
Help With Security Toolbar 7.1


  • This topic is locked
5 replies to this topic

#1 aorose1972

aorose1972

  • Members
  • 3 posts

Posted 19 November 2007 - 01:02 PM

HELP HELP, I am having problems with a virus/malware. I have the Security Toolbar 7.1 toolbar and lots of pop-up boxes and new items in my taskbar. I cannot get rid of these. My software is having no effect. It is interfering with using Trend Micro's free HouseCall software. I have run HijackThis and here is the information I received.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:00:30 PM, on 11/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\WarpSpeeder\BSTrayicon.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\whwjkkqs.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Global Startup: WarpSpeeder Tray Icon.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - http://h30155.www3.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4816 bytes

Can someone please help. I am an online student and my computer is critical to me.

Thank you,

Angel

I read an earlier post on this subject and have already downloaded ComboFix. Here are the results from running that.

ComboFix 07-11-08.3 - Angel 2007-11-19 13:10:20.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.463 [GMT -5:00]
Running from: C:\Documents and Settings\Angel\Desktop\ComboFix.exe
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Angel\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Angel\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Angel\Favorites\Online Security Guide.lnk
C:\WINDOWS\system32\pqtss.ini
C:\WINDOWS\system32\pqtss.ini2
C:\WINDOWS\system32\sstqp.dll
C:\WINDOWS\system32\whwjkkqs.dllbox

.
((((((((((((((((((((((((( Files Created from 2007-10-19 to 2007-11-19 )))))))))))))))))))))))))))))))
.

2007-11-19 12:31 <DIR> d-------- C:\Documents and Settings\Angel\.housecall6.6
2007-11-19 12:02 94,480 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-19 11:59 <DIR> d-------- C:\Documents and Settings\Angel\Application Data\HouseCall 6.6
2007-11-19 11:18 2,316 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-19 11:12 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-19 10:46 85,056 --a------ C:\WINDOWS\system32\uemcvnvp.dll
2007-11-19 10:43 83,008 --a------ C:\WINDOWS\system32\vxhavvbu.dll
2007-11-19 10:41 145,984 --a------ C:\WINDOWS\system32\whwjkkqs.dll
2007-11-19 10:40 145,984 --a------ C:\WINDOWS\system32\iplsuwtv.dll
2007-11-19 10:40 71,232 --a------ C:\WINDOWS\system32\cwwmdfpy.exe
2007-11-18 18:51 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-17 23:46 <DIR> d-------- C:\Documents and Settings\Crystal\.housecall6.6
2007-11-17 08:17 <DIR> d-------- C:\Program Files\QdrDrive
2007-11-17 08:17 36,352 --a------ C:\WINDOWS\system32\ssqqrqn.dll
2007-11-17 08:17 35,840 --a------ C:\WINDOWS\mrofinu72.exe
2007-11-17 04:15 <DIR> d-------- C:\Documents and Settings\Angel\Application Data\Apple Computer
2007-11-16 11:37 <DIR> d-------- C:\WINDOWS\cache
2007-11-10 17:08 <DIR> d-------- C:\Program Files\iTunes
2007-11-10 17:08 <DIR> d-------- C:\Program Files\iPod
2007-11-10 17:08 <DIR> d-------- C:\Documents and Settings\Crystal\Application Data\Apple Computer
2007-11-10 17:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-10 17:04 <DIR> d-------- C:\Program Files\Apple Software Update
2007-11-10 17:03 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-11-10 17:03 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-11-09 08:58 <DIR> d-------- C:\Documents and Settings\The Boys\Application Data\MSN6
2007-11-08 11:10 <DIR> d-------- C:\Documents and Settings\Angel\Application Data\Share-to-Web Upload Folder
2007-11-06 20:09 <DIR> d-------- C:\Documents and Settings\Crystal\Application Data\Viewpoint
2007-11-04 16:38 <DIR> d-------- C:\Documents and Settings\Angel\Application Data\Viewpoint
2007-11-04 12:15 <DIR> d-------- C:\Program Files\QdrModule
2007-11-02 21:26 <DIR> d-------- C:\Documents and Settings\Crystal\Application Data\acccore
2007-11-02 16:16 <DIR> d-------- C:\Documents and Settings\Angel\Application Data\acccore
2007-11-02 16:11 <DIR> d-------- C:\Program Files\AIM6
2007-10-30 19:31 <DIR> d-------- C:\Program Files\QuickTime
2007-10-30 19:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-10-28 16:31 <DIR> d-------- C:\MWASPI
2007-10-28 16:31 30,208 --a------ C:\WINDOWS\system32\WNASPI32.DLL
2007-10-28 16:31 8,096 --------- C:\WINDOWS\system32\drivers\MASPINT.SYS
2007-10-28 16:31 4,030 --------- C:\WINDOWS\system\WINASPI.DLL
2007-10-28 16:31 2,486 --------- C:\WINDOWS\system\AS16POST.BIN
2007-10-28 16:29 <DIR> d-------- C:\Program Files\PIXELA
2007-10-28 16:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\QuickTime
2007-10-28 16:24 28,672 --a------ C:\WINDOWS\system32\qttask.exe
2007-10-28 16:23 <DIR> d-------- C:\Program Files\FinePixViewer
2007-10-28 16:22 <DIR> d-------- C:\Program Files\REGSHAVE
2007-10-28 16:22 81,924 --------- C:\WINDOWS\system32\drivers\VC4CB104.SYS
2007-10-28 16:22 69,632 --a------ C:\WINDOWS\system32\Fregshex.dll
2007-10-28 16:22 65,536 --a------ C:\WINDOWS\system32\FINFCHECK.dll
2007-10-28 16:22 45,056 --a------ C:\WINDOWS\system32\FINFCOPY.dll
2007-10-28 16:22 45,056 --a------ C:\WINDOWS\system32\FCLKBTN.dll
2007-10-19 11:56 30 --a------ C:\WINDOWS\INTURS.DAT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-19 18:14 133,724 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-19 18:14 12,236,832 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-18 23:26 --------- d-----w C:\Program Files\Yahoo!
2007-11-02 21:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-11-02 21:11 --------- d-----w C:\Program Files\Common Files\AOL
2007-11-02 21:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-28 21:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-28 21:22 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-17 16:11 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-16 23:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-10-16 00:59 --------- d-----w C:\Documents and Settings\Crystal\Application Data\Share-to-Web Upload Folder
2007-10-15 19:23 --------- d-----w C:\Documents and Settings\The Boys\Application Data\Share-to-Web Upload Folder
2007-10-15 02:55 --------- d-----w C:\Program Files\Hewlett-Packard
2007-10-13 16:29 --------- d-----w C:\Program Files\Google
2007-10-12 21:35 --------- d-----w C:\Program Files\Viewpoint
2007-10-11 17:51 --------- d-----w C:\Program Files\microsoft frontpage
2007-10-11 17:44 --------- d-----w C:\Documents and Settings\Angel\Application Data\Microsoft Web Folders
2007-10-10 03:25 --------- d-----w C:\Documents and Settings\Angel\Application Data\Yahoo!
2007-10-10 01:56 --------- d-----w C:\Documents and Settings\Crystal\Application Data\Yahoo!
2007-10-09 19:32 --------- d-----w C:\Documents and Settings\The Boys\Application Data\Yahoo!
2007-10-09 17:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-10-09 16:59 --------- d-----w C:\Documents and Settings\Angel\Application Data\MSN6
2007-10-09 16:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\MSN6
2007-10-09 14:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-10-09 14:43 --------- d-----w C:\Program Files\Lavasoft
2007-10-09 14:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-09 14:42 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-09 14:40 --------- d-----w C:\Program Files\Microsoft Games
2007-10-09 14:38 --------- d-----w C:\Program Files\Alwil Software
2007-10-09 14:28 --------- d-----w C:\Program Files\Intuit
2007-10-09 14:26 --------- d-----w C:\Program Files\BillP Studios
2007-10-09 14:23 --------- d-----w C:\Program Files\Java
2007-10-09 14:23 --------- d-----w C:\Program Files\Common Files\Java
2007-10-09 14:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2007-10-09 14:22 --------- d-----w C:\Program Files\Common Files\Jasc Software Inc
2007-10-09 14:22 --------- d-----w C:\Documents and Settings\Angel\Application Data\Jasc Software Inc
2007-10-09 14:21 --------- d-----w C:\Program Files\Jasc Software Inc
2007-10-09 14:18 --------- d-----w C:\Program Files\WarpSpeeder
2007-10-09 14:18 --------- d-----w C:\Program Files\AMD
2007-10-09 14:17 --------- d-----w C:\Program Files\Winflash
2007-10-09 14:17 --------- d-----w C:\Program Files\Driver
2007-10-09 14:09 --------- d-----w C:\Program Files\nVIDIA
2007-09-06 20:14 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-09-06 20:14 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2002-10-01 13:00:00 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 07:56:48 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 07:56:44 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2004-08-04 07:56:44 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 07:56:44 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 07:56:44 343,040 --sh--w C:\WINDOWS\system32\msvcrt.dll
2004-08-04 07:56:46 553,472 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 07:56:46 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
2004-08-04 07:56:56 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe
.

((((((((((((((((((((((((((((( snapshot@2007-11-19_12.27.55.65 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-19 18:16:51 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_770.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-19 10:41 145984 --a------ C:\WINDOWS\system32\whwjkkqs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}]
2007-11-17 08:17 36352 --a------ C:\WINDOWS\system32\ssqqrqn.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\whwjkkqs.dll [2007-11-19 10:41 145984]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe" [2004-06-03 21:05]
"WinPatrol"="C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe" [2004-03-18 15:27]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 15:14]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 00:06]
"Aim6"="" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Billminder.lnk - C:\QUICKENW\BILLMIND.EXE [2007-10-09 09:28:46]
Exif Launcher.lnk - C:\Program Files\FinePixViewer\QuickDCF.exe [2002-01-09 21:53:14]
HPAiODevice(hp psc 700 series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe [2002-04-24 00:28:32]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56]
Quicken Startup.lnk - C:\QUICKENW\QWDLLS.EXE [2007-10-09 09:28:52]
WarpSpeeder Tray Icon.lnk - C:\Program Files\WarpSpeeder\BSTrayicon.exe [2007-10-09 09:18:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}"= C:\WINDOWS\system32\ssqqrqn.dll [2007-11-17 08:17 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqqrqn]
ssqqrqn.dll 2007-11-17 08:17 36352 C:\WINDOWS\system32\ssqqrqn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\whwjkkqs]
whwjkkqs.dll 2007-11-19 10:41 145984 C:\WINDOWS\system32\whwjkkqs.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\sstqp.dll

R0 nvp2p;NVIDIA PCI to PCI Bridge Filter;C:\WINDOWS\system32\DRIVERS\nvp2p.sys
R1 BIOS;BIOS;\??\C:\WINDOWS\system32\drivers\BIOS.sys
R1 BS_I2cIo;BS_I2cIo;\??\C:\WINDOWS\system32\drivers\BS_I2cIo.sys
R2 mrtRate;mrtRate;C:\WINDOWS\system32\drivers\mrtRate.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f48aee8-764b-11dc-b786-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-17 19:53:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-19 13:17:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\whwjkkqs.dllbox

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2007-11-19 13:18:35 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-19 12:28
.
--- E O F ---

And the results from rerunning HijackThis after ComboFix:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:21:28 PM, on 11/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\WarpSpeeder\BSTrayicon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\whwjkkqs.dll
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\ssqqrqn.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\whwjkkqs.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Global Startup: WarpSpeeder Tray Icon.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - http://h30155.www3.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O20 - Winlogon Notify: ssqqrqn - C:\WINDOWS\SYSTEM32\ssqqrqn.dll
O20 - Winlogon Notify: whwjkkqs - C:\WINDOWS\SYSTEM32\whwjkkqs.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5473 bytes

Edited by aorose1972, 19 November 2007 - 01:23 PM.



#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 19 November 2007 - 01:21 PM

Hello Angel,

Most probably you are dealing with a version of Vundo which targets HijackThis, so HijackThis doesn't show its related entries in a log. This one is particularly nasty, so we'll need to work hard at it. :thumbsup:
Please navigate to your HijackThis folder. Rename your hijackthis.exe to analyse.exe
Reboot.
Then doubleclick analyse.exe and post the log from it in your next reply. (this will be a HijackThis log of course)

Thanks.
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 aorose1972

aorose1972
  • Topic Starter

  • Members
  • 3 posts

Posted 19 November 2007 - 01:30 PM

Did the rename and reboot; here is the new log file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:26:55 PM, on 11/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\WarpSpeeder\BSTrayicon.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Trend Micro\HijackThis\analyse.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoflt07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\whwjkkqs.dll
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\ssqqrqn.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\whwjkkqs.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Global Startup: WarpSpeeder Tray Icon.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - http://h30155.www3.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O20 - Winlogon Notify: ssqqrqn - C:\WINDOWS\SYSTEM32\ssqqrqn.dll
O20 - Winlogon Notify: whwjkkqs - C:\WINDOWS\SYSTEM32\whwjkkqs.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5405 bytes
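A log diff and triage helper, added here as an example and not part of the thread or of HijackThis itself. Its sample input is a constructed excerpt of the logs posted above (the first log versus the log taken after ComboFix and the rename to analyse.exe), and the flagging rules are this example's own heuristics, not anything the forum helper used.

```python
"""Diff two HijackThis logs and flag the load points a responder would review.

Added example; the sample logs are short excerpts (constructed subsets, lines
copied verbatim) of the logs posted in this thread.
"""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section detail")

# HijackThis entries look like "O20 - Winlogon Notify: ssqqrqn - C:\WINDOWS\SYSTEM32\ssqqrqn.dll"
LINE_RE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.*)$")
# Heuristic for this example: 7-8 random lowercase letters as a DLL dropped directly in system32.
RANDOM_DLL_RE = re.compile(r"\\system32\\[a-z]{7,8}\.dll$", re.IGNORECASE)
# Drive-letter path ending in .dll/.exe (may contain spaces).
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:dll|exe))", re.IGNORECASE)

# Excerpt of the first log in the thread (constructed subset).
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\whwjkkqs.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Excerpt of the later log, after ComboFix and the rename (constructed subset).
LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\whwjkkqs.dll
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\ssqqrqn.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\whwjkkqs.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O20 - Winlogon Notify: ssqqrqn - C:\WINDOWS\SYSTEM32\ssqqrqn.dll
O20 - Winlogon Notify: whwjkkqs - C:\WINDOWS\SYSTEM32\whwjkkqs.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


def parse_hjt(text):
    """Return the HijackThis entries in a log, skipping header and process lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def diff_logs(before, after):
    """(entries that appeared in the later log, entries that disappeared)."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(a - b), sorted(b - a)


def flag_entry(entry):
    """Reasons an entry deserves a closer look; an empty list means nothing stood out."""
    reasons = []
    if entry.section == "O20" and entry.detail.startswith("Winlogon Notify"):
        reasons.append("Winlogon Notify DLL: loaded into winlogon.exe at every logon")
    if (entry.section == "O2" and entry.detail.startswith("BHO: (no name)")
            and "(no file)" not in entry.detail):
        reasons.append("unnamed BHO backed by a real file")
    if RANDOM_DLL_RE.search(entry.detail):
        reasons.append("random-looking DLL name directly in system32")
    return reasons


def review(text):
    """(entry, reasons) for every flagged entry in a log, in log order."""
    flagged = []
    for entry in parse_hjt(text):
        reasons = flag_entry(entry)
        if reasons:
            flagged.append((entry, reasons))
    return flagged


def load_points_by_file(text):
    """Map each DLL/EXE basename to the set of sections it is registered in.

    One file behind several load points (BHO + toolbar + Winlogon Notify) is the
    persistence pattern visible in the logs above.
    """
    by_file = {}
    for entry in parse_hjt(text):
        m = PATH_RE.search(entry.detail)
        if m:
            name = m.group(1).rsplit("\\", 1)[-1].lower()
            by_file.setdefault(name, set()).add(entry.section)
    return by_file


if __name__ == "__main__":
    added, removed = diff_logs(LOG_BEFORE, LOG_AFTER)
    print(f"{len(added)} new entries, {len(removed)} gone")
    for entry, reasons in review(LOG_AFTER):
        print(f"{entry.section}: {entry.detail}\n    " + "; ".join(reasons))
    for name, sections in sorted(load_points_by_file(LOG_AFTER).items()):
        if len(sections) > 1:
            print(f"{name} registered at {sorted(sections)}")
```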

#4 aorose1972

aorose1972
  • Topic Starter

  • Members
  • 3 posts

Posted 19 November 2007 - 02:42 PM

Did I do this correctly?

#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 30 November 2007 - 10:29 AM

Hello,

I apologize for my delayed reply. :thumbsup: I had to move without warning and had no choice. Can you please tell me how your computer is running? And yes, you did that perfectly. :blink:

Thanks,
tea

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 10 December 2007 - 10:53 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic



