Security Toolbar 7.1


This topic is locked. 16 replies to this topic.

#1 Devin-Squared (Members, 17 posts)

Posted 13 December 2007 - 12:29 PM

Hi, my name is Devin and I am having a problem with my office computer. I have something called Security Toolbar 7.1 attached to my Internet Explorer, and to my understanding it has something to do with a trojan named Zlob. I have not found any free ways to get rid of it and would appreciate your help. I have run all the required steps to be run before posting a log file, so now I am posting this to get your feedback. Thank you in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:32:17 PM, on 12/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\System32\uukaprkf.exe
C:\windows\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\windows\Explorer.EXE
C:\windows\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\windows\system32\rxsxjuya.dll
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [68b8ff21] rundll32.exe "C:\windows\system32\bkvmqgqk.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ProSmile.local
O17 - HKLM\Software\..\Telephony: DomainName = ProSmile.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ProSmile.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ProSmile.local
O23 - Service: DomainService - - C:\windows\System32\uukaprkf.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\WindowsUpdate\rteremej.html

--
End of file - 2581 bytes

#2 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 13 December 2007 - 02:02 PM

Hi,

"Hi my name is Devin and I am having a problem with my office computer"

Since you are posting a log from a company-owned computer, there are a few things that need attention first before we proceed with this.

* You must inform your Supervisor immediately.

This is because:
  • Most company machines are connected to a network at some time or other, and your infection may compromise the security of that network.
  • If sensitive material is compromised by an infection, your company could be held liable.
* Your company must give permission for us to give you assistance.

This is because:
  • We are not here to replace your company's IT Department. If there is an IT Department, then they are responsible for dealing with this.
  • There may be sensitive material on your computer that your company would not want revealed in an open forum.
Also, what I really don't understand for an office computer is the fact that you don't even have an antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!

* Please install Avira Antivirus: http://www.free-av.com/
This is a free antivirus.

Perform a full scan with Avira and let it delete everything it finds.
Then reboot.
After the reboot, open Avira and select "reports".
There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.
Then we'll start from there, because otherwise it really makes no sense for us to clean this up manually when no antivirus scanner is present, which should be able to deal with most of it and prevent further reinfection.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Devin-Squared (Topic Starter, Members, 17 posts)

Posted 13 December 2007 - 02:22 PM

Yeah, I probably should have been clearer with what I meant by 'office.' It is my personal office at home; I am not on a network, nor do I have an IT department. It's just me and my meager knowledge of computers. I was just looking for some help with this problem.

#4 miekiemoes (Malware Response Team)

Posted 13 December 2007 - 02:35 PM

Ah, ok.

Well, anyway, you really need an antivirus, because I understand that you use your computer for work, and without any security present your system is wide open to infection and all your data may be collected.

So please install the antivirus I recommended and perform the full scan with it. Then reboot and post the log from the scan in your next reply together with a new HijackThis log.

#5 miekiemoes (Malware Response Team)

Posted 21 December 2007 - 11:48 AM

Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

#6 miekiemoes (Malware Response Team)

Posted 04 January 2008 - 02:36 AM

Thread reopened.

Please perform my steps, install Avira and perform a full scan with it.

Then post the log in your next reply together with a new HijackThis log.

#7 Devin-Squared (Topic Starter)

Posted 05 January 2008 - 10:10 AM

Thank you for reopening my topic. I ran the Avira scan and got rid of what came up while scanning. Avira was then giving me an annoying problem because it could not get rid of one of the problem files, so I installed AVG free anti-virus software and got rid of what Avira could not. This is my most current scan with HijackThis. I really appreciate the help, btw.

- Devin

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:10:24 AM, on 1/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\windows\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\windows\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\windows\system32\ctfmon.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {178D4E6A-BA5A-4ECB-8521-F7B8393FDB97} - C:\windows\System32\nnnmnmm.dll (file missing)
O2 - BHO: (no name) - {44E2E190-3938-4428-B5D5-2894BCDBB4BA} - C:\windows\System32\byvsq.dll (file missing)
O2 - BHO: 0 - {5CAD637B-FA39-4502-B7B7-535D73B51901} - C:\Program Files\WindowsUpdate\qujaxip780.dll (file missing)
O2 - BHO: (no name) - {70D77A09-F604-470A-AEFA-B7A95CF804BB} - C:\Program Files\Common Files\mewof83122.dll (file missing)
O2 - BHO: {1a6a851c-7302-e648-8f04-026dcc8edb2b} - {b2bde8cc-d620-40f8-846e-2037c158a6a1} - C:\windows\system32\ftfjoiuv.dll (file missing)
O2 - BHO: (no name) - {B536F587-CC3E-4D45-AC81-58E65C7DE1BA} - C:\Program Files\Common Files\mewof4444.dll (file missing)
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [68b8ff21] rundll32.exe "C:\windows\system32\jfnthcef.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ProSmile.local
O17 - HKLM\Software\..\Telephony: DomainName = ProSmile.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ProSmile.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ProSmile.local
O20 - Winlogon Notify: nnnmnmm - nnnmnmm.dll (file missing)
O20 - Winlogon Notify: rxsxjuya - rxsxjuya.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DomainService - Unknown owner - C:\windows\System32\uukaprkf.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\WindowsUpdate\rteremej.html

--
End of file - 4443 bytes
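
As an added triage helper (not code from this thread, nor from the HijackThis or ComboFix projects), the following Python script parses lines in the HijackThis format used in posts #1 and #7 and flags the patterns those two logs show: entries whose file is missing, browser and Winlogon hooks that load randomly named modules, a hex-named Run value that loads a DLL through rundll32, a service with no publisher, and an Active Desktop component backed by a local HTML file. The sample lines are constructed from the logs above; the heuristics, thresholds and function names are assumptions of this example, not HijackThis features.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section detail reasons")

# Constructed sample in the shape of the HijackThis v2.0.2 logs posted in this thread.
# The paths and CLSIDs are copied from those logs; the selection of lines is ours.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {44E2E190-3938-4428-B5D5-2894BCDBB4BA} - C:\windows\System32\byvsq.dll (file missing)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\windows\system32\rxsxjuya.dll
O4 - HKLM\..\Run: [68b8ff21] rundll32.exe "C:\windows\system32\bkvmqgqk.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O20 - Winlogon Notify: rxsxjuya - rxsxjuya.dll (file missing)
O23 - Service: DomainService - - C:\windows\System32\uukaprkf.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\WindowsUpdate\rteremej.html
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# First drive-letter path in the entry, up to the module's extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:dll|exe|html)\b', re.IGNORECASE)
# Module names made only of 5-8 lowercase letters, as the Zlob components in this thread are
# (heuristic chosen for this example; applied only to O2/O3/O20 hooks to avoid ctfmon-style false hits).
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,8}\.(?:dll|exe)$")
# Run value names that are an 8-digit hex string, e.g. [68b8ff21].
HEX_VALUE_RE = re.compile(r"\[[0-9a-f]{8}\]")


def module_name(detail):
    """Basename of the loaded file: from a full path if present, else the bare file name."""
    m = PATH_RE.search(detail)
    if m:
        return m.group(0).rsplit("\\", 1)[-1].lower()
    m = re.search(r"([\w.-]+\.(?:dll|exe))", detail, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def service_company(detail):
    """Company field of an O23 line: 'Service: <display name> - <company> - <path>'."""
    m = PATH_RE.search(detail)
    head = detail[:m.start()] if m else detail
    fields = head.replace("Service:", "", 1).strip().rstrip(" -").split(" - ")
    return fields[1].strip() if len(fields) > 1 else ""


def analyze_entry(section, detail):
    """Return the reasons an entry deserves a closer look (empty list = nothing noticed)."""
    reasons = []
    name = module_name(detail)
    if "(file missing)" in detail:
        reasons.append("entry points at a file that no longer exists (orphan left by a cleanup)")
    if section in ("O2", "O3", "O20") and RANDOM_NAME_RE.match(name):
        reasons.append("browser/Winlogon hook loads a randomly named module: " + name)
    if section == "O4" and "rundll32.exe" in detail.lower() and HEX_VALUE_RE.search(detail):
        reasons.append("Run value with a hex-string name loads a DLL through rundll32")
    if section == "O23" and service_company(detail) in ("", "Unknown owner"):
        reasons.append("service has no publisher name")
    if section == "O24" and name.endswith(".html"):
        reasons.append("Active Desktop component backed by a local HTML file (fake alert hallmark)")
    return reasons


def analyze_log(text):
    """Parse every 'Onn - ...' line and keep the ones that raised at least one reason."""
    findings = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, detail = m.groups()
        reasons = analyze_entry(section, detail)
        if reasons:
            findings.append(Finding(section, detail, reasons))
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f.section}: {f.detail}")
        for r in f.reasons:
            print("    ->", r)
```

Legitimate entries such as the Acrobat BHO, the AVG Run values and the HP service pass through unflagged; the script only narrows down what a helper should look at, it does not decide what to delete.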

#8 miekiemoes (Malware Response Team)

Posted 05 January 2008 - 10:28 AM

Hi,

* Download ComboFix from here.
**Save it to your desktop**

In case you have used ComboFix before, please delete the version you have and download it again, because ComboFix is updated every day.

In case your antivirus or any other realtime scanner displays an alert after you downloaded ComboFix or while you use ComboFix, please disable your scanner and redownload ComboFix, because some scanners may see some ComboFix-related components as suspicious and block or delete them while there's nothing wrong with them.


* Double-click combofix.exe
Follow the prompts.
Note - Your internet connection will be terminated while ComboFix runs. Do not attempt to re-enable it. Should ComboFix terminate prematurely, restart the computer to restore connectivity.
Don't click on the window while the fix is running, because that will cause your system to hang.
In case you see a sed.cfexe error with the option to send a report or not, choose "don't send".

When finished and after the reboot (in case it rebooted), ComboFix will open again to gather the necessary information for the log. This may take a bit. When done, ComboFix will close and a log should open, combofix.txt.
Post the contents of this log in your next reply together with a new HijackThis log.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

#9 Devin-Squared (Topic Starter)

Posted 05 January 2008 - 12:05 PM

Here is my ComboFix log as well as my new HijackThis log:

ComboFix 08-01-05.8 - Administrator 2008-01-05 11:51:01.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.160 [GMT -8:00]
Running from: C:\Temp\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Administrator\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk
C:\Documents and Settings\Administrator\ResErrors.log
C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\QBDataServiceUser17\Application Data\NetMon
C:\Documents and Settings\QBDataServiceUser17\Application Data\NetMon\domains.txt
C:\Documents and Settings\QBDataServiceUser17\Application Data\NetMon\log.txt
C:\Program Files\folder.js\
C:\Program Files\ini.ini\
C:\Program Files\Temporary
C:\Program Files\WindowsUpdate\rteremej.html
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\xOe
C:\Temp\xOe\tOasF.log
C:\UGA6P
C:\windows\cookies.ini
C:\windows\IA
C:\windows\IA\KE.vbs
C:\windows\system32\a8
C:\windows\system32\mcrh.tmp
C:\windows\system32\pac.txt
C:\windows\system32\rxrlrhcj.exe
C:\windows\system32\rxsxjuya.dllbox
C:\windows\system32\vMW02a

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FMTR
-------\LEGACY_NWSAPAGENT
-------\DomainService
-------\nm
-------\NwSapAgent


((((((((((((((((((((((((( Files Created from 2007-12-05 to 2008-01-05 )))))))))))))))))))))))))))))))
.

2008-01-05 11:49 . 2008-01-05 11:49 1,494,956 --a------ C:\Temp\ComboFix.exe
2008-01-05 11:49 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-03 17:35 . 2008-01-03 17:35 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-01-03 17:35 . 2008-01-03 17:35 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2008-01-03 17:30 . 2008-01-03 17:30 805,321 --ahs---- C:\WINDOWS\system32\dduuroct.ini
2008-01-02 13:43 . 2008-01-02 13:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-01-02 13:42 . 2008-01-02 13:42 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-02 13:41 . 2008-01-02 13:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-02 13:41 . 2008-01-02 13:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-02 13:37 . 2008-01-02 13:37 31,768,752 --a------ C:\Temp\avg75free_516a1225.exe
2008-01-02 13:16 . 2008-01-02 13:08 481,855 --ahs---- C:\WINDOWS\system32\qsvyb.ini
2008-01-02 12:45 . 2008-01-02 18:49 485,234 --ahs---- C:\WINDOWS\system32\qsvyb.ini2
2008-01-02 12:25 . 2008-01-02 12:25 1,031,398 --ahs---- C:\WINDOWS\system32\fechtnfj.ini
2008-01-02 12:25 . 2008-01-02 12:45 481,855 --ahs---- C:\WINDOWS\system32\qsvyb.tmp
2007-12-31 15:04 . 2002-04-15 21:11 67,866 --------- C:\WINDOWS\system32\drivers\netwlan5.img
2007-12-31 15:04 . 2004-08-04 00:56 11,776 --a------ C:\WINDOWS\system32\spnpinst.exe
2007-12-31 15:04 . 2004-08-02 14:20 7,208 --a------ C:\WINDOWS\system32\secupd.sig
2007-12-31 15:04 . 2004-08-02 14:20 4,569 --a------ C:\WINDOWS\system32\secupd.dat
2007-12-31 14:05 . 2007-12-31 14:05 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-31 14:05 . 2007-12-31 14:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-12-31 13:33 . 2005-10-20 14:20 1,082,368 --a------ C:\WINDOWS\system32\esent.dll
2007-12-31 12:55 . 2007-12-21 16:10 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-12-31 12:55 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-12-30 19:12 . 2007-12-30 19:13 <DIR> d-------- C:\WINDOWS\system32\bits
2007-12-30 19:03 . 2004-08-03 23:56 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2007-12-30 19:03 . 2004-08-03 23:56 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2007-12-30 19:03 . 2004-08-03 23:56 8,192 --a------ C:\WINDOWS\system32\bitsprx2.dll
2007-12-30 19:03 . 2004-08-03 23:56 7,168 --a------ C:\WINDOWS\system32\bitsprx3.dll
2007-12-30 18:44 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-12-30 18:44 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-12-30 18:44 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2007-12-30 18:44 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2007-12-30 18:44 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2007-12-30 18:44 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\system32\wups.dll
2007-12-30 18:44 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2007-12-30 18:44 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2007-12-30 18:44 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2007-12-30 17:27 . 2007-12-31 13:02 793,752 --ahs---- C:\WINDOWS\system32\adatmpif.ini
2007-12-28 20:41 . 2007-12-28 20:41 2 --a------ C:\WINDOWS\msoffice.ini
2007-12-28 19:42 . 2003-03-03 08:24 33,792 --a------ C:\WINDOWS\ieuninst.exe
2007-12-28 18:08 . 2007-12-28 20:11 789,788 --ahs---- C:\WINDOWS\system32\hagwbtna.ini
2007-12-19 18:49 . 2006-08-21 01:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-12-19 18:49 . 2006-08-21 01:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-12-19 18:49 . 2006-08-21 04:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-12-13 14:49 . 2008-01-02 13:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-12-13 10:40 . 2007-07-09 05:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-12-13 09:51 . 2007-12-13 13:40 854,535 --ahs---- C:\WINDOWS\system32\kqgqmvkb.ini
2007-12-12 16:31 . 2007-12-13 09:49 781,256 --ahs---- C:\WINDOWS\system32\ytkhxixe.ini
2007-12-12 14:37 . 2004-08-03 23:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-12-12 14:30 . 2007-12-12 14:30 <DIR> d-------- C:\WINDOWS\provisioning
2007-12-12 14:30 . 2007-12-12 14:30 <DIR> d-------- C:\WINDOWS\peernet
2007-12-12 14:21 . 2007-12-12 14:21 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-12-12 14:04 . 2007-12-12 14:04 <DIR> d-------- C:\WINDOWS\EHome
2007-12-12 13:27 . 2007-12-12 16:27 859,050 --ahs---- C:\WINDOWS\system32\gpgckthi.ini
2007-12-11 13:16 . 2007-12-12 13:21 793,102 --ahs---- C:\WINDOWS\system32\vjdidxkx.ini
2007-12-11 13:11 . 2007-12-11 13:11 914,332 --ahs---- C:\WINDOWS\system32\wioaysfn.ini
2007-12-10 10:01 . 2007-12-11 13:10 851,325 --ahs---- C:\WINDOWS\system32\gjgddodn.ini
2007-12-08 11:31 . 2007-12-10 09:55 891,635 --ahs---- C:\WINDOWS\system32\gvqeydyq.ini
2007-12-06 16:45 . 2007-12-08 11:25 860,632 --ahs---- C:\WINDOWS\system32\uijgxgqt.ini
2007-12-05 12:46 . 2007-12-05 12:46 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-05 12:46 . 2007-12-05 12:46 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-01 00:25 --------- d-----w C:\Program Files\Yahoo!
2007-12-31 21:25 66 ----a-w C:\Program Files\ini.ini
2007-12-31 01:23 --------- d-----w C:\Program Files\Common Files\AOL
2007-12-29 04:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-29 04:42 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AOL
2007-12-29 03:44 --------- d-----w C:\Program Files\PC Doctor for Windows NT
2007-12-29 03:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-13 19:27 --------- d-----w C:\Program Files\Symantec
2007-12-13 19:27 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-13 10:25 20,480 ----a-w C:\windows\system32\drivers\secdrv.sys
2007-06-14 09:22 2,231 ----a-w C:\Program Files\folder.js
2003-11-21 05:19 20,928 ---ha-w C:\Program Files\inv9.GID
2003-11-21 04:47 420,056 ----a-w C:\Program Files\inventory planner.EXE
2003-07-15 19:57 32,392 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
1998-05-13 23:09 3,615 ----a-w C:\Program Files\Inv9.cnt
1998-05-13 23:09 287,077 ----a-w C:\Program Files\Inv9.hlp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{44E2E190-3938-4428-B5D5-2894BCDBB4BA}]
C:\windows\System32\byvsq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5CAD637B-FA39-4502-B7B7-535D73B51901}]
C:\Program Files\WindowsUpdate\qujaxip780.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{70D77A09-F604-470A-AEFA-B7A95CF804BB}]
C:\Program Files\Common Files\mewof83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b2bde8cc-d620-40f8-846e-2037c158a6a1}]
C:\windows\system32\ftfjoiuv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B536F587-CC3E-4D45-AC81-58E65C7DE1BA}]
C:\Program Files\Common Files\mewof4444.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" [ ]
"68b8ff21"="C:\windows\system32\jfnthcef.dll" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-02 13:51 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-02 13:41 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnmnmm]
nnnmnmm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rxsxjuya]
rxsxjuya.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DataViz Inc Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DataViz Inc Messenger.lnk
backup=C:\windows\pss\DataViz Inc Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Name Grabber.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Name Grabber.lnk
backup=C:\windows\pss\Name Grabber.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Database Server Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Database Server Manager.lnk
backup=C:\windows\pss\QuickBooks Database Server Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\68b8ff21]
C:\windows\System32\antbwgah.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
C:\PROGRA~1\AOL9~1.0\AOL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
C:\windows\avp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2003-09-01 18:52 376912 C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-09-25 16:52 50736 C:\Program Files\Common Files\AOL\1141496361\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-06-24 14:16 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTSMMSG]
--a------ 2001-10-16 19:06 45056 C:\WINDOWS\LTSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 08:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-01-14 17:27 77824 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\windows\tsitra1000106.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
C:\Program Files\Common Files\AVSystemCare\bm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-04-13 02:48 36975 C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.8.5\webbuying.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"DomainService"=2 (0x2)
"AOL ACS"=2 (0x2)
"iPodService"=3 (0x3)
"Alerter"=3 (0x3)
"6to4"=2 (0x2)
"DefWatch"=2 (0x2)
"QBFCService"=3 (0x3)
"MDM"=2 (0x2)
"cmdService"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"QuickBooksDB17"=2 (0x2)

R2 QuickBooksDB17;QuickBooksDB17;C:\PROGRA~1\Intuit\QUICKB~2\QBDBMgrN.exe [2006-09-13 10:32]
R3 ALiIRDA;ALi Infrared Device Driver;C:\windows\system32\DRIVERS\alifir.sys [2001-08-17 05:49]
R3 CONAN;CONAN;C:\windows\system32\drivers\o2mmb.sys [2002-09-25 23:43]
R3 LucentSoftModem;Lucent Technologies Soft Modem;C:\windows\system32\DRIVERS\LTSM.sys [2001-10-16 19:06]
S2 SuniUSB;Suni Imaging USB Service;C:\windows\system32\DRIVERS\SuniUSB.sys [2003-05-09 08:37]
S3 LCcfltr;Logitech USB Filter Driver;C:\windows\system32\drivers\lccfltr.sys [2002-11-08 01:50]
S3 Phil8116;Suni Imaging Microsystem VGA Digital Camera; Video;C:\windows\system32\DRIVERS\CamDrC21.sys []
S3 PRISM;Intersil PRISM Wireless LAN Driver;C:\windows\system32\DRIVERS\PRISMNDS.sys [2002-06-16 17:26]

.
Contents of the 'Scheduled Tasks' folder
"2003-10-14 19:16:43 C:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1057690422.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-05 12:02:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-05 12:04:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-05 20:04:18
.
2008-01-05 00:00:52 --- E O F ---




HIJACKTHIS:::

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:09:47 PM, on 1/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\windows\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\windows\Explorer.EXE
C:\windows\system32\ctfmon.exe
C:\windows\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {44E2E190-3938-4428-B5D5-2894BCDBB4BA} - C:\windows\System32\byvsq.dll (file missing)
O2 - BHO: 0 - {5CAD637B-FA39-4502-B7B7-535D73B51901} - C:\Program Files\WindowsUpdate\qujaxip780.dll (file missing)
O2 - BHO: (no name) - {70D77A09-F604-470A-AEFA-B7A95CF804BB} - C:\Program Files\Common Files\mewof83122.dll (file missing)
O2 - BHO: {1a6a851c-7302-e648-8f04-026dcc8edb2b} - {b2bde8cc-d620-40f8-846e-2037c158a6a1} - C:\windows\system32\ftfjoiuv.dll (file missing)
O2 - BHO: (no name) - {B536F587-CC3E-4D45-AC81-58E65C7DE1BA} - C:\Program Files\Common Files\mewof4444.dll (file missing)
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [68b8ff21] rundll32.exe "C:\windows\system32\jfnthcef.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-997987417-2720296727-3431213774-1006\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'QBDataServiceUser17')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ProSmile.local
O17 - HKLM\Software\..\Telephony: DomainName = ProSmile.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ProSmile.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ProSmile.local
O20 - Winlogon Notify: nnnmnmm - nnnmnmm.dll (file missing)
O20 - Winlogon Notify: rxsxjuya - rxsxjuya.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: QuickBooksDB17 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~2\QBDBMgrN.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 4401 bytes

#10 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 05 January 2008 - 12:24 PM

Hi,

Let's deal with the rest now..

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
C:\WINDOWS\system32\dduuroct.ini
C:\WINDOWS\system32\qsvyb.ini
C:\WINDOWS\system32\qsvyb.ini2
C:\WINDOWS\system32\fechtnfj.ini
C:\WINDOWS\system32\qsvyb.tmp
C:\WINDOWS\system32\adatmpif.ini
C:\WINDOWS\system32\hagwbtna.ini
C:\WINDOWS\system32\kqgqmvkb.ini
C:\WINDOWS\system32\ytkhxixe.ini
C:\WINDOWS\system32\gpgckthi.ini
C:\WINDOWS\system32\vjdidxkx.ini
C:\WINDOWS\system32\wioaysfn.ini
C:\WINDOWS\system32\gjgddodn.ini
C:\WINDOWS\system32\gvqeydyq.ini
C:\WINDOWS\system32\uijgxgqt.ini

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{44E2E190-3938-4428-B5D5-2894BCDBB4BA}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5CAD637B-FA39-4502-B7B7-535D73B51901}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{70D77A09-F604-470A-AEFA-B7A95CF804BB}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b2bde8cc-d620-40f8-846e-2037c158a6a1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B536F587-CC3E-4D45-AC81-58E65C7DE1BA}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SNM"=-
"68b8ff21"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnmnmm]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rxsxjuya]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\68b8ff21]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"DomainService"=-
"cmdService"=-


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
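Post #10's CFScript encodes a triage that can be read straight off the HijackThis log: BHO (O2) and Winlogon Notify (O20) registrations whose DLL is reported "(file missing)", and a Run (O4) value that loads a random eight-letter DLL through rundll32. The script below is an added example, not part of the thread or of any tool mentioned in it; it parses those three entry types from a sample built from the log above and renders the Registry:: section in the layout post #10 uses (the HKCU Run form is an assumption extrapolated from the HKLM form shown on the page).

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the O2/O4/O20 lines from the HijackThis log above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {44E2E190-3938-4428-B5D5-2894BCDBB4BA} - C:\windows\System32\byvsq.dll (file missing)
O2 - BHO: {1a6a851c-7302-e648-8f04-026dcc8edb2b} - {b2bde8cc-d620-40f8-846e-2037c158a6a1} - C:\windows\system32\ftfjoiuv.dll (file missing)
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [68b8ff21] rundll32.exe "C:\windows\system32\jfnthcef.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: nnnmnmm - nnnmnmm.dll (file missing)
O20 - Winlogon Notify: rxsxjuya - rxsxjuya.dll (file missing)
"""

# HijackThis appends "(file missing)" when the registered file is absent on disk.
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - '
                   r'(?P<path>.*?)(?P<missing> \(file missing\))?$')
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>\S+)(?P<missing> \(file missing\))?$')
# A Run value that is just "rundll32.exe <some.dll>,<export>".
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?', re.IGNORECASE)
# Heuristic only: the pattern on this page (jfnthcef.dll) is eight random lowercase letters.
RANDOM_DLL_RE = re.compile(r'^[a-z]{8}\.dll$')

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


@dataclass
class Finding:
    section: str      # HijackThis section: O2, O4 or O20
    name: str         # CLSID (O2), Run value name (O4) or Notify key name (O20)
    reason: str
    hive: str = ""    # O4 only: HKLM or HKCU


def triage(log_text):
    """Return the entries a helper would remove, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            if m.group("missing"):   # orphaned BHO registration: useless at best, a reinfection hook at worst
                findings.append(Finding("O2", m.group("clsid"), "BHO DLL missing: " + m.group("path")))
            continue
        m = O20_RE.match(line)
        if m:
            if m.group("missing"):
                findings.append(Finding("O20", m.group("name"), "Winlogon Notify DLL missing: " + m.group("dll")))
            continue
        m = O4_RE.match(line)
        if m:
            r = RUNDLL_RE.match(m.group("cmd"))
            if r:
                base = r.group("dll").replace("/", "\\").rsplit("\\", 1)[-1].lower()
                if RANDOM_DLL_RE.match(base):
                    findings.append(Finding("O4", m.group("name"),
                                            "rundll32 autostart of random-named DLL: " + r.group("dll"),
                                            hive=m.group("hive")))
    return findings


def build_cfscript(findings):
    """Render the Registry:: block in the layout post #10 uses ([-key] deletes a key, "value"=- a value)."""
    lines = ["Registry::"]
    run_by_hive = {}
    for f in findings:
        if f.section == "O2":
            lines.append("[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\" + f.name + "]")
        elif f.section == "O20":
            lines.append("[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion"
                         "\\winlogon\\notify\\" + f.name + "]")
        elif f.section == "O4":
            run_by_hive.setdefault(f.hive, []).append('"' + f.name + '"=-')
    for hive, values in run_by_hive.items():
        # HKLM form is the one on the page; the HKCU form is an assumption.
        lines.append("[" + HIVES[hive] + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]")
        lines.extend(values)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f.section, f.name, "-", f.reason)
    print(build_cfscript(found))
```

The heuristics catch only what the log itself gives away; the SNM Run value and the startupreg/services entries in post #10 were removed on the helper's knowledge of the product names, which no parser recovers from the line alone.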

#11 Devin-Squared

  • Topic Starter
  • Members
  • 17 posts

Posted 05 January 2008 - 12:58 PM

OK, I ran the script like you instructed and the computer restarted again, but this time ComboFix did not come back on and give me a log file. So I just ran HijackThis so you can at least see this log file:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:01, on 2008-01-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\windows\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\windows\system32\ctfmon.exe
C:\windows\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\windows\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {44E2E190-3938-4428-B5D5-2894BCDBB4BA} - C:\windows\System32\byvsq.dll (file missing)
O2 - BHO: 0 - {5CAD637B-FA39-4502-B7B7-535D73B51901} - C:\Program Files\WindowsUpdate\qujaxip780.dll (file missing)
O2 - BHO: (no name) - {70D77A09-F604-470A-AEFA-B7A95CF804BB} - C:\Program Files\Common Files\mewof83122.dll (file missing)
O2 - BHO: {1a6a851c-7302-e648-8f04-026dcc8edb2b} - {b2bde8cc-d620-40f8-846e-2037c158a6a1} - C:\windows\system32\ftfjoiuv.dll (file missing)
O2 - BHO: (no name) - {B536F587-CC3E-4D45-AC81-58E65C7DE1BA} - C:\Program Files\Common Files\mewof4444.dll (file missing)
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [68b8ff21] rundll32.exe "C:\windows\system32\jfnthcef.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-997987417-2720296727-3431213774-1006\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'QBDataServiceUser17')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ProSmile.local
O17 - HKLM\Software\..\Telephony: DomainName = ProSmile.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ProSmile.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ProSmile.local
O20 - Winlogon Notify: nnnmnmm - nnnmnmm.dll (file missing)
O20 - Winlogon Notify: rxsxjuya - rxsxjuya.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: QuickBooksDB17 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~2\QBDBMgrN.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 4397 bytes

#12 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 05 January 2008 - 01:23 PM

Hi,

Please read my instructions again and perform them, because it looks like you made a mistake here.

#13 Devin-Squared

  • Topic Starter
  • Members
  • 17 posts

Posted 05 January 2008 - 01:47 PM

Well, I repeated your instructions again, but this time it gave me a log (I'm guessing it just hiccuped the first time).

ComboFix 08-01-05.8 - Administrator 2008-01-05 13:33:31.3 - NTFSx86
Running from: C:\Temp\ComboFix.exe
Command switches used :: C:\Temp\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\adatmpif.ini
C:\WINDOWS\system32\dduuroct.ini
C:\WINDOWS\system32\fechtnfj.ini
C:\WINDOWS\system32\gjgddodn.ini
C:\WINDOWS\system32\gpgckthi.ini
C:\WINDOWS\system32\gvqeydyq.ini
C:\WINDOWS\system32\hagwbtna.ini
C:\WINDOWS\system32\kqgqmvkb.ini
C:\WINDOWS\system32\qsvyb.ini
C:\WINDOWS\system32\qsvyb.ini2
C:\WINDOWS\system32\qsvyb.tmp
C:\WINDOWS\system32\uijgxgqt.ini
C:\WINDOWS\system32\vjdidxkx.ini
C:\WINDOWS\system32\wioaysfn.ini
C:\WINDOWS\system32\ytkhxixe.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\folder.js\
C:\Program Files\ini.ini\
C:\WINDOWS\system32\adatmpif.ini
C:\WINDOWS\system32\dduuroct.ini
C:\WINDOWS\system32\fechtnfj.ini
C:\WINDOWS\system32\gjgddodn.ini
C:\WINDOWS\system32\gpgckthi.ini
C:\WINDOWS\system32\gvqeydyq.ini
C:\WINDOWS\system32\hagwbtna.ini
C:\WINDOWS\system32\kqgqmvkb.ini
C:\WINDOWS\system32\qsvyb.ini
C:\WINDOWS\system32\qsvyb.ini2
C:\WINDOWS\system32\qsvyb.tmp
C:\WINDOWS\system32\uijgxgqt.ini
C:\WINDOWS\system32\vjdidxkx.ini
C:\WINDOWS\system32\wioaysfn.ini
C:\WINDOWS\system32\ytkhxixe.ini

.
((((((((((((((((((((((((( Files Created from 2007-12-05 to 2008-01-05 )))))))))))))))))))))))))))))))
.

2008-01-05 11:49 . 2008-01-05 11:49 1,494,956 --a------ C:\Temp\ComboFix.exe
2008-01-05 11:49 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-03 17:35 . 2008-01-03 17:35 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-01-03 17:35 . 2008-01-03 17:35 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2008-01-02 13:43 . 2008-01-02 13:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-01-02 13:42 . 2008-01-02 13:42 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-02 13:41 . 2008-01-02 13:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-02 13:41 . 2008-01-02 13:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-02 13:37 . 2008-01-02 13:37 31,768,752 --a------ C:\Temp\avg75free_516a1225.exe
2007-12-31 15:04 . 2002-04-15 21:11 67,866 --------- C:\WINDOWS\system32\drivers\netwlan5.img
2007-12-31 15:04 . 2004-08-04 00:56 11,776 --a------ C:\WINDOWS\system32\spnpinst.exe
2007-12-31 15:04 . 2004-08-02 14:20 7,208 --a------ C:\WINDOWS\system32\secupd.sig
2007-12-31 15:04 . 2004-08-02 14:20 4,569 --a------ C:\WINDOWS\system32\secupd.dat
2007-12-31 14:05 . 2007-12-31 14:05 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-31 14:05 . 2007-12-31 14:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-12-31 13:33 . 2005-10-20 14:20 1,082,368 --a------ C:\WINDOWS\system32\esent.dll
2007-12-31 12:55 . 2007-12-21 16:10 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-12-31 12:55 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-12-30 19:12 . 2007-12-30 19:13 <DIR> d-------- C:\WINDOWS\system32\bits
2007-12-30 19:03 . 2004-08-03 23:56 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2007-12-30 19:03 . 2004-08-03 23:56 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2007-12-30 19:03 . 2004-08-03 23:56 8,192 --a------ C:\WINDOWS\system32\bitsprx2.dll
2007-12-30 19:03 . 2004-08-03 23:56 7,168 --a------ C:\WINDOWS\system32\bitsprx3.dll
2007-12-30 18:44 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-12-30 18:44 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-12-30 18:44 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2007-12-30 18:44 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2007-12-30 18:44 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2007-12-30 18:44 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\system32\wups.dll
2007-12-30 18:44 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2007-12-30 18:44 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2007-12-30 18:44 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2007-12-28 20:41 . 2007-12-28 20:41 2 --a------ C:\WINDOWS\msoffice.ini
2007-12-28 19:42 . 2003-03-03 08:24 33,792 --a------ C:\WINDOWS\ieuninst.exe
2007-12-19 18:49 . 2006-08-21 01:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-12-19 18:49 . 2006-08-21 01:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-12-19 18:49 . 2006-08-21 04:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-12-13 14:49 . 2008-01-02 13:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-12-13 10:40 . 2007-07-09 05:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-12-12 14:37 . 2004-08-03 23:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-12-12 14:30 . 2007-12-12 14:30 <DIR> d-------- C:\WINDOWS\provisioning
2007-12-12 14:30 . 2007-12-12 14:30 <DIR> d-------- C:\WINDOWS\peernet
2007-12-12 14:21 . 2007-12-12 14:21 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-12-12 14:04 . 2007-12-12 14:04 <DIR> d-------- C:\WINDOWS\EHome
2007-12-05 12:46 . 2007-12-05 12:46 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-05 12:46 . 2007-12-05 12:46 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-01 00:25 --------- d-----w C:\Program Files\Yahoo!
2007-12-31 21:25 66 ----a-w C:\Program Files\ini.ini
2007-12-31 01:23 --------- d-----w C:\Program Files\Common Files\AOL
2007-12-29 04:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-29 04:42 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AOL
2007-12-29 03:44 --------- d-----w C:\Program Files\PC Doctor for Windows NT
2007-12-29 03:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-13 19:27 --------- d-----w C:\Program Files\Symantec
2007-12-13 19:27 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-13 10:25 20,480 ----a-w C:\windows\system32\drivers\secdrv.sys
2007-06-14 09:22 2,231 ----a-w C:\Program Files\folder.js
2003-11-21 05:19 20,928 ---ha-w C:\Program Files\inv9.GID
2003-11-21 04:47 420,056 ----a-w C:\Program Files\inventory planner.EXE
2003-07-15 19:57 32,392 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
1998-05-13 23:09 3,615 ----a-w C:\Program Files\Inv9.cnt
1998-05-13 23:09 287,077 ----a-w C:\Program Files\Inv9.hlp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-02 13:51 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-02 13:41 219136]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DataViz Inc Messenger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DataViz Inc Messenger.lnk
backup=C:\windows\pss\DataViz Inc Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Name Grabber.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Name Grabber.lnk
backup=C:\windows\pss\Name Grabber.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Database Server Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Database Server Manager.lnk
backup=C:\windows\pss\QuickBooks Database Server Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
C:\PROGRA~1\AOL9~1.0\AOL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2003-09-01 18:52 376912 C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-09-25 16:52 50736 C:\Program Files\Common Files\AOL\1141496361\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-06-24 14:16 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTSMMSG]
--a------ 2001-10-16 19:06 45056 C:\WINDOWS\LTSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 08:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-01-14 17:27 77824 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-04-13 02:48 36975 C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
"iPodService"=3 (0x3)
"Alerter"=3 (0x3)
"6to4"=2 (0x2)
"DefWatch"=2 (0x2)
"QBFCService"=3 (0x3)
"MDM"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"QuickBooksDB17"=2 (0x2)

R2 QuickBooksDB17;QuickBooksDB17;C:\PROGRA~1\Intuit\QUICKB~2\QBDBMgrN.exe [2006-09-13 10:32]
R3 ALiIRDA;ALi Infrared Device Driver;C:\windows\system32\DRIVERS\alifir.sys [2001-08-17 05:49]
R3 CONAN;CONAN;C:\windows\system32\drivers\o2mmb.sys [2002-09-25 23:43]
R3 LucentSoftModem;Lucent Technologies Soft Modem;C:\windows\system32\DRIVERS\LTSM.sys [2001-10-16 19:06]
S2 SuniUSB;Suni Imaging USB Service;C:\windows\system32\DRIVERS\SuniUSB.sys [2003-05-09 08:37]
S3 LCcfltr;Logitech USB Filter Driver;C:\windows\system32\drivers\lccfltr.sys [2002-11-08 01:50]
S3 Phil8116;Suni Imaging Microsystem VGA Digital Camera; Video;C:\windows\system32\DRIVERS\CamDrC21.sys []
S3 PRISM;Intersil PRISM Wireless LAN Driver;C:\windows\system32\DRIVERS\PRISMNDS.sys [2002-06-16 17:26]

.
Contents of the 'Scheduled Tasks' folder
"2003-10-14 19:16:43 C:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1057690422.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-05 13:44:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-05 13:46:54 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-01-05 21:46:20
ComboFix2.txt 2008-01-05 20:04:52
.
2008-01-05 00:00:52 --- E O F ---


New Hijack This Log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:51:43 PM, on 1/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\windows\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\windows\Explorer.EXE
C:\windows\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-997987417-2720296727-3431213774-1006\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'QBDataServiceUser17')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ProSmile.local
O17 - HKLM\Software\..\Telephony: DomainName = ProSmile.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ProSmile.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ProSmile.local
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: QuickBooksDB17 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~2\QBDBMgrN.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 3513 bytes

Edited by Devin-Squared, 05 January 2008 - 01:49 PM.


#14 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 06 January 2008 - 01:59 AM

Hi,

Navigate to and delete the following files:

C:\Program Files\ini.ini
C:\Program Files\folder.js

Go to the following site:
http://www.virustotal.com/en/indexf.html
At the top you'll find 'Browse'.
Click the Browse button and browse to the following file:

C:\WINDOWS\system32\windrv.sys

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results in your next reply.

Also, go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Check next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log in your next reply as well and also let me know how things are now.


#15 Devin-Squared

  • Topic Starter
  • Members
  • 17 posts

Posted 07 January 2008 - 02:48 PM

OK, I deleted those files, used both of those scans, and these are the logs from both. My computer is running sooo much better. The security toolbar is gone from my IE, the pop-ups are gone, and the computer just seems to be back to a normal state. You have been a Godsend.


Antivirus Version Last Update Result
AhnLab-V3 2008.1.8.10 2008.01.07 -
AntiVir 7.6.0.46 2008.01.07 -
Authentium 4.93.8 2008.01.06 -
Avast 4.7.1098.0 2008.01.07 -
AVG 7.5.0.516 2008.01.07 -
BitDefender 7.2 2008.01.07 -
CAT-QuickHeal 9.00 2008.01.07 -
ClamAV 0.91.2 2008.01.07 -
DrWeb 4.44.0.09170 2008.01.07 -
eSafe 7.0.15.0 2008.01.06 -
eTrust-Vet 31.3.5438 2008.01.07 -
Ewido 4.0 2008.01.07 -
FileAdvisor 1 2008.01.07 -
Fortinet 3.14.0.0 2008.01.07 -
F-Prot 4.4.2.54 2008.01.06 -
F-Secure 6.70.13030.0 2008.01.07 -
Ikarus T3.1.1.15 2008.01.07 -
Kaspersky 7.0.0.125 2008.01.07 -
McAfee 5201 2008.01.07 -
Microsoft 1.3109 2008.01.07 -
NOD32v2 2770 2008.01.07 -
Norman 5.80.02 2008.01.04 -
Panda 9.0.0.4 2008.01.07 -
Prevx1 V2 2008.01.07 -
Rising 20.26.02.00 2008.01.07 -
Sophos 4.24.0 2008.01.07 -
Sunbelt 2.2.907.0 2008.01.05 -
Symantec 10 2008.01.07 -
TheHacker 6.2.9.183 2008.01.07 -
VBA32 3.12.2.5 2008.01.07 -
VirusBuster 4.3.26:9 2008.01.07 -
Webwasher-Gateway 6.6.2 2008.01.07 -
Additional information
File size: 1152 bytes
MD5: 26daf4d70b8b4d1b10e1a2e620464bc8
SHA1: 3ace481d4c5018d1ec49c014874c29afebdac145
PEiD: -



# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2770 (20080107)
# vers_arch_module=1.060 (20071228)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=1028200930649243858fe987653f3149
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-01-07 10:38:40
# local_time=2008-01-07 02:38:40 (-0800, Pacific Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=280083
# found=5
# scan_time=4386
C:\QooBox\Quarantine\C\Documents and Settings\Administrator\Desktop\Live Safety Center.lnk.vir Win32/Adware.SecToolbar application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\Documents and Settings\Administrator\Desktop\Online Security Guide.lnk.vir Win32/Adware.SecToolbar application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk.vir Win32/Adware.SecToolbar application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk.vir Win32/Adware.SecToolbar application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\rxrlrhcj.exe.vir Win32/Adware.SecToolbar application (unable to clean - deleted) 00000000000000000000000000000000



