Could Use A Little Help..


13 replies to this topic

#1 Xenoghost

Xenoghost

  • Members
  • 13 posts
  • OFFLINE
  • Local time:02:08 PM

Posted 11 November 2007 - 05:18 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:10:05 PM, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Ares Ultra\Ares Ultra.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ares ultra] "C:\Program Files\Ares Ultra\Ares Ultra.exe" -h
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares Ultra\chatServer.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4593 bytes

Seems mainly to be a DLL file called ssqnmkk.dll. Avira is constantly popping up and asking what to do about it, but no matter what I click it can't hurt this file whatsoever. I tried ComboFix, SDFix and AVG Anti-Spyware; Avira does nothing against this. I even tried to delete the DLL with Pocket Killbox and it refused to go down no matter what I did. Just out of curiosity, is this something new or common malware? Something I would just like to know.


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:09:08 PM

Posted 12 November 2007 - 10:00 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, Xenoghost :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

You're running filesharing programs.
Many of these programs come bundled with unwanted components/malware.
If you wish to find out whether the one you're using does, click Here.

Even if you are using a so-called "safe" program, it's only the program that's safe.
You will be sharing files from uncertified sources, and these are often infected.
The bad guys use filesharing programs as a major source to spread their crap.
I suggest you uninstall it/them; whether you do or not, that's entirely up to you.

If you have previously downloaded ComboFix, please delete that version now.
Now download ComboFix and save it to your desktop:
Note:
It is important that it is saved directly to your desktop.

Close any open browsers.
Disconnect from the Internet.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
*Note*
In case your antivirus or any other realtime scanner is displaying an alert after you downloaded ComboFix or while you use ComboFix, please disable your scanner and redownload ComboFix again.
Some scanners may see some ComboFix-related components as suspicious and block or delete them while there's nothing wrong with them.

Now go to:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right click on HijackThis.exe and select 'Rename'; rename it to abc.bat.
Double click on abc.bat (which is still HijackThis.exe) and post that log into your next reply please.

#3 Xenoghost

Xenoghost
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:02:08 PM

Posted 14 November 2007 - 03:08 AM

ComboFix 07-11-08.3 - Owner 2007-11-14 1:49:50.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.142 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\lnnmp.bak1
C:\WINDOWS\system32\lnnmp.bak2
C:\WINDOWS\system32\lnnmp.ini
C:\WINDOWS\system32\lnnmp.tmp
C:\WINDOWS\system32\pmnnl.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-14 to 2007-11-14 )))))))))))))))))))))))))))))))
.

2007-11-14 01:37 85,056 --a------ C:\WINDOWS\system32\cwvkftky.dll
2007-11-14 01:31 81,472 --a------ C:\WINDOWS\system32\avwjybbs.dll
2007-11-12 16:39 81,472 --a------ C:\WINDOWS\system32\arijehwi.dll
2007-11-11 22:42 98,304 --a------ C:\WINDOWS\system32CmdLineExt.dll
2007-11-11 15:15 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-11 14:36 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-11-11 14:31 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-11-11 14:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2007-11-11 14:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\McAfee
2007-11-11 02:53 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-11 02:48 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-11 02:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2007-11-11 02:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-11 02:24 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-10 22:33 81,472 --a------ C:\WINDOWS\system32\uvsndpwh.dll
2007-11-10 22:30 85,056 --a------ C:\WINDOWS\system32\ihvpfxwr.dll
2007-11-09 22:54 77,888 --a------ C:\WINDOWS\system32\abaxjbvt.dll
2007-11-09 12:42 <DIR> d-------- C:\Program Files\Common Files\DirectX
2007-11-08 22:35 80,448 --a------ C:\WINDOWS\system32\kpualqcs.dll
2007-11-08 10:54 <DIR> d-------- C:\Program Files\Pcsx2
2007-11-07 22:34 79,936 --a------ C:\WINDOWS\system32\ovtgnprq.dll
2007-11-07 21:48 <DIR> d-------- C:\WINDOWS\profiles
2007-11-07 21:47 720,896 --a------ C:\WINDOWS\iun6002.exe
2007-11-07 21:04 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Nero
2007-11-07 20:59 <DIR> d-------- C:\Program Files\Nero
2007-11-07 20:59 <DIR> d-------- C:\Program Files\Common Files\Nero
2007-11-07 20:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-11-07 19:07 <DIR> d-------- C:\Program Files\Illustrate
2007-11-07 19:07 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AccurateRip
2007-11-07 19:07 4,229,496 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2007-11-07 19:07 13,015 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2007-11-07 18:05 169,528 --a------ C:\WINDOWS\system32\wnaspi32.dll
2007-11-07 15:11 <DIR> d-------- C:\EPSONREG
2007-11-07 15:11 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Leadertech
2007-11-07 15:07 <DIR> d-------- C:\Program Files\epson
2007-11-07 15:07 79,679 --a------ C:\WINDOWS\system32\E_FLMADA.DLL
2007-11-07 15:07 64,000 --a------ C:\WINDOWS\system32\E_FBCBADA.DLL
2007-11-07 15:07 46,080 --a------ C:\WINDOWS\system32\escimgd.dll
2007-11-07 15:07 34,304 --a------ C:\WINDOWS\system32\E_FBCHADA.DLL
2007-11-07 15:07 29,696 --a------ C:\WINDOWS\system32\escwiad.dll
2007-11-07 15:07 22,016 --a------ C:\WINDOWS\system32\esccmd.dll
2007-11-07 10:26 <DIR> d-------- C:\Program Files\coverXP
2007-11-07 10:18 36,352 --------- C:\WINDOWS\system32\ssqnmkk.dll
2007-11-04 13:42 <DIR> d---s---- C:\Documents and Settings\Owner\UserData
2007-11-01 21:26 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-11-01 21:26 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-11-01 19:17 <DIR> d-------- C:\Program Files\Winamp
2007-11-01 19:17 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Winamp
2007-11-01 05:25 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\fltk.org
2007-11-01 02:11 <DIR> d-------- C:\Program Files\SlySoft
2007-11-01 02:08 1,875,110 --a------ C:\WINDOWS\system\cygwin1.dll
2007-11-01 02:08 66,048 --a------ C:\WINDOWS\system\cygz.dll
2007-10-31 21:46 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2007-10-31 21:43 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-10-31 21:34 <DIR> d-------- C:\Program Files\GameTap
2007-10-31 21:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GameTap
2007-10-31 21:33 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\InstallShield
2007-10-30 17:17 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Hamachi
2007-10-30 17:16 25,280 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2007-10-30 16:19 0 --a------ C:\WINDOWS\PowerReg.dat
2007-10-30 16:18 <DIR> d-------- C:\Program Files\Common Files\PocketSoft
2007-10-30 16:18 182,272 --a------ C:\WINDOWS\patchw32.dll
2007-10-30 16:16 <DIR> d-------- C:\Program Files\Ubi Soft Games
2007-10-30 01:06 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2007-10-30 01:06 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SystemRequirementsLab
2007-10-30 00:53 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Petroglyph
2007-10-30 00:52 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-10-30 00:23 94,208 --a------ C:\WINDOWS\DIIUnin.exe
2007-10-30 00:23 35,346 --a------ C:\WINDOWS\DIIUnin.dat
2007-10-30 00:23 2,829 --a------ C:\WINDOWS\DIIUnin.pif
2007-10-30 00:16 <DIR> d-------- C:\Program Files\Diablo II
2007-10-29 23:49 <DIR> d-------- C:\WINDOWS\Sun
2007-10-29 17:56 <DIR> d-------- C:\Program Files\Steam
2007-10-29 16:43 <DIR> d-------- C:\Program Files\Microsoft Games
2007-10-29 15:43 30,720 --a------ C:\WINDOWS\system32\drivers\maplom.sys
2007-10-29 15:42 <DIR> d-------- C:\Program Files\Maplom
2007-10-29 12:22 45,208 --a------ C:\WINDOWS\system32\connwsp.dll
2007-10-28 22:44 <DIR> d-------- C:\Program Files\7-Zip
2007-10-28 21:34 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\gtk-2.0
2007-10-28 21:34 <DIR> d-------- C:\Documents and Settings\Owner\.thumbnails
2007-10-28 21:33 <DIR> d-------- C:\Documents and Settings\Owner\.gimp-2.4
2007-10-28 21:32 <DIR> d-------- C:\Program Files\GIMP-2.0
2007-10-28 21:29 <DIR> d-------- C:\Program Files\ASCII Art Generator
2007-10-28 12:21 <DIR> d-------- C:\Program Files\UseNeXT
2007-10-28 12:21 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\UseNeXT
2007-10-27 07:57 <DIR> d-------- C:\Program Files\World of Warcraft
2007-10-27 07:57 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-10-26 20:20 21,840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
2007-10-26 20:20 17,212 --a----t- C:\WINDOWS\system32\SIntf32.dll
2007-10-26 20:20 12,067 --a----t- C:\WINDOWS\system32\SIntf16.dll
2007-10-26 13:16 <DIR> d-------- C:\Program Files\XLink Kai Evolution VII
2007-10-26 10:32 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\acccore
2007-10-26 10:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-10-26 10:30 <DIR> d-------- C:\Program Files\AIM6
2007-10-25 13:24 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-10-25 13:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Age of Empires 3
2007-10-25 13:02 <DIR> d-------- C:\Program Files\uTorrent
2007-10-25 13:02 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
2007-10-25 12:49 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-10-25 08:02 <DIR> d-------- C:\Program Files\Stardock

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-24 16:49 8,552 ----a-w C:\WINDOWS\system32\drivers\asctrm.sys
2007-09-24 15:05 132,904 ----a-w C:\WINDOWS\system32\drivers\imagesrv.sys
2007-09-24 15:05 11,304 ----a-w C:\WINDOWS\system32\drivers\imagedrv.sys
2007-09-20 15:59 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-09-20 15:55 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-09-20 15:55 95,600 ----a-w C:\WINDOWS\system32\NeroCo.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
.

((((((((((((((((((((((((((((( snapshot@2007-11-11_15.28.22.68 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-30 00:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-11-08 22:59:01 136,704 ----a-w C:\WINDOWS\catchme.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bb65676-40ab-4de2-aace-3afef12feef3}]
2007-11-14 01:31 81472 --a------ C:\WINDOWS\system32\avwjybbs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]
2007-11-07 10:18 36352 --------- C:\WINDOWS\system32\ssqnmkk.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-24 14:27]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2004-07-12 02:50]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 21:51]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-07-12 02:50]
"nwiz"="nwiz.exe" [2004-07-12 02:50 C:\WINDOWS\system32\nwiz.exe]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 13:21]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-24 10:49]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 04:48]
"EPSON Stylus CX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [2005-02-01 21:00]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 09:51]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25]
"5c857d7f"="C:\WINDOWS\system32\cwvkftky.dll" [2007-11-14 01:37]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 09:20]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-29 08:11]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 15:35]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{634BBAB7-3F60-4426-944F-A62B9007F67F}"= C:\WINDOWS\system32\ssqnmkk.dll [2007-11-07 10:18 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqnmkk]
ssqnmkk.dll 2007-11-07 10:18 36352 C:\WINDOWS\system32\ssqnmkk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll 2001-12-20 22:34 24576 C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmnnl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^run_startmenu.cmd]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\run_startmenu.cmd
backup=C:\WINDOWS\pss\run_startmenu.cmdCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV CfgWiz]
"C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVMixerTray]
"C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
C:\Windows\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"C:\Program Files\Steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
C:\Program Files\Digital Media Reader\shwiconem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\_AntiSpyware]
C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{57-7D-DD-D0-ZN}]
C:\Documents and Settings\Owner\Local Settings\Temp\thinksnet.exe CHD003

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SPBBCSvc"=3 (0x3)
"SNDSrvc"=3 (0x3)
"SBService"=2 (0x2)
"SAVScan"=3 (0x3)
"PrismXL"=2 (0x2)
"NPFMntor"=2 (0x2)
"navapsvc"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"McAfeeAntiSpyware"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"AOL ACS"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"StarWindService"=2 (0x2)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)

R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3;C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
R2 X4HSX32;X4HSX32;\??\C:\Program Files\GameTap\bin\Release\X4HSX32.Sys
R3 Maplom;Maplom;C:\WINDOWS\system32\drivers\Maplom.sys
S3 PsSdk30;PsSdk30;\??\C:\WINDOWS\system32\Drivers\PsSdk30.drv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-14 01:57:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-14 2:00:42 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-11 15:39
C:\ComboFix3.txt ... 2007-11-11 15:30
.
--- E O F ---





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:04:16 AM, on 11/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: {3feef21f-efa3-ecaa-2ed4-ba0467656bb0} - {0bb65676-40ab-4de2-aace-3afef12feef3} - C:\WINDOWS\system32\avwjybbs.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\ssqnmkk.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [5c857d7f] rundll32.exe "C:\WINDOWS\system32\cwvkftky.dll",b
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: ssqnmkk - C:\WINDOWS\SYSTEM32\ssqnmkk.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5115 bytes

OK, that DLL is still there and it's still popping up an alert for it every time I open a file, but I think you can probably help me get rid of it.
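The ComboFix and HijackThis output above shows the pattern a log reviewer looks for: the same DLL (ssqnmkk.dll) registered as a Browser Helper Object (O2) and as a Winlogon Notify package (O20), an unnamed BHO whose "name" is itself a GUID, and a Run value with a random hex name (5c857d7f) that launches a system32 DLL through rundll32 with a one-letter export. The script below is an added example, not part of this thread and not code from HijackThis or ComboFix; it turns those three observations into review heuristics and runs them over a few lines copied from the HijackThis log above (the sample is constructed from this thread, the regular expressions and the heuristics are this example's own assumptions, and a hit is a review item, not a verdict).

```python
import re
from collections import defaultdict

# Constructed sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: {3feef21f-efa3-ecaa-2ed4-ba0467656bb0} - {0bb65676-40ab-4de2-aace-3afef12feef3} - C:\WINDOWS\system32\avwjybbs.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\ssqnmkk.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [5c857d7f] rundll32.exe "C:\WINDOWS\system32\cwvkftky.dll",b
O20 - Winlogon Notify: ssqnmkk - C:\WINDOWS\SYSTEM32\ssqnmkk.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Heuristic patterns (this example's assumptions about the HijackThis line layout).
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
PATH_RE = re.compile(r'[a-z]:\\[^",]+?\.(?:dll|exe)', re.I)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?,(?P<entry>\S*)', re.I)
RUN_NAME_RE = re.compile(r"\[([^\]]+)\]")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.I)


def parse_entries(log_text):
    """Yield (section, rest, full_line) for every 'Oxx - ...' / 'Rx - ...' line."""
    for raw in log_text.splitlines():
        line = raw.strip()
        if re.match(r"^[RFNO]\d+ - ", line):
            section, rest = line.split(" - ", 1)
            yield section, rest, line


def triage(log_text):
    """Return a list of (subject, reason) review items for a HijackThis log."""
    findings = []
    load_points = defaultdict(set)  # module path (lower-cased) -> sections that reference it

    for section, rest, line in parse_entries(log_text):
        for path in PATH_RE.findall(line):
            load_points[path.lower()].add(section)

        if section == "O2":
            # Layout: BHO: <name> - {CLSID} - <path>
            parts = rest.partition(": ")[2].split(" - ")
            if len(parts) >= 3:
                name, path = parts[0], parts[-1]
                unnamed = name == "(no name)" or GUID_RE.match(name) is not None
                if unnamed and path != "(no file)":
                    findings.append((line, "BHO with no readable name but a file that IE will load"))

        elif section == "O4":
            m = RUNDLL_RE.search(rest)
            name_m = RUN_NAME_RE.search(rest)
            if m and name_m:
                hex_name = HEX_NAME_RE.match(name_m.group(1)) is not None
                terse_export = len(m.group("entry")) <= 1
                in_system32 = "\\system32\\" in m.group("dll").lower()
                if in_system32 and (hex_name or terse_export):
                    findings.append((line, "rundll32 autostart of a system32 DLL with a random-looking "
                                           "value name or a one-letter export"))

        elif section == "O20":
            # Winlogon Notify packages run inside winlogon.exe at every logon; legitimate
            # software registers here too, so this is a "verify the publisher" item.
            findings.append((line, "Winlogon Notify DLL: verify the publisher"))

    # A module reachable from more than one load point survives the removal of any single one.
    for path, sections in load_points.items():
        if len(sections) > 1:
            findings.append((path, "same module registered at several load points: " + ", ".join(sorted(sections))))
    return findings


def flagged_files(log_text):
    """Lower-case basenames of every module that appears in a triage finding."""
    names = set()
    for subject, _reason in triage(log_text):
        for path in PATH_RE.findall(subject):
            names.add(path.lower().rsplit("\\", 1)[-1])
    return sorted(names)


if __name__ == "__main__":
    for subject, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {subject}")
```

On the sample the script reports the two unnamed BHOs that have a file on disk, the hex-named Run value, the Winlogon Notify entry, and the fact that ssqnmkk.dll is reachable from both O2 and O20; the Acrobat, Google and NVIDIA entries are left alone. The cross-reference finding is the one that matters for cleanup: removing only the BHO registration would leave the Winlogon Notify path intact, which is why the helper's script later in the thread addresses every load point at once.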

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:09:08 PM

Posted 14 November 2007 - 04:46 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\WINDOWS\system32\cwvkftky.dll
C:\WINDOWS\system32\avwjybbs.dll
C:\WINDOWS\system32\arijehwi.dll
C:\WINDOWS\system32\uvsndpwh.dll
C:\WINDOWS\system32\ihvpfxwr.dll
C:\WINDOWS\system32\abaxjbvt.dll
C:\WINDOWS\system32\kpualqcs.dll
C:\WINDOWS\system32\ovtgnprq.dll
C:\WINDOWS\system32\ssqnmkk.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bb65676-40ab-4de2-aace-3afef12feef3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"5c857d7f"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{634BBAB7-3F60-4426-944F-A62B9007F67F}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqnmkk]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{57-7D-DD-D0-ZN}]

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply along with a new HijackThis log.

#5 Xenoghost
  • Topic Starter
  • Members
  • 13 posts

Posted 14 November 2007 - 04:08 PM

ComboFix 07-11-08.3 - Owner 2007-11-14 14:55:02.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.162 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ijkmp.bak1
C:\WINDOWS\system32\ijkmp.ini
C:\WINDOWS\system32\pmkji.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-14 to 2007-11-14 )))))))))))))))))))))))))))))))
.

2007-11-14 03:07 76,156 --a------ C:\WINDOWS\system32\ddcya.dll
2007-11-14 01:37 85,056 --a------ C:\WINDOWS\system32\cwvkftky.dll
2007-11-14 01:31 81,472 --a------ C:\WINDOWS\system32\avwjybbs.dll
2007-11-12 16:39 81,472 --a------ C:\WINDOWS\system32\arijehwi.dll
2007-11-11 22:42 98,304 --a------ C:\WINDOWS\system32CmdLineExt.dll
2007-11-11 15:15 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-11 14:36 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-11-11 14:31 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-11-11 14:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2007-11-11 14:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\McAfee
2007-11-11 02:53 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-11 02:48 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-11 02:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2007-11-11 02:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-11 02:24 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-10 22:33 81,472 --a------ C:\WINDOWS\system32\uvsndpwh.dll
2007-11-10 22:30 85,056 --a------ C:\WINDOWS\system32\ihvpfxwr.dll
2007-11-09 22:54 77,888 --a------ C:\WINDOWS\system32\abaxjbvt.dll
2007-11-09 12:42 <DIR> d-------- C:\Program Files\Common Files\DirectX
2007-11-08 22:35 80,448 --a------ C:\WINDOWS\system32\kpualqcs.dll
2007-11-08 10:54 <DIR> d-------- C:\Program Files\Pcsx2
2007-11-07 22:34 79,936 --a------ C:\WINDOWS\system32\ovtgnprq.dll
2007-11-07 21:48 <DIR> d-------- C:\WINDOWS\profiles
2007-11-07 21:47 720,896 --a------ C:\WINDOWS\iun6002.exe
2007-11-07 21:04 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Nero
2007-11-07 20:59 <DIR> d-------- C:\Program Files\Nero
2007-11-07 20:59 <DIR> d-------- C:\Program Files\Common Files\Nero
2007-11-07 20:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-11-07 19:07 <DIR> d-------- C:\Program Files\Illustrate
2007-11-07 19:07 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AccurateRip
2007-11-07 19:07 4,229,496 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2007-11-07 19:07 13,015 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2007-11-07 18:05 169,528 --a------ C:\WINDOWS\system32\wnaspi32.dll
2007-11-07 15:11 <DIR> d-------- C:\EPSONREG
2007-11-07 15:11 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Leadertech
2007-11-07 15:07 <DIR> d-------- C:\Program Files\epson
2007-11-07 15:07 79,679 --a------ C:\WINDOWS\system32\E_FLMADA.DLL
2007-11-07 15:07 64,000 --a------ C:\WINDOWS\system32\E_FBCBADA.DLL
2007-11-07 15:07 46,080 --a------ C:\WINDOWS\system32\escimgd.dll
2007-11-07 15:07 34,304 --a------ C:\WINDOWS\system32\E_FBCHADA.DLL
2007-11-07 15:07 29,696 --a------ C:\WINDOWS\system32\escwiad.dll
2007-11-07 15:07 22,016 --a------ C:\WINDOWS\system32\esccmd.dll
2007-11-07 10:26 <DIR> d-------- C:\Program Files\coverXP
2007-11-07 10:18 36,352 --------- C:\WINDOWS\system32\ssqnmkk.dll
2007-11-04 13:42 <DIR> d---s---- C:\Documents and Settings\Owner\UserData
2007-11-01 21:26 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-11-01 21:26 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-11-01 19:17 <DIR> d-------- C:\Program Files\Winamp
2007-11-01 19:17 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Winamp
2007-11-01 05:25 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\fltk.org
2007-11-01 02:11 <DIR> d-------- C:\Program Files\SlySoft
2007-11-01 02:08 1,875,110 --a------ C:\WINDOWS\system\cygwin1.dll
2007-11-01 02:08 66,048 --a------ C:\WINDOWS\system\cygz.dll
2007-10-31 21:46 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2007-10-31 21:43 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-10-31 21:34 <DIR> d-------- C:\Program Files\GameTap
2007-10-31 21:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GameTap
2007-10-31 21:33 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\InstallShield
2007-10-30 17:17 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Hamachi
2007-10-30 17:16 25,280 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2007-10-30 16:19 0 --a------ C:\WINDOWS\PowerReg.dat
2007-10-30 16:18 <DIR> d-------- C:\Program Files\Common Files\PocketSoft
2007-10-30 16:18 182,272 --a------ C:\WINDOWS\patchw32.dll
2007-10-30 16:16 <DIR> d-------- C:\Program Files\Ubi Soft Games
2007-10-30 01:06 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2007-10-30 01:06 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SystemRequirementsLab
2007-10-30 00:53 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Petroglyph
2007-10-30 00:52 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-10-30 00:23 94,208 --a------ C:\WINDOWS\DIIUnin.exe
2007-10-30 00:23 35,346 --a------ C:\WINDOWS\DIIUnin.dat
2007-10-30 00:23 2,829 --a------ C:\WINDOWS\DIIUnin.pif
2007-10-30 00:16 <DIR> d-------- C:\Program Files\Diablo II
2007-10-29 23:49 <DIR> d-------- C:\WINDOWS\Sun
2007-10-29 17:56 <DIR> d-------- C:\Program Files\Steam
2007-10-29 16:43 <DIR> d-------- C:\Program Files\Microsoft Games
2007-10-29 15:43 30,720 --a------ C:\WINDOWS\system32\drivers\maplom.sys
2007-10-29 15:42 <DIR> d-------- C:\Program Files\Maplom
2007-10-29 12:22 45,208 --a------ C:\WINDOWS\system32\connwsp.dll
2007-10-28 22:44 <DIR> d-------- C:\Program Files\7-Zip
2007-10-28 21:34 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\gtk-2.0
2007-10-28 21:34 <DIR> d-------- C:\Documents and Settings\Owner\.thumbnails
2007-10-28 21:33 <DIR> d-------- C:\Documents and Settings\Owner\.gimp-2.4
2007-10-28 21:32 <DIR> d-------- C:\Program Files\GIMP-2.0
2007-10-28 21:29 <DIR> d-------- C:\Program Files\ASCII Art Generator
2007-10-28 12:21 <DIR> d-------- C:\Program Files\UseNeXT
2007-10-28 12:21 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\UseNeXT
2007-10-27 07:57 <DIR> d-------- C:\Program Files\World of Warcraft
2007-10-27 07:57 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-10-26 20:20 21,840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
2007-10-26 20:20 17,212 --a----t- C:\WINDOWS\system32\SIntf32.dll
2007-10-26 20:20 12,067 --a----t- C:\WINDOWS\system32\SIntf16.dll
2007-10-26 13:16 <DIR> d-------- C:\Program Files\XLink Kai Evolution VII
2007-10-26 10:32 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\acccore
2007-10-26 10:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-10-26 10:30 <DIR> d-------- C:\Program Files\AIM6
2007-10-25 13:24 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-10-25 13:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Age of Empires 3
2007-10-25 13:02 <DIR> d-------- C:\Program Files\uTorrent
2007-10-25 13:02 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
2007-10-25 12:49 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-24 16:49 8,552 ----a-w C:\WINDOWS\system32\drivers\asctrm.sys
2007-09-24 15:05 132,904 ----a-w C:\WINDOWS\system32\drivers\imagesrv.sys
2007-09-24 15:05 11,304 ----a-w C:\WINDOWS\system32\drivers\imagedrv.sys
2007-09-20 15:59 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-09-20 15:55 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-09-20 15:55 95,600 ----a-w C:\WINDOWS\system32\NeroCo.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
.

((((((((((((((((((((((((((((( snapshot@2007-11-11_15.28.22.68 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-30 00:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-11-08 22:59:01 136,704 ----a-w C:\WINDOWS\catchme.exe
- 2006-12-19 21:52:18 8,453,632 -c--a-w C:\WINDOWS\system32\dllcache\shell32.dll
+ 2007-10-26 03:36:51 8,454,656 -c--a-w C:\WINDOWS\system32\dllcache\shell32.dll
- 2007-09-28 03:19:40 18,089,592 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2007-11-02 07:12:57 18,238,072 ----a-w C:\WINDOWS\system32\MRT.exe
- 2006-12-19 21:52:18 8,453,632 ----a-w C:\WINDOWS\system32\shell32.dll
+ 2007-10-26 03:36:51 8,454,656 ----a-w C:\WINDOWS\system32\shell32.dll
- 2005-06-28 17:20:23 13,536 ------w C:\WINDOWS\system32\spmsg.dll
+ 2007-03-06 01:22:33 14,048 ------w C:\WINDOWS\system32\spmsg.dll
- 2007-08-21 10:20:02 115,712 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2007-10-29 10:26:53 115,712 ----a-w C:\WINDOWS\system32\xpsp3res.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]
2007-11-07 10:18 36352 --------- C:\WINDOWS\system32\ssqnmkk.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-24 14:27]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2004-07-12 02:50]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 21:51]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-07-12 02:50]
"nwiz"="nwiz.exe" [2004-07-12 02:50 C:\WINDOWS\system32\nwiz.exe]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 13:21]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-24 10:49]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 04:48]
"EPSON Stylus CX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [2005-02-01 21:00]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 09:51]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 09:20]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-29 08:11]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 15:35]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{634BBAB7-3F60-4426-944F-A62B9007F67F}"= C:\WINDOWS\system32\ssqnmkk.dll [2007-11-07 10:18 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqnmkk]
ssqnmkk.dll 2007-11-07 10:18 36352 C:\WINDOWS\system32\ssqnmkk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll 2001-12-20 22:34 24576 C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^run_startmenu.cmd]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\run_startmenu.cmd
backup=C:\WINDOWS\pss\run_startmenu.cmdCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV CfgWiz]
"C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVMixerTray]
"C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
C:\Windows\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"C:\Program Files\Steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
C:\Program Files\Digital Media Reader\shwiconem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\_AntiSpyware]
C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SPBBCSvc"=3 (0x3)
"SNDSrvc"=3 (0x3)
"SBService"=2 (0x2)
"SAVScan"=3 (0x3)
"PrismXL"=2 (0x2)
"NPFMntor"=2 (0x2)
"navapsvc"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"McAfeeAntiSpyware"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"AOL ACS"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"StarWindService"=2 (0x2)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)

R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3;C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
R2 X4HSX32;X4HSX32;\??\C:\Program Files\GameTap\bin\Release\X4HSX32.Sys
R3 Maplom;Maplom;C:\WINDOWS\system32\drivers\Maplom.sys
S3 PsSdk30;PsSdk30;\??\C:\WINDOWS\system32\Drivers\PsSdk30.drv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-14 15:00:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-14 15:03:15 - machine was rebooted
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:07:40 PM, on 11/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\ssqnmkk.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: ssqnmkk - C:\WINDOWS\SYSTEM32\ssqnmkk.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4848 bytes

Still there. I swear this file is, like, indestructible.
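The "Files Created" section of the ComboFix log above is the most telling part of this post: a fresh 77 to 85 KB DLL with an eight-letter random name lands in system32 almost every day (ovtgnprq on 11-07, kpualqcs on 11-08, abaxjbvt on 11-09, and so on), which says the component that drops them is still running, so removing the DLLs by name is whack-a-mole. The script below is an added example, not code from this thread or from ComboFix: it scores each created file on that pattern and tallies drops per day. The sample lines are copied from the log above; the thresholds (size band, stem length) are tuned to what this log shows, so treat the output as a triage list. It also flags connwsp.dll, which is not on the helper's removal list and so needs checking by hand rather than deleting.

```python
"""Triage a ComboFix 'Files Created' listing for signs of an active dropper.

Added example, not code from this thread or from ComboFix. Each created file
gets one point per indicator in score(); files reaching FLAG_THRESHOLD are
returned for analyst review. It is a heuristic and will surface a few
legitimate files alongside the real drops.
"""
import re
from collections import Counter

# Sample input: lines copied from the ComboFix log posted above in this thread.
SAMPLE = r"""
2007-11-14 03:07 76,156 --a------ C:\WINDOWS\system32\ddcya.dll
2007-11-14 01:37 85,056 --a------ C:\WINDOWS\system32\cwvkftky.dll
2007-11-14 01:31 81,472 --a------ C:\WINDOWS\system32\avwjybbs.dll
2007-11-12 16:39 81,472 --a------ C:\WINDOWS\system32\arijehwi.dll
2007-11-11 15:15 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-11 02:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-11 02:24 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-10 22:33 81,472 --a------ C:\WINDOWS\system32\uvsndpwh.dll
2007-11-10 22:30 85,056 --a------ C:\WINDOWS\system32\ihvpfxwr.dll
2007-11-09 22:54 77,888 --a------ C:\WINDOWS\system32\abaxjbvt.dll
2007-11-08 22:35 80,448 --a------ C:\WINDOWS\system32\kpualqcs.dll
2007-11-07 22:34 79,936 --a------ C:\WINDOWS\system32\ovtgnprq.dll
2007-11-07 18:05 169,528 --a------ C:\WINDOWS\system32\wnaspi32.dll
2007-11-07 15:07 46,080 --a------ C:\WINDOWS\system32\escimgd.dll
2007-11-07 15:07 29,696 --a------ C:\WINDOWS\system32\escwiad.dll
2007-11-07 15:07 22,016 --a------ C:\WINDOWS\system32\esccmd.dll
2007-11-07 10:18 36,352 --------- C:\WINDOWS\system32\ssqnmkk.dll
2007-11-01 02:08 66,048 --a------ C:\WINDOWS\system\cygz.dll
2007-10-29 12:22 45,208 --a------ C:\WINDOWS\system32\connwsp.dll
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S+)\s+(.+?)\s*$")
SYSTEM32 = "c:\\windows\\system32"
VOWELS = set("aeiou")
FLAG_THRESHOLD = 4


def parse(lines):
    """Return (date, time, size, attrs, path) rows; size is None for <DIR> rows."""
    rows = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            date, time, size, attrs, path = m.groups()
            size = None if size == "<DIR>" else int(size.replace(",", ""))
            rows.append((date, time, size, attrs, path))
    return rows


def max_consonant_run(stem):
    run = best = 0
    for ch in stem:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def score(row, per_minute):
    """One point per indicator; the thresholds come from the drops seen in this log."""
    date, time, size, _attrs, path = row
    folder, _, name = path.lower().rpartition("\\")
    stem, _, ext = name.rpartition(".")
    pts = 0
    if ext == "dll" and re.fullmatch(r"[a-z]{5,8}", stem):   # random-looking 5-8 letter stem
        pts += 1
    if per_minute[(date, time)] == 1:                         # written alone, not by an installer
        pts += 1
    if size is not None and 70_000 <= size <= 100_000:        # size band of the daily drops
        pts += 1
    vowel_frac = sum(c in VOWELS for c in stem) / len(stem) if stem else 1.0
    if max_consonant_run(stem) >= 4 or vowel_frac <= 0.2:     # unpronounceable
        pts += 1
    if folder == SYSTEM32:                                    # directly in system32
        pts += 1
    return pts


def triage(lines):
    """Return [(date, path, score)] for every file at or above FLAG_THRESHOLD, in log order."""
    rows = parse(lines)
    per_minute = Counter((r[0], r[1]) for r in rows)  # <DIR> rows count too: installers make them
    hits = []
    for row in rows:
        if row[2] is not None:
            s = score(row, per_minute)
            if s >= FLAG_THRESHOLD:
                hits.append((row[0], row[4], s))
    return hits


def drop_days(hits):
    """Flagged files per day; a fresh drop on most days means the dropper is still live."""
    return dict(Counter(date for date, _, _ in hits))


if __name__ == "__main__":
    hits = triage(SAMPLE.splitlines())
    for date, path, s in hits:
        print(f"{s}/5  {date}  {path}")
    print("drops per day:", drop_days(hits))
```

Run it against a full ComboFix log by replacing SAMPLE with the file contents. The per-day tally is the point to look at: when every day since the first drop has a new hit, the loader that writes them has not been removed yet, and the file list alone will not tell you which process that is.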

#6 RichieUK
  • Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 14 November 2007 - 04:18 PM

Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths inside the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\WINDOWS\system32\ddcya.dll
C:\WINDOWS\system32\cwvkftky.dll
C:\WINDOWS\system32\avwjybbs.dll
C:\WINDOWS\system32\arijehwi.dll
C:\WINDOWS\system32\uvsndpwh.dll
C:\WINDOWS\system32\ihvpfxwr.dll
C:\WINDOWS\system32\abaxjbvt.dll
C:\WINDOWS\system32\kpualqcs.dll
C:\WINDOWS\system32\ovtgnprq.dll
C:\WINDOWS\system32\ssqnmkk.dll

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.

Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.


Copy and paste ALL the following text in the quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as type: 'All Files' / File name: fix.reg, saving it to your desktop.
Then double-click on the fix.reg file on your desktop and agree to merge the information into the registry, then restart your PC.

REGEDIT4
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{634BBAB7-3F60-4426-944F-A62B9007F67F}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqnmkk]


Also post a new Hijackthis log please.
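The CFScript in post #4 and the fix.reg in post #6 both aim at the same three places: the Browser Helper Objects key, ShellExecuteHooks and Winlogon\Notify. What the HijackThis and ComboFix logs show is one DLL registered in all three, and the Notify entry means winlogon.exe maps the DLL before anyone logs on, which is why the file survives deletion attempts from a running session. The script below is an added example, not code from this thread, from HijackThis or from ComboFix: it parses HijackThis O2/O4/O20 lines, groups them by the file they load, flags the patterns seen here, and writes a REGEDIT4 script that removes the flagged load points with the key paths spelled out in full (regedit needs the real path; the "~" in ComboFix's output is ComboFix's own abbreviation). The sample lines are copied from the HijackThis logs in this thread; the allowlist of stock XP Notify packages is from memory and should be extended for your build, and the HKEY_CLASSES_ROOT\CLSID delete is my addition, not something the helper's script did.

```python
"""Cross-reference HijackThis load points and emit a REGEDIT4 removal script.

Added example, not code from this thread, HijackThis or ComboFix. Parses O2
(Browser Helper Object), O4 (Run key) and O20 (Winlogon Notify) lines, groups
them by the file they load, and flags: the same file under more than one load
point; an unnamed BHO loading straight from system32; a Winlogon Notify package
outside the stock XP set; a registration whose file HijackThis reports missing.
"""
import re
from collections import defaultdict, namedtuple

Entry = namedtuple("Entry", "kind name key path missing")
SYSTEM32 = "c:\\windows\\system32\\"
# Stock XP Notify packages as I recall them (assumption; extend for your build).
XP_NOTIFY_DEFAULTS = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                      "sclgntfy", "senslogn", "termsrv", "wlballoon"}
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}

# Sample input: lines copied from the HijackThis logs posted in this thread.
SAMPLE_HJT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\ssqnmkk.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: ssqnmkk - C:\WINDOWS\SYSTEM32\ssqnmkk.dll
"""

BHO_RE = re.compile(r"^O2 - BHO: (.*?) - \{([0-9A-Fa-f-]{36})\} - (.+)$")
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")


def _file_of(cmd):
    """Executable/DLL path from a Run command line: quoted, bare, or rundll32 <dll>,<entry>."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    head, _, rest = cmd.partition(" ")
    return rest.split(",", 1)[0].strip() if head.lower() == "rundll32.exe" else head


def _norm(path):
    """Lower-cased path plus a 'file missing' flag; path is None when there is no file at all."""
    path = path.strip()
    if path == "(no file)":
        return None, True
    missing = path.endswith("(file missing)")
    return path.replace("(file missing)", "").strip().lower(), missing


def load_points(lines):
    entries = []
    for line in (l.strip() for l in lines):
        m = BHO_RE.match(line)
        if m:
            entries.append(Entry("BHO", m.group(1), m.group(2), *_norm(m.group(3))))
            continue
        m = RUN_RE.match(line)
        if m:
            entries.append(Entry("Run:" + m.group(1), m.group(2), m.group(2), *_norm(_file_of(m.group(3)))))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            entries.append(Entry("WinlogonNotify", m.group(1), m.group(1), *_norm(m.group(2))))
    return entries


def analyze(lines):
    """Return [(entry, [reasons])] for each suspicious load point, in log order."""
    entries = load_points(lines)
    kinds_by_path = defaultdict(set)
    for e in entries:
        if e.path:
            kinds_by_path[e.path].add(e.kind)
    findings = []
    for e in entries:
        reasons = []
        if e.missing:
            reasons.append("orphaned registration: file gone, load point still present")
        if e.kind == "BHO" and e.name == "(no name)" and (e.path or "").startswith(SYSTEM32):
            reasons.append("unnamed BHO loading a DLL straight from system32")
        if e.kind == "WinlogonNotify" and e.name.lower() not in XP_NOTIFY_DEFAULTS:
            reasons.append("non-stock Winlogon Notify package (mapped into winlogon.exe before logon)")
        if e.path and len(kinds_by_path[e.path]) > 1:
            reasons.append("same file registered under %d load points: %s"
                           % (len(kinds_by_path[e.path]), ", ".join(sorted(kinds_by_path[e.path]))))
        if reasons:
            findings.append((e, reasons))
    return findings


def removal_reg(findings):
    """REGEDIT4 script removing each flagged load point, key paths spelled out in full."""
    out = ["REGEDIT4", ""]
    for e, _ in findings:
        if e.kind == "BHO":
            out += [r"[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{%s}]" % e.key,
                    # the same CLSID was also a ShellExecuteHook here; regedit ignores '=-' on an absent value
                    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]",
                    '"{%s}"=-' % e.key,
                    r"[-HKEY_CLASSES_ROOT\CLSID\{%s}]" % e.key]   # the COM registration itself (my addition)
        elif e.kind == "WinlogonNotify":
            out.append(r"[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\%s]" % e.key)
        else:  # Run:HKLM / Run:HKCU
            out += [r"[%s\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]" % HIVES[e.kind[4:]], '"%s"=-' % e.key]
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    found = analyze(SAMPLE_HJT.splitlines())
    for e, reasons in found:
        print(e.kind, e.key, e.path, "|", "; ".join(reasons))
    print(removal_reg(found))
```

Two caveats when you use the generated script. Deleting the Notify key only stops winlogon.exe loading the DLL at the next boot; the copy already mapped into winlogon.exe and explorer.exe stays until then, so the file itself still needs a boot-time delete, which is exactly what the "scheduled to be moved on reboot" step in this thread is for. And a removed load point that comes back in the next log means something still running re-registers it, so compare logs before and after the reboot rather than trusting one clean run.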

#7 Xenoghost
  • Topic Starter
  • Members
  • 13 posts

Posted 14 November 2007 - 06:12 PM

File/Folder C:\WINDOWS\system32\ddcya.dll not found.
File/Folder C:\WINDOWS\system32\cwvkftky.dll not found.
File/Folder C:\WINDOWS\system32\avwjybbs.dll not found.
File/Folder C:\WINDOWS\system32\arijehwi.dll not found.
File/Folder C:\WINDOWS\system32\uvsndpwh.dll not found.
File/Folder C:\WINDOWS\system32\ihvpfxwr.dll not found.
File/Folder C:\WINDOWS\system32\abaxjbvt.dll not found.
File/Folder C:\WINDOWS\system32\kpualqcs.dll not found.
File/Folder C:\WINDOWS\system32\ovtgnprq.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ssqnmkk.dll
C:\WINDOWS\system32\ssqnmkk.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\ssqnmkk.dll scheduled to be moved on reboot.

Created on 11/14/2007 16:57:44

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:02:31 PM, on 11/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4B58DB9F-50AB-4DA9-9462-E94DA9383B5A} - C:\WINDOWS\system32\geedc.dll
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\ssqnmkk.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: ssqnmkk - C:\WINDOWS\SYSTEM32\ssqnmkk.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 2870 bytes


All of the ones that say "not found" were actually moved successfully, but when it asked to reboot, OTMoveIt never reopened after the reboot, so I did it a second time and posted the results of that one. Also, my HJT log might have changed around a little bit because I edited my msconfig (there were too many things popping up on startup), so it might be a little smaller now, but ssqnmkk.dll still refuses to go quietly.
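OTMoveIt's "scheduled to be moved on reboot" line in the output above is the standard Windows deferred-delete mechanism, which I assume OTMoveIt uses like most such tools: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT appends a (source, destination) pair to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and Session Manager carries the pairs out early in the next boot, before winlogon.exe loads its Notify packages. An empty destination means delete. The example below is added, not code from the thread, from OTMoveIt or from Windows: it encodes and decodes that value, so you can read a registry export and confirm the deletion is actually queued before rebooting, and renders it as a .reg fragment of the kind regedit exports.

```python
r"""Encode, decode and render the PendingFileRenameOperations value.

Added example, not code from this thread, OTMoveIt or Avenger. The value is a
REG_MULTI_SZ under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager holding
(source, destination) string pairs in NT path form (\??\C:\...); a destination
of "" means "delete source at next boot". Session Manager processes it before
winlogon.exe starts, which is how it can remove a DLL that is locked all session.
"""
import re

SESSION_MANAGER = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"


def nt_path(win_path):
    """Prefix a Win32 path with \\??\\, the form Session Manager expects."""
    return win_path if win_path.startswith("\\??\\") else "\\??\\" + win_path


def encode_pending(pairs):
    """(source, destination) pairs -> raw REG_MULTI_SZ bytes (UTF-16LE, double-NUL terminated)."""
    parts = []
    for src, dst in pairs:
        parts.append(nt_path(src))
        parts.append(nt_path(dst) if dst else "")   # "" = delete at boot
    return ("\0".join(parts) + "\0\0").encode("utf-16-le")


def decode_pending(raw):
    """Raw bytes -> list of (source, destination); keeps the empty 'delete' destinations."""
    s = raw.decode("utf-16-le")
    if not s.endswith("\0\0"):
        raise ValueError("missing REG_MULTI_SZ terminator")
    body = s[:-2]
    if not body:
        return []
    parts = body.split("\0")   # a generic multi-sz reader would stop at the first empty string
    if len(parts) % 2:
        raise ValueError("odd number of strings: value is corrupt")
    return list(zip(parts[0::2], parts[1::2]))


def pending_deletes(raw):
    """Files queued for deletion at the next boot."""
    return [src for src, dst in decode_pending(raw) if dst == ""]


def to_reg(raw, per_line=25):
    """Render as a 'Windows Registry Editor Version 5.00' fragment; hex(7) is REG_MULTI_SZ."""
    hexed = ["%02x" % b for b in raw]
    rows = [",".join(hexed[i:i + per_line]) for i in range(0, len(hexed), per_line)]
    return ('Windows Registry Editor Version 5.00\n\n[%s]\n'
            '"PendingFileRenameOperations"=hex(7):%s\n') % (SESSION_MANAGER, ",\\\n  ".join(rows))


def from_reg(text):
    """Pull the raw bytes back out of a .reg export, undoing regedit's line continuations."""
    m = re.search(r'"PendingFileRenameOperations"=hex\(7\):(.*?)(?:\n\n|\n\[|\Z)', text, re.S)
    if not m:
        raise ValueError("value not found")
    data = m.group(1).replace("\\\n", "").replace(" ", "").replace("\n", "")
    return bytes(int(h, 16) for h in data.split(",") if h)


if __name__ == "__main__":
    raw = encode_pending([(r"C:\WINDOWS\system32\ssqnmkk.dll", "")])
    print(to_reg(raw))
    print("queued for deletion:", pending_deletes(from_reg(to_reg(raw))))
```

To check a live machine, export the Session Manager key with regedit and feed the file to from_reg() and pending_deletes(); if the DLL is not listed, the "scheduled" move never made it into the registry and the reboot will change nothing. The same value is worth a look during incident response for the opposite reason: anything can queue a rename there, so an unexpected entry is a boot-time tamper you would otherwise not see.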

#8 RichieUK
  • Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 14 November 2007 - 06:20 PM

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL the following text inside the quote box below:

Files to delete:
C:\WINDOWS\system32\geedc.dll
C:\WINDOWS\system32\ssqnmkk.dll

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt, into your next reply.

Double click on Combofix.exe again and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

Also post a new Hijackthis log.

#9 Xenoghost
  • Topic Starter
  • Members
  • 13 posts

Posted 14 November 2007 - 06:44 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:35:26 PM, on 11/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4B58DB9F-50AB-4DA9-9462-E94DA9383B5A} - C:\WINDOWS\system32\geedc.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: ssqnmkk - ssqnmkk.dll (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 2407 bytes



ComboFix 07-11-08.3 - Owner 2007-11-14 17:29:08.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.222 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt

.
((((((((((((((((((((((((( Files Created from 2007-10-14 to 2007-11-14 )))))))))))))))))))))))))))))))
.

2007-11-14 15:13 6,473 ---hs---- C:\WINDOWS\system32\cdeeg.bak1
2007-11-11 22:42 98,304 --a------ C:\WINDOWS\system32CmdLineExt.dll
2007-11-11 15:15 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-11 14:36 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-11-11 14:31 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-11-11 14:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2007-11-11 14:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\McAfee
2007-11-11 02:53 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-11 02:48 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-11 02:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2007-11-11 02:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-11 02:24 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-09 12:42 <DIR> d-------- C:\Program Files\Common Files\DirectX
2007-11-08 10:54 <DIR> d-------- C:\Program Files\Pcsx2
2007-11-07 21:48 <DIR> d-------- C:\WINDOWS\profiles
2007-11-07 21:47 720,896 --a------ C:\WINDOWS\iun6002.exe
2007-11-07 21:04 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Nero
2007-11-07 20:59 <DIR> d-------- C:\Program Files\Nero
2007-11-07 20:59 <DIR> d-------- C:\Program Files\Common Files\Nero
2007-11-07 20:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-11-07 19:07 <DIR> d-------- C:\Program Files\Illustrate
2007-11-07 19:07 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AccurateRip
2007-11-07 19:07 4,229,496 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2007-11-07 19:07 13,015 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2007-11-07 18:05 169,528 --a------ C:\WINDOWS\system32\wnaspi32.dll
2007-11-07 15:11 <DIR> d-------- C:\EPSONREG
2007-11-07 15:11 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Leadertech
2007-11-07 15:07 <DIR> d-------- C:\Program Files\epson
2007-11-07 15:07 79,679 --a------ C:\WINDOWS\system32\E_FLMADA.DLL
2007-11-07 15:07 64,000 --a------ C:\WINDOWS\system32\E_FBCBADA.DLL
2007-11-07 15:07 46,080 --a------ C:\WINDOWS\system32\escimgd.dll
2007-11-07 15:07 34,304 --a------ C:\WINDOWS\system32\E_FBCHADA.DLL
2007-11-07 15:07 29,696 --a------ C:\WINDOWS\system32\escwiad.dll
2007-11-07 15:07 22,016 --a------ C:\WINDOWS\system32\esccmd.dll
2007-11-07 10:26 <DIR> d-------- C:\Program Files\coverXP
2007-11-04 13:42 <DIR> d---s---- C:\Documents and Settings\Owner\UserData
2007-11-03 13:08 <DIR> d-------- C:\BootDreams
2007-11-01 21:26 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-11-01 21:26 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-11-01 19:17 <DIR> d-------- C:\Program Files\Winamp
2007-11-01 19:17 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Winamp
2007-11-01 05:25 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\fltk.org
2007-11-01 02:11 <DIR> d-------- C:\Program Files\SlySoft
2007-11-01 02:08 1,875,110 --a------ C:\WINDOWS\system\cygwin1.dll
2007-11-01 02:08 66,048 --a------ C:\WINDOWS\system\cygz.dll
2007-10-31 21:46 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2007-10-31 21:43 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-10-31 21:34 <DIR> d-------- C:\Program Files\GameTap
2007-10-31 21:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GameTap
2007-10-31 21:33 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\InstallShield
2007-10-30 17:17 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Hamachi
2007-10-30 17:16 25,280 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2007-10-30 16:19 0 --a------ C:\WINDOWS\PowerReg.dat
2007-10-30 16:18 <DIR> d-------- C:\Program Files\Common Files\PocketSoft
2007-10-30 16:18 182,272 --a------ C:\WINDOWS\patchw32.dll
2007-10-30 16:16 <DIR> d-------- C:\Program Files\Ubi Soft Games
2007-10-30 01:06 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2007-10-30 01:06 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SystemRequirementsLab
2007-10-30 00:53 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Petroglyph
2007-10-30 00:52 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-10-30 00:23 94,208 --a------ C:\WINDOWS\DIIUnin.exe
2007-10-30 00:23 35,346 --a------ C:\WINDOWS\DIIUnin.dat
2007-10-30 00:23 2,829 --a------ C:\WINDOWS\DIIUnin.pif
2007-10-30 00:16 <DIR> d-------- C:\Program Files\Diablo II
2007-10-29 23:49 <DIR> d-------- C:\WINDOWS\Sun
2007-10-29 17:56 <DIR> d-------- C:\Program Files\Steam
2007-10-29 16:43 <DIR> d-------- C:\Program Files\Microsoft Games
2007-10-29 15:43 30,720 --a------ C:\WINDOWS\system32\drivers\maplom.sys
2007-10-29 15:42 <DIR> d-------- C:\Program Files\Maplom
2007-10-29 12:22 45,208 --a------ C:\WINDOWS\system32\connwsp.dll
2007-10-28 22:44 <DIR> d-------- C:\Program Files\7-Zip
2007-10-28 21:34 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\gtk-2.0
2007-10-28 21:34 <DIR> d-------- C:\Documents and Settings\Owner\.thumbnails
2007-10-28 21:33 <DIR> d-------- C:\Documents and Settings\Owner\.gimp-2.4
2007-10-28 21:32 <DIR> d-------- C:\Program Files\GIMP-2.0
2007-10-28 21:29 <DIR> d-------- C:\Program Files\ASCII Art Generator
2007-10-28 12:21 <DIR> d-------- C:\Program Files\UseNeXT
2007-10-28 12:21 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\UseNeXT
2007-10-27 07:57 <DIR> d-------- C:\Program Files\World of Warcraft
2007-10-27 07:57 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-10-26 20:20 21,840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
2007-10-26 20:20 17,212 --a----t- C:\WINDOWS\system32\SIntf32.dll
2007-10-26 20:20 12,067 --a----t- C:\WINDOWS\system32\SIntf16.dll
2007-10-26 13:16 <DIR> d-------- C:\Program Files\XLink Kai Evolution VII
2007-10-26 10:32 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\acccore
2007-10-26 10:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-10-26 10:30 <DIR> d-------- C:\Program Files\AIM6
2007-10-25 13:24 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-10-25 13:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Age of Empires 3
2007-10-25 13:02 <DIR> d-------- C:\Program Files\uTorrent
2007-10-25 13:02 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
2007-10-25 12:49 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-10-25 08:02 <DIR> d-------- C:\Program Files\Stardock
2007-10-25 08:02 <DIR> d-------- C:\Program Files\Common Files\Stardock
2007-10-25 08:02 36,864 --a------ C:\WINDOWS\system32\wbsys.dll
2007-10-24 19:12 <DIR> d-------- C:\Program Files\Project64 1.6
2007-10-24 18:39 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\CyberLink
2007-10-24 16:14 <DIR> d-------- C:\Program Files\Google
2007-10-24 16:03 <DIR> d-------- C:\Program Files\LucasArts
2007-10-24 15:33 <DIR> d-------- C:\Program Files\Alcohol Soft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-24 16:49 8,552 ----a-w C:\WINDOWS\system32\drivers\asctrm.sys
2007-09-24 15:05 132,904 ----a-w C:\WINDOWS\system32\drivers\imagesrv.sys
2007-09-24 15:05 11,304 ----a-w C:\WINDOWS\system32\drivers\imagedrv.sys
2007-09-20 15:59 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-09-20 15:55 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-09-20 15:55 95,600 ----a-w C:\WINDOWS\system32\NeroCo.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
.

((((((((((((((((((((((((((((( snapshot@2007-11-11_15.28.22.68 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-30 00:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-11-08 22:59:01 136,704 ----a-w C:\WINDOWS\catchme.exe
- 2006-12-19 21:52:18 8,453,632 -c--a-w C:\WINDOWS\system32\dllcache\shell32.dll
+ 2007-10-26 03:36:51 8,454,656 -c--a-w C:\WINDOWS\system32\dllcache\shell32.dll
- 2007-09-28 03:19:40 18,089,592 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2007-11-02 07:12:57 18,238,072 ----a-w C:\WINDOWS\system32\MRT.exe
- 2006-12-19 21:52:18 8,453,632 ----a-w C:\WINDOWS\system32\shell32.dll
+ 2007-10-26 03:36:51 8,454,656 ----a-w C:\WINDOWS\system32\shell32.dll
- 2005-06-28 17:20:23 13,536 ------w C:\WINDOWS\system32\spmsg.dll
+ 2007-03-06 01:22:33 14,048 ------w C:\WINDOWS\system32\spmsg.dll
- 2007-08-21 10:20:02 115,712 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2007-10-29 10:26:53 115,712 ----a-w C:\WINDOWS\system32\xpsp3res.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4B58DB9F-50AB-4DA9-9462-E94DA9383B5A}]
C:\WINDOWS\system32\geedc.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-24 14:27]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-07-12 02:50]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-29 08:11]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqnmkk]
ssqnmkk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll 2001-12-20 22:34 24576 C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^run_startmenu.cmd]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\run_startmenu.cmd
backup=C:\WINDOWS\pss\run_startmenu.cmdCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
"C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX4800 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV CfgWiz]
"C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
"C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVMixerTray]
"C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
C:\Windows\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"C:\Program Files\Steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
C:\Program Files\Digital Media Reader\shwiconem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\_AntiSpyware]
C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SPBBCSvc"=3 (0x3)
"SNDSrvc"=3 (0x3)
"SBService"=2 (0x2)
"SAVScan"=3 (0x3)
"PrismXL"=2 (0x2)
"NPFMntor"=2 (0x2)
"navapsvc"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"McAfeeAntiSpyware"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"AOL ACS"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"StarWindService"=2 (0x2)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)
"NMIndexingService"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)

R2 X4HSX32;X4HSX32;\??\C:\Program Files\GameTap\bin\Release\X4HSX32.Sys
R3 Maplom;Maplom;C:\WINDOWS\system32\drivers\Maplom.sys
S3 PsSdk30;PsSdk30;\??\C:\WINDOWS\system32\Drivers\PsSdk30.drv
S4 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3;C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-14 17:30:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-14 17:31:16
.
--- E O F ---




I accidentally deleted the Avenger log, but I remember clearly it saying that geedc.dll and ssqnmkk.dll were deleted successfully, and I think that cleared it up. Do you see anything wrong still? Let me know. Also, is there any corruption in my registry? I cannot share files with my other computers; it always says not accessible or you do not have permission, and for some reason its SharedDocs folder shows up under the (The Internet) section and not the (Local Network) section on the other computers.

#10 RichieUK (Malware Assassin; Malware Response Team, 13,614 posts)

Posted 14 November 2007 - 06:57 PM

Please double-click OTMoveIt.exe to run it.
Copy the file paths inside the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\WINDOWS\system32\cdeeg.bak1

Return to OTMoveIt, right-click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.

Copy everything in the 'Results' window to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine, choose Yes.

Click on Start/Run, copy and paste ComboFix /u into the 'Open:' space, then press Ok.

Please double-click OTMoveIt.exe to run it.
Click on the 'Cleanup' button.
When you do this, a text file named cleanup.txt will be downloaded from the internet.
If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, you should allow it to do so.
When the 'Confirm' box appears, click 'Yes'.
Restart your PC when prompted.

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear; click on Ok.
The 'Disk Cleanup for [C:]' box will appear; click on the 'More Options' tab.
At the bottom, in the 'System Restore' section, click on the 'Clean up...' button.
A box will pop up: 'Are you sure you want to delete all but the most recent restore point?' Click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Download/install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.

Have HijackThis fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {4B58DB9F-50AB-4DA9-9462-E94DA9383B5A} - C:\WINDOWS\system32\geedc.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O20 - Winlogon Notify: ssqnmkk - ssqnmkk.dll (file missing)

Exit HijackThis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double-click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.

Please run the F-Secure online virus/spyware scan using Internet Explorer:
http://support.f-secure.com/enu/home/ols.shtml
Follow the directions on the F-Secure page for proper installation.
Accept the License Agreement.
Once the ActiveX installs, click 'Custom Scan' and be sure the following are checked:
1. Scan whole System
2. Scan all files
3. Scan whole system for rootkits
4. Scan whole system for spyware
5. Scan inside archives
6. Use advanced heuristics
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the 'I want to decide item by item' button.
For each item found, select 'Disinfect' and click 'Next'.
Click the 'Show Report' button, then copy and paste the entire report into your next reply.

Also post a new HijackThis log, and let me know how your PC is running now.
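The three entries the helper asks HijackThis to fix have one thing in common: each is a registry load point (a BHO CLSID or a Winlogon Notify key) whose DLL has already been deleted, which HijackThis marks as "(file missing)" or "(no file)". The script below is an added example written for this page, not code from the thread, from HijackThis or from the helper. It parses HijackThis-style log lines offline, using a sample built from the lines posted earlier in this thread, classifies them by HijackThis section code, and returns exactly the dangling entries a helper would tick under 'Fix checked'. The section-name table and the function names are my own choices and are not part of the HijackThis tool.

```python
"""Parse HijackThis (HJT) log entries and flag dangling autostart references.

Added example for this thread; it is not code from BleepingComputer, from
HijackThis, or from the helper. HJT tags each finding with a section code
(O2 = Browser Helper Object, O4 = Run key, O20 = Winlogon Notify, O23 =
service, and so on). A target shown as "(file missing)" or "(no file)" is a
registry load point whose DLL is gone: the file was already deleted (here by
Avenger) but the key that loads it survives, and that key is what the helper
asks HijackThis to remove.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4B58DB9F-50AB-4DA9-9462-E94DA9383B5A} - C:\WINDOWS\system32\geedc.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O20 - Winlogon Notify: ssqnmkk - ssqnmkk.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Section codes as HJT prints them; the names are my abbreviations (assumption).
SECTION_NAMES: Dict[str, str] = {
    "R0": "IE start/search page",
    "R1": "IE start/search page",
    "O2": "Browser Helper Object",
    "O4": "Run key autostart",
    "O9": "IE extra button/menu item",
    "O20": "Winlogon Notify DLL",
    "O23": "Service",
}
ORPHAN_MARKERS = ("(file missing)", "(no file)")
ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    section: str            # e.g. "O2"
    kind: str               # human-readable section name
    text: str               # the full log line, as HJT printed it
    clsid: Optional[str]    # CLSID for BHO / extra-button entries, if present
    orphaned: bool          # True when the referenced file no longer exists


def parse_hjt(log: str) -> List[Entry]:
    """Return one Entry per HJT finding; process list and headers are skipped."""
    entries: List[Entry] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # "Running processes:", bare paths, "End of file", blanks
        code, body = m.groups()
        clsid = CLSID_RE.search(body)
        entries.append(Entry(
            section=code,
            kind=SECTION_NAMES.get(code, "other"),
            text=line,
            clsid=clsid.group(0).upper() if clsid else None,
            orphaned=body.endswith(ORPHAN_MARKERS),
        ))
    return entries


def fix_list(log: str) -> List[str]:
    """Lines to tick in HijackThis: load points whose target file is gone."""
    return [e.text for e in parse_hjt(log) if e.orphaned]


def count_by_kind(log: str) -> Dict[str, int]:
    """Number of findings per HJT section, for a quick triage overview."""
    counts: Dict[str, int] = {}
    for e in parse_hjt(log):
        counts[e.kind] = counts.get(e.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, n in sorted(count_by_kind(SAMPLE_LOG).items()):
        print(f"{n:3d}  {kind}")
    print("\nDangling load points to fix:")
    for line in fix_list(SAMPLE_LOG):
        print("  " + line)
```

Feed it a full saved HijackThis log and `fix_list` returns the same three lines the helper listed; entries with a live file (the Adobe BHO, the Avira Run entry, the NVIDIA service) are left alone, because a missing file is the signal here, not the section code itself.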

#11 Xenoghost (Topic Starter; Members, 13 posts)

Posted 14 November 2007 - 08:50 PM

I can't seem to load the F-Secure online scan with Internet Explorer. This seems to be a common problem on all my PCs: IE and Firefox have to be switched and used regularly because each is picky about what pages it likes to load. I know this is not a normal problem; it's probably a configuration problem, but I haven't the foggiest why they act like this.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/14/2007 at 07:13 PM

Application Version : 3.9.1008

Core Rules Database Version : 3344
Trace Rules Database Version: 1345

Scan type : Complete Scan
Total Scan Time : 00:33:59

Memory items scanned : 316
Memory threats detected : 0
Registry items scanned : 5273
Registry threats detected : 0
File items scanned : 26907
File threats detected : 127

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@clickaider[2].txt
C:\Documents and Settings\Owner\Cookies\owner@traffic.buyservices[1].txt
C:\Documents and Settings\Owner\Cookies\owner@redorbit[1].txt
C:\Documents and Settings\Owner\Cookies\owner@network.triadmedianetwork[2].txt
C:\Documents and Settings\Owner\Cookies\owner@cgm.adbureau[2].txt
C:\Documents and Settings\Owner\Cookies\owner@a.websponsors[2].txt
C:\Documents and Settings\Owner\Cookies\owner@edge.ru4[1].txt
C:\Documents and Settings\Owner\Cookies\owner@protect.spyguardpro[1].txt
C:\Documents and Settings\Owner\Cookies\owner@advertising[1].txt
C:\Documents and Settings\Owner\Cookies\owner@cgi-bin[3].txt
C:\Documents and Settings\Owner\Cookies\owner@ad.zanox[1].txt
C:\Documents and Settings\Owner\Cookies\owner@try.screensavers[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adecn[1].txt
C:\Documents and Settings\Owner\Cookies\owner@media.adrevolver[1].txt
C:\Documents and Settings\Owner\Cookies\owner@bs.serving-sys[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.adbrite[1].txt
C:\Documents and Settings\Owner\Cookies\owner@server.iad.liveperson[1].txt
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wfkyklczaho.stats.esomniture[2].txt
C:\Documents and Settings\Owner\Cookies\owner@lw.cdmediaworld[1].txt
C:\Documents and Settings\Owner\Cookies\owner@51911977[2].txt
C:\Documents and Settings\Owner\Cookies\owner@questionmarket[1].txt
C:\Documents and Settings\Owner\Cookies\owner@spyguardpro[2].txt
C:\Documents and Settings\Owner\Cookies\owner@findwhat[1].txt
C:\Documents and Settings\Owner\Cookies\owner@click-fr[1].txt
C:\Documents and Settings\Owner\Cookies\owner@tremor.adbureau[2].txt
C:\Documents and Settings\Owner\Cookies\owner@directtrack[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ehg-tigerdirect2.hitbox[2].txt
C:\Documents and Settings\Owner\Cookies\owner@media6degrees[1].txt
C:\Documents and Settings\Owner\Cookies\owner@revenue[2].txt
C:\Documents and Settings\Owner\Cookies\owner@h.starware[1].txt
C:\Documents and Settings\Owner\Cookies\owner@login.tracking101[3].txt
C:\Documents and Settings\Owner\Cookies\owner@www.launchitmedia[1].txt
C:\Documents and Settings\Owner\Cookies\owner@realmedia[1].txt
C:\Documents and Settings\Owner\Cookies\owner@tacoda[5].txt
C:\Documents and Settings\Owner\Cookies\owner@adserver.easyad[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adserver[1].txt
C:\Documents and Settings\Owner\Cookies\owner@da-tracking[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.zam[2].txt
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt
C:\Documents and Settings\Owner\Cookies\owner@bluestreak[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.toonamijetstream[1].txt
C:\Documents and Settings\Owner\Cookies\owner@clicksor[3].txt
C:\Documents and Settings\Owner\Cookies\owner@www.upspiral[1].txt
C:\Documents and Settings\Owner\Cookies\owner@statcounter[3].txt
C:\Documents and Settings\Owner\Cookies\owner@login.revenueloop[2].txt
C:\Documents and Settings\Owner\Cookies\owner@specificclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.gametap[1].txt
C:\Documents and Settings\Owner\Cookies\owner@zedo[1].txt
C:\Documents and Settings\Owner\Cookies\owner@eas.apm.emediate[2].txt
C:\Documents and Settings\Owner\Cookies\owner@screensavers[2].txt
C:\Documents and Settings\Owner\Cookies\owner@usenext[1].txt
C:\Documents and Settings\Owner\Cookies\owner@cgi-bin[1].txt
C:\Documents and Settings\Owner\Cookies\owner@apmebf[1].txt
C:\Documents and Settings\Owner\Cookies\owner@reunioncom.112.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@fastclick[3].txt
C:\Documents and Settings\Owner\Cookies\owner@adlegend[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.addynamix[1].txt
C:\Documents and Settings\Owner\Cookies\owner@m1.webstats.motigo[1].txt
C:\Documents and Settings\Owner\Cookies\owner@eyewonder[1].txt
C:\Documents and Settings\Owner\Cookies\owner@richmedia.yahoo[1].txt
C:\Documents and Settings\Owner\Cookies\owner@interclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.burstbeacon[1].txt
C:\Documents and Settings\Owner\Cookies\owner@buycom.122.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
C:\Documents and Settings\Owner\Cookies\owner@i.screensavers[1].txt
C:\Documents and Settings\Owner\Cookies\owner@anat.tacoda[2].txt
C:\Documents and Settings\Owner\Cookies\owner@tgn.122.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@toplist[1].txt
C:\Documents and Settings\Owner\Cookies\owner@lynxtrack[2].txt
C:\Documents and Settings\Owner\Cookies\owner@adbrite[2].txt
C:\Documents and Settings\Owner\Cookies\owner@html[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adstats.cdfreaks[2].txt
C:\Documents and Settings\Owner\Cookies\owner@statse.webtrendslive[2].txt
C:\Documents and Settings\Owner\Cookies\owner@servedby.adxpower[2].txt
C:\Documents and Settings\Owner\Cookies\owner@profitistic.directtrack[2].txt
C:\Documents and Settings\Owner\Cookies\owner@weborama[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adopt.specificclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@3.adbrite[2].txt
C:\Documents and Settings\Owner\Cookies\owner@hitbox[2].txt
C:\Documents and Settings\Owner\Cookies\owner@adopt.euroclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@burstnet[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adrevolver[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adrevolver[5].txt
C:\Documents and Settings\Owner\Cookies\owner@trafficmp[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ad[2].txt
C:\Documents and Settings\Owner\Cookies\owner@konami.122.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ehg-globalgamingleague.hitbox[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.burstnet[5].txt
C:\Documents and Settings\Owner\Cookies\owner@casalemedia[2].txt
C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt
C:\Documents and Settings\Owner\Cookies\owner@atwola[1].txt
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6whlouocpiap.stats.esomniture[2].txt
C:\Documents and Settings\Owner\Cookies\owner@overture[1].txt
C:\Documents and Settings\Owner\Cookies\owner@main[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.ppctracking[1].txt
C:\Documents and Settings\Owner\Cookies\owner@upspiral[2].txt
C:\Documents and Settings\Owner\Cookies\owner@try.starware[2].txt
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@1072720508[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt
C:\Documents and Settings\Owner\Cookies\owner@anad.tacoda[2].txt
C:\Documents and Settings\Owner\Cookies\owner@serving-sys[1].txt
C:\Documents and Settings\Owner\Cookies\owner@media.sensis.com[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adcentriconline[2].txt
C:\Documents and Settings\Owner\Cookies\owner@azjmp[1].txt
C:\Documents and Settings\Owner\Cookies\owner@enhance[2].txt
C:\Documents and Settings\Owner\Cookies\owner@2.go.globaladsales[2].txt
C:\Documents and Settings\Owner\Cookies\owner@incentreward.directtrack[2].txt
C:\Documents and Settings\Owner\Cookies\owner@goclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@clickbank[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.try2findclicks[1].txt
C:\Documents and Settings\Owner\Cookies\owner@collective-media[1].txt
C:\Documents and Settings\Owner\Cookies\owner@counter.mycomputer[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.realtechnetwork[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adserver.nathell[1].txt
C:\Documents and Settings\Owner\Cookies\owner@smartadserver[1].txt
C:\Documents and Settings\Owner\Cookies\owner@reduxads.valuead[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adrevolver[2].txt
C:\Documents and Settings\Owner\Cookies\owner@adserver[2].txt
C:\Documents and Settings\Owner\Cookies\owner@adsrevenue[1].txt
C:\Documents and Settings\Owner\Cookies\owner@apmebf[2].txt
C:\Documents and Settings\Owner\Cookies\owner@azjmp[2].txt
C:\Documents and Settings\Owner\Cookies\owner@banner[2].txt
C:\Documents and Settings\Owner\Cookies\owner@clicksor[1].txt
C:\Documents and Settings\Owner\Cookies\owner@cracks[1].txt
C:\Documents and Settings\Owner\Cookies\owner@interclick[2].txt


C:\WINDOWS\system32\cdeeg.bak1 moved successfully.

Created on 11/14/2007 18:05:40

#12 RichieUK (Malware Assassin; Malware Response Team, 13,614 posts)

Posted 14 November 2007 - 09:37 PM

Run this online virus/spyware scan using Internet Explorer:
Kaspersky WebScanner
Next click Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky; click Yes.
• The program will launch and then begin downloading the latest definition files.
• Once the files have been downloaded, click on NEXT.
• Now click on Scan Settings.
• In the scan settings, make sure that the following are selected:
  • Scan using the following Anti-Virus database:
    • Standard
  • Scan Options:
    • Scan Archives
    • Scan Mail Bases
• Click OK.
• Now under 'Select a target to scan':
  • Select My Computer
• This will start the program and scan your system.
• The scan will take a while, so be patient and let it run.
• Once the scan is complete, it will display whether your system has been infected.
• Now click on the Save as Text button.
• Save the file to your desktop.
Copy and paste the contents of that file into your next reply.

#13 Xenoghost

Xenoghost
  • Topic Starter
  • Members
  • 13 posts
  • Local time:02:08 PM

Posted 14 November 2007 - 10:59 PM

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, November 14, 2007 9:58:50 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 15/11/2007
Kaspersky Anti-Virus database records: 431068
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\

Scan Statistics:
Total number of scanned objects: 64146
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 00:54:26

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\yadjutlh.default\cert8.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\yadjutlh.default\history.dat Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\yadjutlh.default\key3.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\yadjutlh.default\parent.lock Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\yadjutlh.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\yadjutlh.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\yadjutlh.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\yadjutlh.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\yadjutlh.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\yadjutlh.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP68\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SD6742616.tmp Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP68\change.log Object is locked skipped

Scan process completed.

#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:09:08 PM

Posted 15 November 2007 - 08:21 AM

Let me know how your PC is running now.
Please do the following:

Please double-click OTMoveIt.exe to run it.
Click on the 'Cleanup' button.
When you do this, a text file named cleanup.txt will be downloaded from the internet.
If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, you should allow it to do so.
When the 'Confirm' box appears, click 'Yes'.
Restart your PC when prompted.

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use the Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use the Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear; click on OK.
The 'Disk Cleanup for [C:]' box will appear; click on the 'More Options' tab.
At the bottom, in the 'System Restore' section, click on the 'Clean up...' button.
A box will pop up: 'Are you sure you want to delete all but the most recent restore point?'. Click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

You should take the time to read and follow the information found in the links below, to help you prevent any possible future infections and stay safe and secure while online:

Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

How to prevent Malware:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

So how did I get infected in the first place:
http://forums.spybot.info/showthread.php?t=279

Malware Cleanup Programs and Preventative Procedures:
http://russelltexas.com/malware/allclear.htm