS\system32\bhevsutb.dll
C:\WINDOWS\system32\niktvoaw.dll

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found: Posted Image
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    Posted Image
    This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously, and a new HijackThis log in your next reply.
Note: please post the logs using the add reply button.

Edited by Rosty, 25 November 2007 - 03:53 AM.

Proud member of ASAP since 2007
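A small triage script, added here as an example (it is not the thread's code and not part of HijackThis), that parses the O2/O3/O4/O20 entry lines the thread turns on: sammielea's O3/O20 deduction in #3 and Rosty's O2/O4 fix list above. It reports the red flags those entries were read for: random eight-letter DLLs in system32, a Run value with a hex name loaded through rundll32, BHOs with no product name, and orphaned entries. The sample log is made of lines copied from the thread's own logs; the heuristics are mine and are a prompt for a human reviewer, not a verdict.

```python
"""Triage helper for HijackThis logs (added example, not the thread's or HijackThis's own
code): parse O2/O3/O4/O20 entries and flag the patterns this thread was read for."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")                 # "O2 - BHO: ..." lines
# "BHO: name - {CLSID} - path" / "Toolbar: name - {CLSID} - path"; the path may itself
# contain " - " (Spybot - Search & Destroy), so anchor on the CLSID field.
COM_RE = re.compile(r"^\w[\w ]*:\s+(.*?)\s+-\s+(\{[0-9A-Fa-f-]{36}\})\s+-\s+(.*)$")
GENERIC_RE = re.compile(r"^\w[\w ]*:\s+(.*?)\s+-\s+(.*)$")      # "Winlogon Notify: key - path"
RUN_RE = re.compile(r"^[^:]*:\s+\[([^\]]*)\]\s+(.*)$")          # "HKLM\..\Run: [name] cmd"
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?([^",]+\.dll)', re.IGNORECASE)
# Eight lowercase letters + .dll directly in system32 (rutjuibx, niktvoaw, gqloapou,
# bhevsutb in this thread). Limited to .dll so 8-letter EXEs such as igfxpers.exe pass.
RANDOM_DLL_RE = re.compile(r"\\system32\\[a-z]{8}\.dll$", re.IGNORECASE)
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
HEXNAME_RE = re.compile(r"^[0-9a-f]{8}$")                        # Run value names like 60176dba


@dataclass
class Entry:
    section: str                      # O2, O3, O4, O20, ...
    name: str                         # BHO/toolbar name, Run value name or notify key
    target: str                       # file the entry loads (best effort)
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_entry(line: str) -> Optional[Entry]:
    """Return an Entry for an O-line, or None for headers, process-list and blank lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    if section == "O4":
        rm = RUN_RE.match(body)
        if not rm:
            return Entry(section, "", body)
        name, command = rm.groups()
        dm = RUNDLL_RE.search(command)        # rundll32 loader: the DLL is the real target
        return Entry(section, name, dm.group(1) if dm else command.strip())
    cm = COM_RE.match(body) or GENERIC_RE.match(body)
    if not cm:
        return Entry(section, "", body)
    groups = cm.groups()
    return Entry(section, groups[0], groups[-1].strip())


def triage(entry: Entry) -> Entry:
    """Attach a reason for every red flag the thread's helpers looked for."""
    t = entry.target
    if RANDOM_DLL_RE.search(t):
        entry.reasons.append("random 8-letter DLL name in system32")
    if "(no file)" in t or "(file missing)" in t:
        entry.reasons.append("orphaned entry: referenced file is gone")
    if entry.section in ("O2", "O3") and CLSID_RE.match(entry.name):
        entry.reasons.append("BHO/toolbar identified only by a CLSID, no product name")
    if entry.section == "O4" and HEXNAME_RE.match(entry.name):
        entry.reasons.append("Run value with a random hex name")
    if entry.section == "O20" and entry.reasons:
        entry.reasons.append("Winlogon Notify DLL: loaded by winlogon.exe, hence 'in use'")
    return entry


def triage_log(text: str) -> List[Entry]:
    """Parse a whole log and return only the entries with at least one reason."""
    flagged = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is not None and triage(entry).suspicious:
            flagged.append(entry)
    return flagged


# Sample input: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {015a4445-4305-d46b-7c44-4e57e1576052} - {2506751e-75e4-44c7-b64d-50345444a510} - C:\WINDOWS\system32\gqloapou.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5482EB0F-175B-4DA9-A329-1C6345BA7E30} - (no file)
O2 - BHO: (no name) - {9d71d7a7-f0b4-43d3-aaff-e72ef9b83b44} - C:\WINDOWS\system32\bhevsutb.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\rutjuibx.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKLM\..\Run: [60176dba] rundll32.exe "C:\WINDOWS\system32\niktvoaw.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: hgghhgg - hgghhgg.dll (file missing)
O20 - Winlogon Notify: rutjuibx - C:\WINDOWS\SYSTEM32\rutjuibx.dll
"""

if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.section:<4}{e.target}")
        for r in e.reasons:
            print(f"      - {r}")
```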

#9 sammielea


Posted 26 November 2007 - 12:06 PM

Hi rosty....

thanks again for the reply.... however, I'm afraid I no longer have the PC in question... my friend returned home to Florida yesterday before I had another chance to run any more tests... BUT I will be sure to mail him your suggestions right away....

also, may I ask... DrWeb... is that just software you prefer or is it something that can kill the specific infections he had? Just curious... as I've never heard of DrWeb before today....

again... thanks for your assistance.... much appreciated

#10 Rosty

  • Malware Response Team

Posted 26 November 2007 - 12:51 PM

Hi,
Sad to hear you don't have the PC with you anymore.

also, may I ask... DrWeb... is that just software you prefer or is it something that can kill the specific infections he had? Just curious... as I've never heard of DrWeb before today....

DrWebCureIt can remove and delete infected files from your system. It can also show what infection you are dealing with.
Proud member of ASAP since 2007

#11 sammielea


Posted 26 November 2007 - 01:42 PM

the PC in question had a corp version of Symantec AntiVirus (updated after initial scans with spyware removers).... in your opinion is DrWeb able to get rid of the infections better than what he had?

#12 Rosty

  • Malware Response Team

Posted 26 November 2007 - 02:41 PM

Hi,

DrWebCureIt is not a scanner to use without knowledge of what is marked in it. So, do not remove your normal antivirus scanner.
Proud member of ASAP since 2007



