
Computer Takes Forever To Startup And Constant Ie Popups


  • This topic is locked
49 replies to this topic

#1 megawatt

megawatt

  • Members
  • 53 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:48 PM

Posted 24 December 2007 - 11:21 AM

I'm new, but I have been trying to clean up my PC for about 4 hours now.
I have read the "before posting" info and done all required scans per the instructions. RegBooster 2 only removed the 15 free problems. Will someone please look at my logs for me and help me in any way?
What a way to start Christmas Eve. Thanks so much in advance. Rob
My log is so long.


LOG


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:19 AM, on 12/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey .exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\dla\DLACTRLW.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe .exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView .exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\dla\DLACTRLW .exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\toshiba\ivp\ism\pinger .exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Toshiba\Tvs\TvsTray .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched .exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon .exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\McAfee\Common Framework\UdaterUI .exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd .exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cleanmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Trend Micro\HijackThis\busted.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
F3 - REG:win.ini: load=C:\WINDOWS\system32\sstqr.exe
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {0B2D7958-99C1-4FAD-8192-66536594D60B} - C:\WINDOWS\system32\sstqr.dll
O2 - BHO: (no name) - {2B3CBDC2-8AB6-45B1-B59E-7B0DEE595917} - C:\WINDOWS\system32\byxyvus.dll (file missing)
O2 - BHO: (no name) - {4827707f-8f16-46ae-a40f-685dd41497b6} - C:\WINDOWS\system32\byuwdsl.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\DLACTRLW.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1142882959\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZUxdm484YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/dsl_settings/...vzTCPConfig.CAB
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen10.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} (Confidence Online for Web Applications) - https://dnet.dom.com/llclient/dnetewpp/winx...et.com,CT=java+
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://dnet.dom.com/,DanaInfo=MAHOGANY.dom...va+iNotes6W.cab
O16 - DPF: {6E49B4EF-9FE5-44DF-8D04-445AA94F83DB} (Sony Network Camera Viewer Control) - http://70.107.225.104/program/SonyNetworkCameraViewer.cab
O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (Bl_camera Control) - http://24.148.122.144:5000/bl_camera.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://65.175.132.78/activex/AxisCamControl.cab
O16 - DPF: {A762E064-A885-40E4-AC10-671BB62DC2B2} (OFMailHTMLCtl Class) - https://dnet.dom.com/OF5/nsplugins/,DanaInf...ava+OFMailX.cab
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://www.dlink.com/products/livedemo/plugin/h263ctrl.cab
O16 - DPF: {B9940246-4344-4D1B-BD82-DBAF7E657FF9} (AudioClient Control) - http://p.viewnetcam.com:60001/SysCamInst.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://dnet.dom.com/dana-cached/setup/JuniperSetupSP1.cab
O20 - Winlogon Notify: byxyvus - byxyvus.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\prolyhduvo.html
O24 - Desktop Component 1: (no name) - http://mysite.verizon.net/imagelib/sitebui...me_flowers2.gif

--
End of file - 13651 bytes

Startup

StartupList report, 12/24/2007, 11:15:46 AM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\busted.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey .exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\dla\DLACTRLW.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe .exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView .exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\dla\DLACTRLW .exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\toshiba\ivp\ism\pinger .exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Toshiba\Tvs\TvsTray .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched .exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon .exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\McAfee\Common Framework\UdaterUI .exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd .exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cleanmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Trend Micro\HijackThis\busted.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Robbie\Start Menu\Programs\Startup]
Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ATIPTA = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
THotkey = C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
AGRSMMSG = AGRSMMSG.exe
NDSTray.exe = NDSTray.exe
TPSMain = TPSMain.exe
PadTouch = C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
SmoothView = C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
dla = C:\WINDOWS\system32\dla\DLACTRLW.exe
Pinger = c:\toshiba\ivp\ism\pinger.exe /run
Tvs = C:\Program Files\Toshiba\Tvs\TvsTray.exe
TFncKy = TFncKy.exe
TDispVol = TDispVol.exe
RTHDCPL = RTHDCPL.EXE
Alcmtr = ALCMTR.EXE
HostManager = C:\Program Files\Common Files\AOL\1142882959\ee\AOLSoftware.exe
MSKDetectorExe = C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
QuickTime Task = "C:\Program Files\QuickTime\qttask .exe" -atboottime
SunJavaUpdateSched = "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
My Web Search Bar = rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
MyWebSearch Email Plugin = C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
Host Process = C:\WINDOWS\Fonts\svchost.exe
avgnt = "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
ShStatEXE = "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
McAfeeUpdaterUI = "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

TOSCDSPD = C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
Aim6 = "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
MyWebSearch Email Plugin = C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
Uniblue RegistryBooster 2 = C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=C:\WINDOWS\system32\sstqr.exe
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

MyWebSearch Search Assistant BHO - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL - {00A6FAF1-072E-44cf-8957-5838F569A31D}
(no name) - (no file) - {02478D38-C3F9-4efb-9B51-7695ECA05670}
(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
mwsBar BHO - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL - {07B18EA1-A523-4961-B6BB-170DE4475CCA}
(no name) - C:\WINDOWS\system32\sstqr.dll - {0B2D7958-99C1-4FAD-8192-66536594D60B}
(no name) - C:\WINDOWS\system32\byxyvus.dll (file missing) - {2B3CBDC2-8AB6-45B1-B59E-7B0DEE595917}
(no name) - C:\WINDOWS\system32\byuwdsl.dll (file missing) - {4827707f-8f16-46ae-a40f-685dd41497b6}
(no name) - C:\WINDOWS\System32\DLA\DLASHX_W.DLL - {5CA3D70E-1895-11CF-8E15-001234567890}
(no name) - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
scriptproxy - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll - {7DB2D5A0-7241-4E79-B68D-6309F01C5231}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}

--------------------------------------------------

Enumerating Download Program Files:

[vzTCPConfig]
CODEBASE = http://www2.verizon.net/help/dsl_settings/...vzTCPConfig.CAB
OSD = C:\WINDOWS\Downloaded Program Files\OSD22.OSD

[{15589FA1-C456-11CE-BF01-00AA0055595A}]
CODEBASE = http://w4s2.work4sure.com/c/ge/w4sgeen10.exe

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\legitcheckcontrol.dll
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

[{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}]
CODEBASE = http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab

[YInstStarter Class]
InProcServer32 = C:\Program Files\Yahoo!\Common\yinsthelper.dll
CODEBASE = C:\Program Files\Yahoo!\Common\yinsthelper.dll

[Confidence Online for Web Applications]
InProcServer32 = C:\Documents and Settings\Robbie\Application Data\WholeSecurity\AXXPEE.dll
CODEBASE = https://dnet.dom.com/llclient/dnetewpp/winx...et.com,CT=java+

[iNotes6 Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\inotes6W.dll
CODEBASE = https://dnet.dom.com/,DanaInfo=MAHOGANY.dom...va+iNotes6W.cab

[Sony Network Camera Viewer Control]
InProcServer32 = C:\WINDOWS\system32\SONYNE~1.OCX
CODEBASE = http://70.107.225.104/program/SonyNetworkCameraViewer.cab

[Bl_camera Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\BL_CAM~1.OCX
CODEBASE = http://24.148.122.144:5000/bl_camera.cab

[CamImage Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\AxisCamControl.ocx
CODEBASE = http://65.175.132.78/activex/AxisCamControl.cab

[OFMailHTMLCtl Class]
InProcServer32 = C:\WINDOWS\system32\OFMailX.dll
CODEBASE = https://dnet.dom.com/OF5/nsplugins/,DanaInf...ava+OFMailX.cab

[VaPgCtrl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\VAPGDecoder.dll
CODEBASE = http://www.dlink.com/products/livedemo/plugin/h263ctrl.cab

[AudioClient Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\AUDIOC~1.OCX
CODEBASE = http://p.viewnetcam.com:60001/SysCamInst.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9d.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

[JuniperSetupSP1 Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\JUNIPE~1.OCX
CODEBASE = https://dnet.dom.com/dana-cached/setup/JuniperSetupSP1.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\DOCUME~1\Robbie\LOCALS~1\Temp\_iu14D2N.tmp|||A

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 13,452 bytes
Report generated in 0.094 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:48 PM

Posted 24 December 2007 - 11:22 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:
You do have a few stinkers in there.

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
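A small triage script, added here as an example (not part of this thread, and not HijackThis or ComboFix code), that applies the kinds of checks a helper makes when reading log lines like the ones posted above: orphaned "(file missing)" entries, a space before ".exe" that shadows a legitimate program name, a core system binary name outside the Windows directory, a win.ini load= entry, unnamed BHOs and Winlogon Notify DLLs. The sample lines are constructed from entries in the posted log; the heuristics, thresholds and function names are my own assumptions.

```python
"""Heuristic triage of HijackThis-style log entries (added example, not HijackThis code)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a few lines in the shape of the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
F3 - REG:win.ini: load=C:\WINDOWS\system32\sstqr.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B2D7958-99C1-4FAD-8192-66536594D60B} - C:\WINDOWS\system32\sstqr.dll
O2 - BHO: (no name) - {2B3CBDC2-8AB6-45B1-B59E-7B0DEE595917} - C:\WINDOWS\system32\byxyvus.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O20 - Winlogon Notify: byxyvus - byxyvus.dll (file missing)
"""

SECTION_RE = re.compile(r"^(R\d|F\d|O\d+)\s+-\s+(.*)$")
# A drive-letter path ending in an executable/library extension; spaces are allowed
# inside so that names like "qttask .exe" are captured whole.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|\n]*?\.(?:exe|dll|ocx|scr|cpl)\b', re.IGNORECASE)
SPACED_EXT_RE = re.compile(r"\s\.(exe|dll|ocx|scr|cpl)$")
# Core Windows binaries that only belong in %SystemRoot% or %SystemRoot%\system32
# (assumed list for this example).
CORE_BINARIES = {"svchost.exe", "lsass.exe", "winlogon.exe", "services.exe",
                 "csrss.exe", "smss.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\", "c:\\windows\\system32\\")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    reason: str
    line: str


def _paths(body):
    return [m.group(0) for m in PATH_RE.finditer(body)]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _in_system_dir(path):
    return path.lower().rsplit("\\", 1)[0] + "\\" in SYSTEM_DIRS


def check_line(line):
    """Return the Findings for one log entry; an empty list means nothing stood out."""
    line = line.strip()
    m = SECTION_RE.match(line)
    if not m:
        return []            # running-process lines, headers, blanks
    section, body = m.group(1), m.group(2)
    findings = []

    def flag(reason):
        findings.append(Finding(section, reason, line))

    if "(file missing)" in body:
        flag("points at a file that no longer exists (orphaned autostart/BHO entry)")
    for path in _paths(body):
        name = _basename(path)
        if SPACED_EXT_RE.search(name):
            flag(f"'{name}' has a space before its extension and shadows a legitimate program name")
        if name in CORE_BINARIES and not _in_system_dir(path):
            flag(f"core binary name '{name}' loaded from outside the Windows directory: {path}")
    if section == "F3" and "load=" in body.lower():
        flag("win.ini load= is almost never used by legitimate software")
    if section == "O2" and body.startswith("BHO: (no name)"):
        flag("unnamed Browser Helper Object; verify the DLL's publisher")
    if section == "O20":
        flag("Winlogon Notify DLL runs at every logon; verify it belongs to known software")
    return findings


def triage(log_text):
    """Run check_line over every line of a log and collect the Findings."""
    return [f for line in log_text.splitlines() for f in check_line(line)]


def summarize(findings):
    """Count findings per HijackThis section code."""
    return dict(Counter(f.section for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

The named McAfee and Adobe entries produce no findings, while the sstqr, byxyvus, Fonts\svchost.exe and "qttask .exe" entries are each flagged with the reason a helper would give.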


========================================================

#3 megawatt

megawatt
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:48 PM

Posted 24 December 2007 - 03:47 PM

OK Sam, here she is.
Also, when I was first infected I tried to do a restore, and there were no restore points for me to choose from, so my system files may be wormed.



ComboFix 07-12-21.4 - Robbie 2007-12-24 15:18:56.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.97 [GMT -5:00]
Running from: C:\Documents and Settings\Robbie\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\Robbie\Application Data\FunWebProducts
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\Shared\Cache\AvatarSmallBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\FunBuddyIconBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Program Files\internet explorer\msimg32.dll
C:\Program Files\Internet Explorer\prolyhduvo.html
C:\Program Files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
C:\Program Files\MyWebSearch\bar\1.bin\F3BROVLY.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
C:\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE
C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SPACER.WMV
C:\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
C:\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE
C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
C:\Program Files\MyWebSearch\bar\1.bin\mwsoemon .exe
C:\Program Files\MyWebSearch\bar\1.bin\mwsoemon.exe
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
C:\Program Files\MyWebSearch\bar\Avatar\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Cache\00077D5B
C:\Program Files\MyWebSearch\bar\Cache\000BDC22
C:\Program Files\MyWebSearch\bar\Cache\000BE0A6
C:\Program Files\MyWebSearch\bar\Cache\000BE355.bin
C:\Program Files\MyWebSearch\bar\Cache\000BE8E3.bin
C:\Program Files\MyWebSearch\bar\Cache\000BEA89.bin
C:\Program Files\MyWebSearch\bar\Cache\000BEB64.bin
C:\Program Files\MyWebSearch\bar\Cache\0096AB2A.bin
C:\Program Files\MyWebSearch\bar\Cache\012536BE.bin
C:\Program Files\MyWebSearch\bar\Cache\012538E1.bin
C:\Program Files\MyWebSearch\bar\Cache\01253B04.bin
C:\Program Files\MyWebSearch\bar\Cache\01253C2D.bin
C:\Program Files\MyWebSearch\bar\Cache\026D15EC
C:\Program Files\MyWebSearch\bar\Cache\files.ini
C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S
C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S
C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\icons\CM.ICO
C:\Program Files\MyWebSearch\bar\icons\MFC.ICO
C:\Program Files\MyWebSearch\bar\icons\PSS.ICO
C:\Program Files\MyWebSearch\bar\icons\SMILEY.ICO
C:\Program Files\MyWebSearch\bar\icons\WB.ICO
C:\Program Files\MyWebSearch\bar\icons\ZWINKY.ICO
C:\Program Files\MyWebSearch\bar\Message\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Notifier\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Notifier\DOG.F3S
C:\Program Files\MyWebSearch\bar\Notifier\FISH.F3S
C:\Program Files\MyWebSearch\bar\Notifier\KUNGFU.F3S
C:\Program Files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
C:\Program Files\MyWebSearch\bar\Notifier\MAID.F3S
C:\Program Files\MyWebSearch\bar\Notifier\MAILBOX.F3S
C:\Program Files\MyWebSearch\bar\Notifier\OPERA.F3S
C:\Program Files\MyWebSearch\bar\Notifier\ROBOT.F3S
C:\Program Files\MyWebSearch\bar\Notifier\SEDUCT.F3S
C:\Program Files\MyWebSearch\bar\Notifier\SURFER.F3S
C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
C:\Program Files\network monitor
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\system32\b1
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rqtss.ini
C:\WINDOWS\system32\rqtss.ini2
C:\WINDOWS\system32\sstqr.dll
C:\winlogon.exe
C:\x.dat
C:\z.dat
C:\Program Files\MyWebSearch
C:\WINDOWS\Fonts\'

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR
-------\core


((((((((((((((((((((((((( Files Created from 2007-11-24 to 2007-12-24 )))))))))))))))))))))))))))))))
.

2007-12-24 15:33 . 2007-12-24 15:33 323,072 --------- C:\WINDOWS\system32\sstqr.dll
2007-12-24 10:55 . 2007-12-24 10:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2007-12-24 10:35 . 2007-12-24 10:35 <DIR> d-------- C:\Documents and Settings\Robbie\Application Data\Uniblue
2007-12-24 10:29 . 2007-12-24 10:29 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-24 07:43 . 2007-12-24 07:43 326,656 --a------ C:\WINDOWS\system32\RCX47.tmp
2007-12-24 01:01 . 2007-12-24 02:24 <DIR> d-------- C:\QUARANTINE
2007-12-24 00:46 . 2007-12-24 09:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2007-12-24 00:40 . 2007-12-24 00:40 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2007-12-24 00:40 . 2006-11-17 03:06 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2007-12-24 00:40 . 2006-11-30 08:50 168,776 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-12-24 00:40 . 2006-11-30 08:50 72,264 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-12-24 00:40 . 2006-11-30 08:50 64,360 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2007-12-24 00:40 . 2006-11-30 08:50 52,136 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2007-12-24 00:40 . 2006-11-30 08:50 34,152 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-12-24 00:40 . 2006-11-17 03:06 280 --a------ C:\WINDOWS\system32\epoPGPsdk.dll.sig
2007-12-24 00:38 . 2007-12-24 00:38 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-12-24 00:35 . 2007-12-24 00:35 <DIR> d-------- C:\temp\McAfee
2007-12-24 00:03 . 2007-12-24 00:03 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-12-24 00:03 . 2007-12-24 00:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2007-12-24 00:03 . 2007-12-24 00:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterVideo
2007-12-24 00:03 . 2007-12-24 00:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2007-12-24 00:02 . 2007-12-24 00:02 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-12-23 22:32 . 2006-03-20 14:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
2007-12-23 21:40 . 2007-12-24 00:02 <DIR> d-------- C:\Program Files\CA Yahoo! Anti-Spy
2007-12-23 20:25 . 2007-12-23 20:25 326,656 --a------ C:\WINDOWS\system32\RCX3D.tmp
2007-12-23 19:48 . 2007-12-23 19:48 326,656 --a------ C:\WINDOWS\system32\RCX41.tmp
2007-12-23 18:37 . 2007-12-23 18:37 326,656 --a------ C:\WINDOWS\system32\RCX43.tmp
2007-12-23 17:26 . 2007-12-24 07:45 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-23 17:20 . 2007-12-24 15:35 326,656 --a------ C:\WINDOWS\system32\sstqr.exe
2007-12-23 17:16 . 2007-12-23 17:16 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-12-23 17:13 . 2007-12-23 19:26 <DIR> d--hs---- C:\WINDOWS\Um9iYmll
2007-12-23 17:13 . 2007-12-24 00:33 <DIR> d-------- C:\WINDOWS\system32\to9
2007-12-23 17:13 . 2007-12-24 00:33 <DIR> d-------- C:\WINDOWS\system32\dj2
2007-12-23 17:13 . 2007-12-23 17:23 <DIR> d-------- C:\WINDOWS\system32\bbc9
2007-12-23 17:13 . 2007-12-24 02:07 <DIR> d-------- C:\WINDOWS\system32\ardCo18
2007-12-23 17:13 . 2007-12-23 17:13 <DIR> d-------- C:\temp\cEeer12
2007-12-23 17:13 . 2007-12-23 17:39 367,616 --a------ C:\WINDOWS\mrofinu1000106.exe.tmp
2007-12-23 17:13 . 2007-12-23 17:13 134 --a------ C:\n.bat
2007-12-23 16:24 . 2007-12-23 16:24 <DIR> d-------- C:\Documents and Settings\Robbie\Application Data\ImgBurn
2007-12-23 16:20 . 2007-12-23 16:20 <DIR> d-------- C:\Program Files\ImgBurn
2007-12-23 15:48 . 2007-12-23 15:48 <DIR> d-------- C:\Program Files\7-Zip
2007-12-23 15:19 . 2007-12-23 15:19 <DIR> d-------- C:\Program Files\MSBuild
2007-12-23 15:18 . 2007-12-23 15:18 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-12-23 15:18 . 2007-12-23 15:18 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-12-23 15:17 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2007-12-23 15:12 . 2007-12-23 15:12 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-23 14:51 . 2007-12-23 14:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-17 18:48 . 2007-12-24 00:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-24 20:35 --------- d-----w C:\Program Files\QuickTime
2007-12-24 20:33 --------- d-----w C:\Program Files\AIM6
2007-12-24 12:44 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
2007-12-24 05:50 --------- d-----w C:\Program Files\Yahoo!
2007-12-24 05:48 --------- d-----w C:\Program Files\Google
2007-12-24 05:40 --------- d-----w C:\Program Files\McAfee
2007-12-24 05:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-12-24 05:31 --------- d-----w C:\Program Files\SpeedFan
2007-12-24 05:01 --------- d--h--r C:\Documents and Settings\All Users\Application Data\yahoo!
2007-12-24 05:01 --------- d-----w C:\Program Files\worldtvradio
2007-12-24 03:52 487,424 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\MSConfig.exe
2007-12-24 02:38 --------- d--h--r C:\Documents and Settings\Robbie\Application Data\yahoo!
2007-12-23 22:50 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-23 22:42 --------- d-----w C:\Program Files\CACE Technologies
2007-12-21 04:06 28,672 ----a-w C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-12-08 13:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-12-06 14:29 --------- d-----w C:\Program Files\OpenOffice.org 2.1
2007-12-06 14:27 --------- d-----w C:\Documents and Settings\Robbie\Application Data\OpenOffice.org2
2007-11-19 23:33 --------- d-----w C:\Documents and Settings\Robbie\Application Data\U3
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-30 01:33 --------- d-----w C:\Program Files\worldTVRT
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 15:18 --------- d-----w C:\Program Files\LEDSET
2007-10-27 22:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-24 06:47 96,760 ----a-w C:\WINDOWS\system32\dfshim.dll
2007-10-24 06:47 84,480 ----a-w C:\WINDOWS\system32\mscories.dll
2007-10-24 06:47 282,112 ----a-w C:\WINDOWS\system32\mscoree.dll
2007-10-24 06:47 158,720 ----a-w C:\WINDOWS\system32\mscorier.dll
2007-10-23 00:30 150 ----a-w C:\Documents and Settings\Robbie\Application Data\wklnhst.dat
2007-10-11 14:55 88,576 ----a-w C:\WINDOWS\system32\infocardapi.dll
2007-10-11 14:55 579,584 ----a-w C:\WINDOWS\system32\icardagt.exe
2007-10-11 14:55 11,776 ----a-w C:\WINDOWS\system32\icardres.dll
2007-10-09 18:03 779,800 ----a-w C:\WINDOWS\system32\PresentationNative_v0300.dll
2007-10-09 18:03 73,752 ----a-w C:\WINDOWS\system32\dxva2.dll
2007-10-09 18:03 493,080 ----a-w C:\WINDOWS\system32\evr.dll
2007-10-09 18:03 350,744 ----a-w C:\WINDOWS\system32\PresentationHost.exe
2007-10-09 18:03 33,304 ----a-w C:\WINDOWS\system32\PresentationHostProxy.dll
2007-10-09 18:03 161,304 ----a-w C:\WINDOWS\system32\UIAutomationCore.dll
2007-10-09 18:03 106,520 ----a-w C:\WINDOWS\system32\PresentationCFFRasterizerNative_v0300.dll
2007-10-09 18:03 1,986,072 ----a-w C:\WINDOWS\system32\milcore.dll
2007-10-09 17:58 16,896 ----a-w C:\WINDOWS\system32\tswpfwrp.exe
2006-12-29 02:20 92,064 ----a-w C:\Documents and Settings\Robbie\mqdmmdm.sys
2006-12-29 02:20 9,232 ----a-w C:\Documents and Settings\Robbie\mqdmmdfl.sys
2006-12-29 02:20 79,328 ----a-w C:\Documents and Settings\Robbie\mqdmserd.sys
2006-12-29 02:20 66,656 ----a-w C:\Documents and Settings\Robbie\mqdmbus.sys
2006-12-29 02:20 6,208 ----a-w C:\Documents and Settings\Robbie\mqdmcmnt.sys
2006-12-29 02:20 5,936 ----a-w C:\Documents and Settings\Robbie\mqdmwhnt.sys
2006-12-29 02:20 4,048 ----a-w C:\Documents and Settings\Robbie\mqdmcr.sys
2006-12-29 02:20 25,600 ----a-w C:\Documents and Settings\Robbie\usbsermptxp.sys
2006-12-29 02:20 22,768 ----a-w C:\Documents and Settings\Robbie\usbsermpt.sys
2005-07-29 21:24 472 --sha-r C:\WINDOWS\Um9iYmll\oA62sA55.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B3CBDC2-8AB6-45B1-B59E-7B0DEE595917}]
C:\WINDOWS\system32\byxyvus.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4827707f-8f16-46ae-a40f-685dd41497b6}]
C:\WINDOWS\system32\byuwdsl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F953CCB0-FD92-468A-836D-2298B717B7C3}]
2007-12-24 15:33 323072 --------- C:\WINDOWS\system32\sstqr.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2007-12-24 15:33]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" []
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-12-24 15:33]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2007-12-24 15:06]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2007-12-24 15:06]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-12-24 15:34]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-24 15:06]
"AGRSMMSG"="AGRSMMSG.exe" [2006-03-03 23:29 C:\WINDOWS\agrsmmsg.exe]
"NDSTray.exe"="NDSTray.exe" []
"TPSMain"="TPSMain.exe" [2005-06-01 00:00 C:\WINDOWS\system32\TPSMain.exe]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2007-12-24 15:06]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-12-24 15:06]
"dla"="C:\WINDOWS\system32\dla\DLACTRLW.exe" [2007-12-24 15:06]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2007-12-24 15:06]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2007-12-24 15:06]
"TFncKy"="TFncKy.exe" []
"TDispVol"="TDispVol.exe" [2005-03-11 18:03 C:\WINDOWS\system32\TDispVol.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-12-09 17:49 C:\WINDOWS\RTHDCPL.exe]
"HostManager"="C:\Program Files\Common Files\AOL\1142882959\ee\AOLSoftware.exe" [2007-12-24 15:34]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2007-12-24 15:20]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2007-12-24 15:35]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2007-12-24 15:35]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" []
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-12-24 15:06]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" []

C:\Documents and Settings\Robbie\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2004-06-12 00:57:52]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-12-24 00:46:10]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2006-03-20 13:55:20]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-12-03 11:10:00]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{2B3CBDC2-8AB6-45B1-B59E-7B0DEE595917}"= C:\WINDOWS\system32\byxyvus.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxyvus]
byxyvus.dll

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\sstqr.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\sstqr

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)

S3 ICam7fil;Intel® CS431 Audio Filter Driver;C:\WINDOWS\system32\drivers\icam7fil.sys [2001-07-31 15:34]
S3 Icam7USB;Intel® PC Camera CS431;C:\WINDOWS\system32\Drivers\ICAM7D2.SYS [2001-07-31 15:34]
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-02-27 13:31]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-06-21 15:55]
S3 PhilCam8116;Logitech QuickCam Pro 3000 (08B0);C:\WINDOWS\system32\DRIVERS\CamDrO21.sys [2001-08-17 14:05]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77e7d262-96e9-11dc-9d65-0016e3564ba5}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-24 15:34:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\rqtss.ini 391 bytes
C:\WINDOWS\system32\rqtss.ini2 391 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\sstqr.dll
.
Completion time: 2007-12-24 15:38:48 - machine was rebooted
.
2007-12-24 03:15:43 --- E O F ---

#4 Buckeye_Sam

Malware Expert

Posted 24 December 2007 - 10:12 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.


File::
C:\WINDOWS\system32\sstqr.dll
C:\WINDOWS\system32\RCX47.tmp
C:\WINDOWS\system32\RCX3D.tmp
C:\WINDOWS\system32\RCX41.tmp
C:\WINDOWS\system32\RCX43.tmp
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\sstqr.exe
C:\WINDOWS\system32\byxyvus.dll
C:\WINDOWS\system32\byuwdsl.dll
C:\WINDOWS\system32\rqtss.ini
C:\WINDOWS\system32\rqtss.ini2

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B3CBDC2-8AB6-45B1-B59E-7B0DEE595917}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4827707f-8f16-46ae-a40f-685dd41497b6}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F953CCB0-FD92-468A-836D-2298B717B7C3}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{2B3CBDC2-8AB6-45B1-B59E-7B0DEE595917}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxyvus]
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.


This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.


================


Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, click File in the menu and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.

Please post the log from DrWeb as well.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
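The logs in this thread show the same three persistence traces that the CFScript above targets: an extra entry in the LSA "Authentication Packages" list, executables whose name carries a space before the extension ("ctfmon .exe", "qttask .exe"), and the hex(7) REG_MULTI_SZ value that the script writes back to restore the default. The following check script is an added example written for this page, not part of ComboFix, HijackThis or Buckeye_Sam's instructions; the log lines inside it are constructed to mirror the thread's log, and the function names are my own.

```python
"""
Defender-side checks over a ComboFix-style log excerpt:
  * flag entries in LSA "Authentication Packages" beyond the stock msv1_0
  * flag paths with a space before the file extension ("ctfmon .exe")
  * decode/encode the REGEDIT4 hex(7) REG_MULTI_SZ value used to reset it
All names below are hypothetical helpers written for this example.
"""
import re

# Constructed sample lines in the format ComboFix prints them (modelled on
# the thread's log; not copied from a real machine).
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\\WINDOWS\\system32\\sstqr

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe" [2004-08-04 07:00]
"QuickTime Task"="C:\\Program Files\\QuickTime\\qttask .exe" [2007-12-24 15:35]
2007-12-23 17:26 . 2007-12-24 07:45 15,360 --a------ C:\\WINDOWS\\system32\\ctfmon .exe
"""

# The only authentication package a stock Windows XP install registers.
DEFAULT_AUTH_PACKAGES = ["msv1_0"]


def extra_auth_packages(log_text):
    """Return entries on the 'Authentication Packages' line beyond the default.

    ComboFix prints the REG_MULTI_SZ entries space-separated, so an entry whose
    path itself contains a space would be split here; for this log format that
    is the limitation we accept.
    """
    for line in log_text.splitlines():
        if line.startswith("Authentication Packages REG_MULTI_SZ"):
            entries = line.split()[3:]
            return [e for e in entries if e not in DEFAULT_AUTH_PACKAGES]
    return []


# A drive-rooted path whose file name has a space right before the extension.
SPACE_EXT = re.compile(r'[A-Za-z]:\\[^"\[\]\n]*? \.(exe|dll|scr)\b', re.IGNORECASE)


def space_before_extension(log_text):
    """Return the distinct paths that carry a space before their extension."""
    return sorted(set(m.group(0) for m in SPACE_EXT.finditer(log_text)))


def decode_reg_multi_sz(hex7_value):
    """Decode a REGEDIT4 hex(7) value (comma-separated byte pairs) into strings.

    REGEDIT4 stores hex(7) as ANSI: NUL-terminated strings followed by a
    final extra NUL. Empty strings are dropped, so the terminator vanishes.
    """
    raw = bytes(int(b, 16) for b in hex7_value.split(","))
    return [s for s in raw.decode("latin-1").split("\x00") if s]


def encode_reg_multi_sz(strings):
    """Produce the REGEDIT4 hex(7) form for a list of ANSI strings."""
    data = "\x00".join(strings).encode("latin-1") + b"\x00\x00"
    return ",".join(f"{b:02x}" for b in data)


def report(log_text):
    """Bundle all findings for one log excerpt."""
    return {
        "extra_auth_packages": extra_auth_packages(log_text),
        "space_before_extension": space_before_extension(log_text),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
    # The CFScript's "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
    # decodes to just ["msv1_0"], i.e. the stock value with sstqr removed.
    print(decode_reg_multi_sz("6d,73,76,31,5f,30,00,00"))
```

Running it on a real ComboFix log would let you confirm, before and after the fix, that the LSA list is back to msv1_0 and that no space-before-extension executables remain.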


========================================================

#5 megawatt

Topic Starter

Posted 25 December 2007 - 02:15 AM
Posted 25 December 2007 - 02:15 AM

ComboFix, second time

ComboFix 07-12-21.4 - Robbie 2007-12-24 23:52:35.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.107 [GMT -5:00]
Running from: C:\Documents and Settings\Robbie\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Robbie\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\byuwdsl.dll
C:\WINDOWS\system32\byxyvus.dll
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\RCX3D.tmp
C:\WINDOWS\system32\RCX41.tmp
C:\WINDOWS\system32\RCX43.tmp
C:\WINDOWS\system32\RCX47.tmp
C:\WINDOWS\system32\rqtss.ini
C:\WINDOWS\system32\rqtss.ini2
C:\WINDOWS\system32\sstqr.dll
C:\WINDOWS\system32\sstqr.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\RCX3D.tmp
C:\WINDOWS\system32\RCX41.tmp
C:\WINDOWS\system32\RCX43.tmp
C:\WINDOWS\system32\RCX47.tmp
C:\WINDOWS\system32\rqtss.ini
C:\WINDOWS\system32\rqtss.ini2
C:\WINDOWS\system32\sstqr.dll
C:\WINDOWS\system32\sstqr.exe

.
((((((((((((((((((((((((( Files Created from 2007-11-25 to 2007-12-25 )))))))))))))))))))))))))))))))
.

2007-12-24 10:55 . 2007-12-24 10:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2007-12-24 10:35 . 2007-12-24 10:35 <DIR> d-------- C:\Documents and Settings\Robbie\Application Data\Uniblue
2007-12-24 10:29 . 2007-12-24 10:29 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-24 01:01 . 2007-12-24 02:24 <DIR> d-------- C:\QUARANTINE
2007-12-24 00:46 . 2007-12-24 09:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2007-12-24 00:40 . 2007-12-24 00:40 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2007-12-24 00:40 . 2006-11-17 03:06 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2007-12-24 00:40 . 2006-11-30 08:50 168,776 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-12-24 00:40 . 2006-11-30 08:50 72,264 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-12-24 00:40 . 2006-11-30 08:50 64,360 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2007-12-24 00:40 . 2006-11-30 08:50 52,136 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2007-12-24 00:40 . 2006-11-30 08:50 34,152 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-12-24 00:40 . 2006-11-17 03:06 280 --a------ C:\WINDOWS\system32\epoPGPsdk.dll.sig
2007-12-24 00:38 . 2007-12-24 00:38 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-12-24 00:35 . 2007-12-24 00:35 <DIR> d-------- C:\temp\McAfee
2007-12-24 00:03 . 2007-12-24 00:03 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-12-24 00:03 . 2007-12-24 00:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2007-12-24 00:03 . 2007-12-24 00:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterVideo
2007-12-24 00:03 . 2007-12-24 00:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2007-12-24 00:02 . 2007-12-24 00:02 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-12-23 22:32 . 2006-03-20 14:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
2007-12-23 21:40 . 2007-12-24 00:02 <DIR> d-------- C:\Program Files\CA Yahoo! Anti-Spy
2007-12-23 17:16 . 2007-12-23 17:16 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-12-23 17:13 . 2007-12-23 19:26 <DIR> d--hs---- C:\WINDOWS\Um9iYmll
2007-12-23 17:13 . 2007-12-24 00:33 <DIR> d-------- C:\WINDOWS\system32\to9
2007-12-23 17:13 . 2007-12-24 00:33 <DIR> d-------- C:\WINDOWS\system32\dj2
2007-12-23 17:13 . 2007-12-23 17:23 <DIR> d-------- C:\WINDOWS\system32\bbc9
2007-12-23 17:13 . 2007-12-24 02:07 <DIR> d-------- C:\WINDOWS\system32\ardCo18
2007-12-23 17:13 . 2007-12-23 17:13 <DIR> d-------- C:\temp\cEeer12
2007-12-23 17:13 . 2007-12-23 17:39 367,616 --a------ C:\WINDOWS\mrofinu1000106.exe.tmp
2007-12-23 17:13 . 2007-12-23 17:13 134 --a------ C:\n.bat
2007-12-23 16:24 . 2007-12-23 16:24 <DIR> d-------- C:\Documents and Settings\Robbie\Application Data\ImgBurn
2007-12-23 16:20 . 2007-12-23 16:20 <DIR> d-------- C:\Program Files\ImgBurn
2007-12-23 15:48 . 2007-12-23 15:48 <DIR> d-------- C:\Program Files\7-Zip
2007-12-23 15:19 . 2007-12-23 15:19 <DIR> d-------- C:\Program Files\MSBuild
2007-12-23 15:18 . 2007-12-23 15:18 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-12-23 15:18 . 2007-12-23 15:18 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-12-23 15:17 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2007-12-23 15:12 . 2007-12-23 15:12 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-23 14:51 . 2007-12-23 14:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-17 18:48 . 2007-12-24 00:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-25 05:02 --------- d-----w C:\Program Files\AIM6
2007-12-25 04:53 --------- d-----w C:\Program Files\QuickTime
2007-12-24 05:50 --------- d-----w C:\Program Files\Yahoo!
2007-12-24 05:48 --------- d-----w C:\Program Files\Google
2007-12-24 05:40 --------- d-----w C:\Program Files\McAfee
2007-12-24 05:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-12-24 05:31 --------- d-----w C:\Program Files\SpeedFan
2007-12-24 05:01 --------- d--h--r C:\Documents and Settings\All Users\Application Data\yahoo!
2007-12-24 05:01 --------- d-----w C:\Program Files\worldtvradio
2007-12-24 02:38 --------- d--h--r C:\Documents and Settings\Robbie\Application Data\yahoo!
2007-12-23 22:50 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-23 22:42 --------- d-----w C:\Program Files\CACE Technologies
2007-12-21 04:06 28,672 ----a-w C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-12-08 13:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-12-06 14:29 --------- d-----w C:\Program Files\OpenOffice.org 2.1
2007-12-06 14:27 --------- d-----w C:\Documents and Settings\Robbie\Application Data\OpenOffice.org2
2007-11-19 23:33 --------- d-----w C:\Documents and Settings\Robbie\Application Data\U3
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-30 01:33 --------- d-----w C:\Program Files\worldTVRT
2007-10-29 15:18 --------- d-----w C:\Program Files\LEDSET
2007-10-23 00:30 150 ----a-w C:\Documents and Settings\Robbie\Application Data\wklnhst.dat
2006-12-29 02:20 92,064 ----a-w C:\Documents and Settings\Robbie\mqdmmdm.sys
2006-12-29 02:20 9,232 ----a-w C:\Documents and Settings\Robbie\mqdmmdfl.sys
2006-12-29 02:20 79,328 ----a-w C:\Documents and Settings\Robbie\mqdmserd.sys
2006-12-29 02:20 66,656 ----a-w C:\Documents and Settings\Robbie\mqdmbus.sys
2006-12-29 02:20 6,208 ----a-w C:\Documents and Settings\Robbie\mqdmcmnt.sys
2006-12-29 02:20 5,936 ----a-w C:\Documents and Settings\Robbie\mqdmwhnt.sys
2006-12-29 02:20 4,048 ----a-w C:\Documents and Settings\Robbie\mqdmcr.sys
2006-12-29 02:20 25,600 ----a-w C:\Documents and Settings\Robbie\usbsermptxp.sys
2006-12-29 02:20 22,768 ----a-w C:\Documents and Settings\Robbie\usbsermpt.sys
2005-07-29 21:24 472 --sha-r C:\WINDOWS\Um9iYmll\oA62sA55.vbs
.

((((((((((((((((((((((((((((( snapshot@2007-12-24_15.37.44.29 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-24 20:34:11 122,940 ----a-w C:\WINDOWS\system32\DLA\DLACTRLW .exe
+ 2007-12-25 05:02:34 122,940 ----a-w C:\WINDOWS\system32\DLA\DLACTRLW .exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15D5EB0E-8AD0-45D6-B6A8-A9A423FB5F4C}]
2007-12-25 00:01 323072 --a------ C:\WINDOWS\system32\sstqr.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2007-12-24 15:33]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" []
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-12-25 00:02]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2007-12-24 15:06]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2007-12-24 15:06]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-12-25 00:02]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-24 15:06]
"AGRSMMSG"="AGRSMMSG.exe" [2006-03-03 23:29 C:\WINDOWS\agrsmmsg.exe]
"NDSTray.exe"="NDSTray.exe" []
"TPSMain"="TPSMain.exe" [2005-06-01 00:00 C:\WINDOWS\system32\TPSMain.exe]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2007-12-24 15:06]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-12-24 15:06]
"dla"="C:\WINDOWS\system32\dla\DLACTRLW.exe" [2007-12-24 15:06]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2007-12-24 23:53]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2007-12-24 15:06]
"TFncKy"="TFncKy.exe" []
"TDispVol"="TDispVol.exe" [2005-03-11 18:03 C:\WINDOWS\system32\TDispVol.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-12-09 17:49 C:\WINDOWS\RTHDCPL.exe]
"HostManager"="C:\Program Files\Common Files\AOL\1142882959\ee\AOLSoftware.exe" [2007-12-24 23:53]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2007-12-24 23:53]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2007-12-25 00:03]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2007-12-25 00:03]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" []
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-12-24 15:06]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" []

C:\Documents and Settings\Robbie\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2004-06-12 00:57:52]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-12-24 00:46:10]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2006-03-20 13:55:20]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-12-03 11:10:00]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\sstqr.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\sstqr

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)

S3 ICam7fil;Intel® CS431 Audio Filter Driver;C:\WINDOWS\system32\drivers\icam7fil.sys [2001-07-31 15:34]
S3 Icam7USB;Intel® PC Camera CS431;C:\WINDOWS\system32\Drivers\ICAM7D2.SYS [2001-07-31 15:34]
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-02-27 13:31]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-06-21 15:55]
S3 PhilCam8116;Logitech QuickCam Pro 3000 (08B0);C:\WINDOWS\system32\DRIVERS\CamDrO21.sys [2001-08-17 14:05]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77e7d262-96e9-11dc-9d65-0016e3564ba5}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-25 00:01:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\sstqr.exe 326656 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\sstqr.dll
-> C:\WINDOWS\system32\TDispVol.dll
.
Completion time: 2007-12-25 0:07:03 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-24 15:38
.
2007-12-24 03:15:43 --- E O F ---




second hijack log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:26:52 AM, on 12/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey .exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe .exe
C:\WINDOWS\system32\dla\DLACTRLW.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView .exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\dla\DLACTRLW .exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\toshiba\ivp\ism\pinger .exe
C:\Program Files\Toshiba\Tvs\TvsTray .exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd .exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aim6 .exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\busted.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\system32\sstqr.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15D5EB0E-8AD0-45D6-B6A8-A9A423FB5F4C} - C:\WINDOWS\system32\sstqr.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\DLACTRLW.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1142882959\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZUxdm484YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/dsl_settings/...vzTCPConfig.CAB
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen10.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} (Confidence Online for Web Applications) - https://dnet.dom.com/llclient/dnetewpp/winx...et.com,CT=java+
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://dnet.dom.com/,DanaInfo=MAHOGANY.dom...va+iNotes6W.cab
O16 - DPF: {6E49B4EF-9FE5-44DF-8D04-445AA94F83DB} (Sony Network Camera Viewer Control) - http://70.107.225.104/program/SonyNetworkCameraViewer.cab
O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (Bl_camera Control) - http://24.148.122.144:5000/bl_camera.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://65.175.132.78/activex/AxisCamControl.cab
O16 - DPF: {A762E064-A885-40E4-AC10-671BB62DC2B2} (OFMailHTMLCtl Class) - https://dnet.dom.com/OF5/nsplugins/,DanaInf...ava+OFMailX.cab
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://www.dlink.com/products/livedemo/plugin/h263ctrl.cab
O16 - DPF: {B9940246-4344-4D1B-BD82-DBAF7E657FF9} (AudioClient Control) - http://p.viewnetcam.com:60001/SysCamInst.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://dnet.dom.com/dana-cached/setup/JuniperSetupSP1.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 12022 bytes



second hijackthis startup log


StartupList report, 12/25/2007, 12:29:25 AM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\busted.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey .exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe .exe
C:\WINDOWS\system32\dla\DLACTRLW.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView .exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\dla\DLACTRLW .exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\toshiba\ivp\ism\pinger .exe
C:\Program Files\Toshiba\Tvs\TvsTray .exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd .exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aim6 .exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\busted.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Robbie\Start Menu\Programs\Startup]
Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ATIPTA = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
THotkey = C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
AGRSMMSG = AGRSMMSG.exe
NDSTray.exe = NDSTray.exe
TPSMain = TPSMain.exe
PadTouch = C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
SmoothView = C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
dla = C:\WINDOWS\system32\dla\DLACTRLW.exe
Pinger = c:\toshiba\ivp\ism\pinger.exe /run
Tvs = C:\Program Files\Toshiba\Tvs\TvsTray.exe
TFncKy = TFncKy.exe
TDispVol = TDispVol.exe
RTHDCPL = RTHDCPL.EXE
HostManager = C:\Program Files\Common Files\AOL\1142882959\ee\AOLSoftware.exe
MSKDetectorExe = C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
QuickTime Task = "C:\Program Files\QuickTime\qttask .exe" -atboottime
SunJavaUpdateSched = "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
avgnt = "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
ShStatEXE = "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
McAfeeUpdaterUI = "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

TOSCDSPD = C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
Aim6 = "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
Uniblue RegistryBooster 2 = C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=C:\WINDOWS\system32\sstqr.exe
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\WINDOWS\system32\sstqr.dll - {15D5EB0E-8AD0-45D6-B6A8-A9A423FB5F4C}
(no name) - C:\WINDOWS\System32\DLA\DLASHX_W.DLL - {5CA3D70E-1895-11CF-8E15-001234567890}
(no name) - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
scriptproxy - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll - {7DB2D5A0-7241-4E79-B68D-6309F01C5231}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}

--------------------------------------------------

Enumerating Download Program Files:

[vzTCPConfig]
CODEBASE = http://www2.verizon.net/help/dsl_settings/...vzTCPConfig.CAB
OSD = C:\WINDOWS\Downloaded Program Files\OSD22.OSD

[{15589FA1-C456-11CE-BF01-00AA0055595A}]
CODEBASE = http://w4s2.work4sure.com/c/ge/w4sgeen10.exe

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\legitcheckcontrol.dll
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

[{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}]
CODEBASE = http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab

[YInstStarter Class]
InProcServer32 = C:\Program Files\Yahoo!\Common\yinsthelper.dll
CODEBASE = C:\Program Files\Yahoo!\Common\yinsthelper.dll

[Confidence Online for Web Applications]
InProcServer32 = C:\Documents and Settings\Robbie\Application Data\WholeSecurity\AXXPEE.dll
CODEBASE = https://dnet.dom.com/llclient/dnetewpp/winx...et.com,CT=java+

[iNotes6 Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\inotes6W.dll
CODEBASE = https://dnet.dom.com/,DanaInfo=MAHOGANY.dom...va+iNotes6W.cab

[Sony Network Camera Viewer Control]
InProcServer32 = C:\WINDOWS\system32\SONYNE~1.OCX
CODEBASE = http://70.107.225.104/program/SonyNetworkCameraViewer.cab

[Bl_camera Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\BL_CAM~1.OCX
CODEBASE = http://24.148.122.144:5000/bl_camera.cab

[CamImage Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\AxisCamControl.ocx
CODEBASE = http://65.175.132.78/activex/AxisCamControl.cab

[OFMailHTMLCtl Class]
InProcServer32 = C:\WINDOWS\system32\OFMailX.dll
CODEBASE = https://dnet.dom.com/OF5/nsplugins/,DanaInf...ava+OFMailX.cab

[VaPgCtrl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\VAPGDecoder.dll
CODEBASE = http://www.dlink.com/products/livedemo/plugin/h263ctrl.cab

[AudioClient Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\AUDIOC~1.OCX
CODEBASE = http://p.viewnetcam.com:60001/SysCamInst.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9d.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

[JuniperSetupSP1 Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\JUNIPE~1.OCX
CODEBASE = https://dnet.dom.com/dana-cached/setup/JuniperSetupSP1.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 12,162 bytes
Report generated in 0.078 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

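The three logs above carry the same handful of persistence indicators: a `load=` value under HKCU\...\Windows NT\CurrentVersion\Windows, an unnamed BHO in system32, an extra entry in the LSA "Authentication Packages" list (a DLL listed there is loaded into lsass.exe at boot), autorun targets and running processes whose file name has a space before `.exe` beside their legitimately named twin, and ActiveX controls downloaded from bare IP addresses. The script below is an added triage example for HijackThis-style logs; it is not part of the forum post, of ComboFix or of HijackThis. The sample lines are constructed from entries visible in the posted log, the severity labels and the `msv1_0`-only baseline for the LSA package list are assumptions, and a REVIEW hit is a prompt to look, not a verdict (the IP-hosted controls here are camera viewers).

```python
"""Triage heuristics for a HijackThis-style log (added example, not HijackThis code)."""
import re
from urllib.parse import urlparse

# Constructed sample: a few lines copied from the log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey .exe
C:\Program Files\QuickTime\qttask .exe
C:\WINDOWS\explorer.exe

F3 - REG:win.ini: load=C:\WINDOWS\system32\sstqr.exe
O2 - BHO: (no name) - {15D5EB0E-8AD0-45D6-B6A8-A9A423FB5F4C} - C:\WINDOWS\system32\sstqr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (Bl_camera Control) - http://24.148.122.144:5000/bl_camera.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
"""

ENTRY = re.compile(r"^(?P<kind>[OFR]\d+)\s+-\s+(?P<body>.*)$")
SPACE_EXT = re.compile(r"\s+\.(exe|dll|scr|com)\b", re.IGNORECASE)   # "name .exe"
IP_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
LSA_BASELINE = {"msv1_0"}   # assumption: the only package a stock XP box lists


def parse(log_text):
    """Split a log into the 'Running processes' paths and the tagged (O2/O4/...) entries."""
    processes, entries = [], []
    in_procs = False
    for line in log_text.splitlines():
        line = line.rstrip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY.match(line)
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return processes, entries


def companion_pairs(processes):
    """Processes whose file name has a space before the extension, with a flag
    saying whether the cleanly named twin (e.g. thotkey.exe) is also running."""
    seen = {p.lower() for p in processes}
    pairs = []
    for path in processes:
        if SPACE_EXT.search(path):
            twin = SPACE_EXT.sub(lambda m: "." + m.group(1), path)
            pairs.append((path, twin.lower() in seen))
    return pairs


def triage(entries):
    """Apply the heuristics to tagged entries; returns (severity, kind, message) tuples."""
    findings = []
    for kind, body in entries:
        if kind.startswith("F"):
            findings.append(("HIGH", kind, "ini-style load/run/shell value: " + body))
        elif kind == "O2" and body.startswith("BHO: (no name)"):
            findings.append(("HIGH", kind, "unnamed browser helper object: " + body))
        elif kind == "O4" and SPACE_EXT.search(body):
            findings.append(("HIGH", kind, "autorun target has a space before its extension: " + body))
        elif kind == "O16":
            url = body.rsplit(" - ", 1)[-1]
            if IP_HOST.match(urlparse(url).hostname or ""):
                findings.append(("REVIEW", kind, "ActiveX control fetched from a bare IP: " + url))
        elif kind == "O23" and "Unknown owner" in body:
            findings.append(("REVIEW", kind, "service without a publisher string: " + body))
    return findings


def extra_auth_packages(values):
    """Entries in Lsa\\Authentication Packages beyond the baseline; each is a DLL lsass.exe loads at boot."""
    return [v for v in values if v.lower() not in LSA_BASELINE]


if __name__ == "__main__":
    procs, ents = parse(SAMPLE_LOG)
    for path, twin_running in companion_pairs(procs):
        print(f"companion process: {path} (clean twin running: {twin_running})")
    for sev, kind, msg in triage(ents):
        print(f"[{sev}] {kind}: {msg}")
    # The REG_MULTI_SZ value from the ComboFix registry dump above, as a list.
    for pkg in extra_auth_packages(["msv1_0", r"C:\WINDOWS\system32\sstqr"]):
        print(f"[HIGH] extra LSA authentication package: {pkg}")
```

The space-before-extension rule is the one worth keeping from this thread: the Run keys still point at the legitimate `thotkey.exe`, so the hijack only shows up by comparing the process list against the autorun targets, which is why both lists are parsed rather than just the O4 lines.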
#6 megawatt (Topic Starter)
Posted 25 December 2007 - 02:36 AM

Forum won't let me upload cureit drweb.csv.
Do I need to save it with a different extension?

#7 Buckeye_Sam (Malware Expert)
Posted 25 December 2007 - 05:08 PM

Forum won't let me upload cureit drweb.csv.
Do I need to save it with a different extension?


Just copy the text from the report and paste it into your next reply.
Don't try to attach the file.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#8 megawatt (Topic Starter)
Posted 25 December 2007 - 08:57 PM

inst.exe;C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4000.1.4;Probably BACKDOOR.Trojan;;
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\SUDS\CACHE\4024.2.4;Probably BACKDOOR.Trojan;;
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\AIMSUD338;Probably BACKDOOR.Trojan;;
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4024;Probably BACKDOOR.Trojan;;
setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131;Probably BACKDOOR.Trojan;;
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.2.78.1;Probably BACKDOOR.Trojan;;
winlogon.exe.vir\data001;C:\qoobox\Quarantine\C\winlogon.exe.vir;Tool.FirePassword;;
winlogon.exe.vir\data002;C:\qoobox\Quarantine\C\winlogon.exe.vir;Tool.Netpass;;
winlogon.exe.vir\data003;C:\qoobox\Quarantine\C\winlogon.exe.vir;Tool.PassView;;
winlogon.exe.vir;C:\qoobox\Quarantine\C;Archive contains infected objects;Moved.;
msimg32.dll.vir;C:\qoobox\Quarantine\C\Program Files\Internet Explorer;Adware.Funweb;;
F3BROVLY.DLL.vir;C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin;Adware.Websearch;;
F3DTACTL.DLL.vir;C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin;Adware.Funweb;;
F3HISTSW.DLL.vir;C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin;Adware.Msearch;;
F3HTTPCT.DLL.vir;C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin;Trojan.Isbar.438;Deleted.;
F3IMSTUB.DLL.vir;C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin;Adware.Funweb;;
F3POPSWT.DLL.vir;C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin;Adware.Funweb;;
F3PSSAVR.SCR.vir;C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin;Adware.Msearch;;
F3REPROX.DLL.vir;C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin;Adware.Funweb;;
F3RESTUB.DLL.vir;C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin;Adware.Msearch;;
F3SCHMON.EXE.vir;C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin;Adware.Msearch;;
F3SCRCTR.DLL.vir;C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin;Trojan.DownLoader.7028;Deleted.;
F3SHLLVW.DLL.vir;C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin;Adware.Funweb;;
F3WPHOOK.DLL.vir;C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin;Adware.Msearch;;
M3HTML.DLL.vir;C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin;Adware.Websearch;;
M3IDLE.DLL.vir;C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin;Adware.MWS;;
M3MSG.DLL.vir;C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin;Adware.Websearch;;
M3OUTLCN.DLL.vir;C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin;Adware.Msearch;;
M3PLUGIN.DLL.vir;C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin;Adware.Msearch;;
M3SKIN.DLL.vir;C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin;Adware.Websearch;;
M3SLSRCH.EXE.vir;C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin;Adware.Websearch;;
M3SRCHMN.EXE.vir;C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin;Adware.Websearch;;
MWSBAR.DLL.vir;C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin;Adware.Websearch;;
mwsoemon .exe.vir;C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin;Adware.Websearch;;
mwsoemon.exe.vir\data001;C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\mwsoemon.exe.vir;Adware.Websearch;;
mwsoemon.exe.vir;C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin;Archive contains infected objects;Moved.;
MWSOEPLG.DLL.vir;C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin;Adware.Websearch;;
MWSOESTB.DLL.vir;C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin;Adware.MWS;;
NPMYWEBS.DLL.vir;C:\qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin;Adware.Websearch;;
MWSSRCAS.DLL.vir;C:\qoobox\Quarantine\C\Program Files\MyWebSearch\SrchAstt\1.bin;Adware.Websearch;;
f3PSSavr.scr.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Adware.Msearch;;
Process.exe;C:\SDFix\apps;Tool.Prockill;;
A0026636.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP302;BackDoor.Vomba;Deleted.;
A0026637.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP302;Trojan.Click.origin;Incurable.Moved.;
A0028526.EXE;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP316;Adware.Websearch;;
A0028558.exe\data001;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP317\A0028558.exe;Adware.Websearch;;
A0028558.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP317;Archive contains infected objects;Moved.;
A0028575.exe\data001;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP317\A0028575.exe;Trojan.DownLoader.38055;;
A0028575.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP317;Archive contains infected objects;Moved.;
A0028609.exe\data001;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP317\A0028609.exe;Adware.Websearch;;
A0028609.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP317;Archive contains infected objects;Moved.;
A0028645.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP317;Adware.Websearch;;
A0028901.exe\data001;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP318\A0028901.exe;Adware.Websearch;;
A0028901.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP318;Archive contains infected objects;Moved.;
A0028942.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP318;Adware.Websearch;;
A0028990.exe\data001;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP318\A0028990.exe;Adware.Websearch;;
A0028990.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP318;Archive contains infected objects;Moved.;
A0029987.exe\data001;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP318\A0029987.exe;Adware.Websearch;;
A0029987.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP318;Archive contains infected objects;Moved.;
A0030017.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP318;Adware.Websearch;;
A0030055.exe\data001;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP318\A0030055.exe;Adware.Websearch;;
A0030055.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP318;Archive contains infected objects;Moved.;
A0030091.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP318;Adware.Websearch;;
A0030117.exe\data001;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP318\A0030117.exe;Adware.Websearch;;
A0030117.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP318;Archive contains infected objects;Moved.;
A0030153.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP318;Adware.Websearch;;
A0030178.exe\data001;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP318\A0030178.exe;Adware.Websearch;;
A0030178.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP318;Archive contains infected objects;Moved.;
A0030210.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP318;Adware.Websearch;;
A0030226.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP319;Adware.Websearch;;
A0030234.exe\data001;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP319\A0030234.exe;Adware.Websearch;;
A0030234.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP319;Archive contains infected objects;Moved.;
A0030317.exe\data001;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP319\A0030317.exe;Adware.Websearch;;
A0030317.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP319;Archive contains infected objects;Moved.;
A0030354.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP319;Adware.Websearch;;
A0030535.exe\data001;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP319\A0030535.exe;Adware.Websearch;;
A0030535.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP319;Archive contains infected objects;Moved.;
A0030568.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP319;Adware.Websearch;;
A0030590.exe\data001;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP319\A0030590.exe;Adware.Websearch;;
A0030590.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP319;Archive contains infected objects;Moved.;
A0030621.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP319;Adware.Websearch;;
A0030749.exe\data001;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP319\A0030749.exe;Adware.Websearch;;
A0030749.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP319;Archive contains infected objects;Moved.;
A0030780.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP319;Adware.Websearch;;
A0030797.exe\data001;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP319\A0030797.exe;Adware.Websearch;;
A0030797.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP319;Archive contains infected objects;Moved.;
A0030834.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP319;Adware.Websearch;;
A0030855.exe\data001;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP319\A0030855.exe;Adware.Websearch;;
A0030855.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP319;Archive contains infected objects;Moved.;
A0030891.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP319;Adware.Websearch;;
A0030907.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP319;Tool.Cain;;
A0030958.exe\data001;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP320\A0030958.exe;Adware.Websearch;;
A0030958.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP320;Archive contains infected objects;Moved.;
A0030989.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP320;Adware.Websearch;;
A0031022.exe\data001;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP320\A0031022.exe;Adware.Websearch;;
A0031022.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP320;Archive contains infected objects;Moved.;
A0031051.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP320;Adware.Websearch;;
A0031075.exe\data001;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP320\A0031075.exe;Adware.Websearch;;
A0031075.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP320;Archive contains infected objects;Moved.;
A0031100.exe\data001;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP320\A0031100.exe;Adware.Websearch;;
A0031100.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP320;Archive contains infected objects;Moved.;
A0031130.exe\data001;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP320\A0031130.exe;Adware.Websearch;;
A0031130.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP320;Archive contains infected objects;Moved.;
A0031168.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP320;Adware.Websearch;;
A0031185.exe\data001;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP320\A0031185.exe;Adware.Websearch;;
A0031185.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP320;Archive contains infected objects;Moved.;
A0031215.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP320;Adware.Websearch;;
A0031235.exe\data001;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP320\A0031235.exe;Adware.Websearch;;
A0031235.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP320;Archive contains infected objects;Moved.;
A0031269.exe\data001;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP321\A0031269.exe;Adware.Websearch;;
A0031269.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP321;Archive contains infected objects;Moved.;
A0031300.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP321;Adware.Websearch;;
A0031366.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP321;Tool.Prockill;;
A0031691.exe\data001;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP321\A0031691.exe;Adware.Websearch;;
A0031691.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP321;Archive contains infected objects;Moved.;
A0032736.exe\data001;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP322\A0032736.exe;Adware.Websearch;;
A0032736.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP322;Archive contains infected objects;Moved.;
A0032767.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP322;Adware.Websearch;;
A0032899.exe\data001;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP322\A0032899.exe;Adware.Websearch;;
A0032899.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP322;Archive contains infected objects;Moved.;
A0032932.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP322;Adware.Websearch;;
A0033108.exe\data001;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP322\A0033108.exe;Adware.Websearch;;
A0033108.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP322;Archive contains infected objects;Moved.;
A0033140.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP322;Adware.Websearch;;
A0033161.exe\data001;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP322\A0033161.exe;Adware.Websearch;;
A0033161.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP322;Archive contains infected objects;Moved.;
A0033193.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP322;Adware.Websearch;;
A0033210.exe\data001;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP323\A0033210.exe;Adware.Websearch;;
A0033210.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP323;Archive contains infected objects;Moved.;
A0034159.exe\data001;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP324\A0034159.exe;Adware.Websearch;;
A0034159.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP324;Archive contains infected objects;Moved.;
A0034193.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP324;Adware.Websearch;;
A0034219.exe\data001;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP325\A0034219.exe;Adware.Websearch;;
A0034219.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP325;Archive contains infected objects;Moved.;
A0034223.DLL;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP326;Adware.Websearch;;
A0034225.DLL;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP326;Adware.Funweb;;
A0034226.DLL;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP326;Adware.Msearch;;
A0034227.DLL;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP326;Trojan.Isbar.438;Deleted.;
A0034228.DLL;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP326;Adware.Funweb;;
A0034229.DLL;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP326;Adware.Funweb;;
A0034230.SCR;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP326;Adware.Msearch;;
A0034231.DLL;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP326;Adware.Funweb;;
A0034232.DLL;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP326;Adware.Msearch;;
A0034233.EXE;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP326;Adware.Msearch;;
A0034234.DLL;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP326;Trojan.DownLoader.7028;Deleted.;
A0034235.DLL;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP326;Adware.Funweb;;
A0034236.DLL;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP326;Adware.Msearch;;
A0034238.DLL;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP326;Adware.Websearch;;
A0034239.DLL;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP326;Adware.MWS;;
A0034241.DLL;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP326;Adware.Websearch;;
A0034243.DLL;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP326;Adware.Msearch;;
A0034244.DLL;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP326;Adware.Msearch;;
A0034245.DLL;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP326;Adware.Websearch;;
A0034247.EXE;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP326;Adware.Websearch;;
A0034248.EXE;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP326;Adware.Websearch;;
A0034249.DLL;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP326;Adware.Websearch;;
A0034250.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP326;Adware.Websearch;;
A0034251.exe\data001;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP326\A0034251.exe;Adware.Websearch;;
A0034251.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP326;Archive contains infected objects;Moved.;
A0034252.DLL;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP326;Adware.Websearch;;
A0034253.DLL;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP326;Adware.MWS;;
A0034254.DLL;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP326;Adware.Websearch;;
A0034262.DLL;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP326;Adware.Websearch;;
A0034263.dll;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP326;Adware.Funweb;;
A0034264.scr;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP326;Adware.Msearch;;
A0034265.exe\data001;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP326\A0034265.exe;Tool.FirePassword;;
A0034265.exe\data002;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP326\A0034265.exe;Tool.Netpass;;
A0034265.exe\data003;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP326\A0034265.exe;Tool.PassView;;
A0034265.exe;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP326;Archive contains infected objects;Moved.;
A0034272.DLL;C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP326;Adware.Websearch;;
mrofinu1000106.exe.tmp\data001;C:\WINDOWS\mrofinu1000106.exe.tmp;Trojan.DownLoader.38055;;
mrofinu1000106.exe.tmp;C:\WINDOWS;Archive contains infected objects;Moved.;

#9 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender: Male
  • Location: Pickerington, Ohio

Posted 26 December 2007 - 09:04 AM

Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows (you should only see HijackThis on your desktop) and click the Fix Checked button.

R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\system32\sstqr.exe
O2 - BHO: (no name) - {15D5EB0E-8AD0-45D6-B6A8-A9A423FB5F4C} - C:\WINDOWS\system32\sstqr.dll
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZUxdm484YYUS
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe



===============




Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



    C:\WINDOWS\system32\sstqr.exe
    C:\WINDOWS\system32\sstqr.dll
    C:\WINDOWS\system32\sstqr.ini
    C:\WINDOWS\system32\sstqr.ini2
    C:\WINDOWS\system32\rqtss.ini
    C:\WINDOWS\system32\rqtss.ini2



  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt
  • Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.
In that case, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at:
C:\_OTMoveIt\MovedFiles\********_******.log (where "********_******" is the "date_time")




Please post a new combofix log also.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#10 megawatt

  • Topic Starter
  • Members
  • 53 posts
  • Gender: Male

Posted 26 December 2007 - 10:01 AM

Sam, before I go any further (I don't want to mess up): in HijackThis you said to checkmark
O2 - BHO: (no name) - {15D5EB0E-8AD0-45D6-B6A8-A9A423FB5F4C} - C:\WINDOWS\system32\sstqr.dll

I don't see the same numbers. The one that is there now is
O2 - BHO: (no name) - {2CD991EC-825C-4203-A979-D19CBC54FE3E} - C:\WINDOWS\system32\sstqr.dll
Do these numbers sometimes change?

#11 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender: Male
  • Location: Pickerington, Ohio

Posted 26 December 2007 - 10:06 AM

Yes, they can change. The filename at the end is the important part. That's a malicious file.


========================================================
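The two points made above, the fix list in post #9 and the remark in post #11 that a BHO's CLSID can change between scans while the file name stays the same, come down to one triage rule: select HijackThis entries by the file they load, never by the GUID in front of it. The following is an added example that is not part of the original thread and not code from HijackThis or its author. The sample lines are copied from the fix list and the follow-up scan posted above; the parser, the `HjtEntry` type, the `BAD_NAMES` list and the function names are this example's own construction.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# One HijackThis report line: "<type> - <description>: <name> - {CLSID} - <target>".
# Fields are separated by " - "; the CLSID is optional and the target is the last
# field (a path, a URL, or "(no file)").  F3 lines carry the path inside a
# "load=" assignment instead.
_CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
_DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")


@dataclass(frozen=True)
class HjtEntry:
    kind: str              # "O2", "F3", "R3", "O23", ...
    clsid: Optional[str]   # kept for display only; never used to match
    target: str            # file path, URL, or "(no file)"
    raw: str


def parse_hjt_line(line: str) -> HjtEntry:
    fields = [f.strip() for f in line.strip().split(" - ")]
    m = _CLSID.search(line)
    target = fields[-1]
    if "=" in target and "\\" in target:          # F3 - REG:win.ini: load=C:\...
        target = target.split("=", 1)[1]
    return HjtEntry(fields[0], m.group(0).upper() if m else None, target, line.strip())


def file_name(target: str) -> Optional[str]:
    """Lower-cased base name of a Windows path; None for URLs and '(no file)'."""
    if not _DRIVE_PATH.match(target):
        return None
    return target.rsplit("\\", 1)[-1].lower()


def entries_to_fix(lines: Iterable[str], bad_names: Iterable[str],
                   flag_dangling: bool = True) -> List[HjtEntry]:
    """Pick entries whose file name is on the list, whatever CLSID they carry.
    With flag_dangling, also pick hooks whose file is already gone ("(no file)"):
    an orphaned registration does nothing but is still a load point to clean."""
    bad = {n.lower() for n in bad_names}
    hits = []
    for line in lines:
        entry = parse_hjt_line(line)
        if file_name(entry.target) in bad or (flag_dangling and entry.target == "(no file)"):
            hits.append(entry)
    return hits


def same_file_new_clsid(old: HjtEntry, new: HjtEntry) -> bool:
    """True when two scans register the same DLL under different CLSIDs."""
    return (old.kind == new.kind
            and file_name(old.target) == file_name(new.target)
            and old.clsid != new.clsid)


# Sample input: lines from the fix list and the follow-up scan posted above.
SCAN_1 = [
    r"R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)",
    r"F3 - REG:win.ini: load=C:\WINDOWS\system32\sstqr.exe",
    r"O2 - BHO: (no name) - {15D5EB0E-8AD0-45D6-B6A8-A9A423FB5F4C} - C:\WINDOWS\system32\sstqr.dll",
    r"O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe",
]
SCAN_2_BHO = r"O2 - BHO: (no name) - {2CD991EC-825C-4203-A979-D19CBC54FE3E} - C:\WINDOWS\system32\sstqr.dll"

# The file names the helper told the poster to remove (this example's own list).
BAD_NAMES = ["sstqr.exe", "sstqr.dll", "ViewpointService.exe"]

if __name__ == "__main__":
    for hit in entries_to_fix(SCAN_1, BAD_NAMES):
        print(f"fix {hit.kind}: {hit.target}  (clsid={hit.clsid})")
    old, new = parse_hjt_line(SCAN_1[2]), parse_hjt_line(SCAN_2_BHO)
    print("same DLL, new CLSID:", same_file_new_clsid(old, new))
```

Matching on the base name is what makes the second scan's `{2CD991EC-...}` entry fall out as the same `sstqr.dll` line the helper asked for; a GUID-based checklist would have missed it.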

#12 megawatt

  • Topic Starter
  • Members
  • 53 posts
  • Gender: Male

Posted 26 December 2007 - 10:30 AM

OK

I checkmarked O2 - BHO: (no name) - {2CD991EC-825C-4203-A979-D19CBC54FE3E} - C:\WINDOWS\system32\sstqr.dll

and clicked Fix; it removed it, but I ran another scan and it came back. Should I continue with your downloads and leave it there till later?

#13 megawatt

  • Topic Starter
  • Members
  • 53 posts
  • Gender: Male

Posted 26 December 2007 - 11:31 AM

MOVEIT LOG

C:\WINDOWS\system32\sstqr.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\sstqr.dll
C:\WINDOWS\system32\sstqr.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\sstqr.dll scheduled to be moved on reboot.
File/Folder C:\WINDOWS\system32\sstqr.ini not found.
File/Folder C:\WINDOWS\system32\sstqr.ini2 not found.
C:\WINDOWS\system32\rqtss.ini moved successfully.
C:\WINDOWS\system32\rqtss.ini2 moved successfully.

Created on 12/26/2007 10:42:10



COMBOFIX LOG

ComboFix 07-12-21.4 - Robbie 2007-12-26 11:01:32.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.37 [GMT -5:00]
Running from: C:\Documents and Settings\Robbie\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\rqtss.ini
C:\WINDOWS\system32\rqtss.ini2
C:\WINDOWS\system32\sstqr.dll

.
((((((((((((((((((((((((( Files Created from 2007-11-26 to 2007-12-26 )))))))))))))))))))))))))))))))
.

2007-12-26 10:47 . 2007-12-26 11:02 326,656 --a------ C:\WINDOWS\system32\sstqr.exe
2007-12-25 00:39 . 2007-12-25 00:39 <DIR> d-------- C:\Documents and Settings\Robbie\DoctorWeb
2007-12-24 10:55 . 2007-12-24 10:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2007-12-24 10:35 . 2007-12-24 10:35 <DIR> d-------- C:\Documents and Settings\Robbie\Application Data\Uniblue
2007-12-24 10:29 . 2007-12-24 10:29 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-24 01:01 . 2007-12-24 02:24 <DIR> d-------- C:\QUARANTINE
2007-12-24 00:46 . 2007-12-26 09:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2007-12-24 00:40 . 2007-12-24 00:40 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2007-12-24 00:40 . 2006-11-17 03:06 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2007-12-24 00:40 . 2006-11-30 08:50 168,776 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-12-24 00:40 . 2006-11-30 08:50 72,264 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-12-24 00:40 . 2006-11-30 08:50 64,360 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2007-12-24 00:40 . 2006-11-30 08:50 52,136 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2007-12-24 00:40 . 2006-11-30 08:50 34,152 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-12-24 00:40 . 2006-11-17 03:06 280 --a------ C:\WINDOWS\system32\epoPGPsdk.dll.sig
2007-12-24 00:38 . 2007-12-24 00:38 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-12-24 00:35 . 2007-12-24 00:35 <DIR> d-------- C:\temp\McAfee
2007-12-24 00:03 . 2007-12-24 00:03 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-12-24 00:03 . 2007-12-24 00:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2007-12-24 00:03 . 2007-12-24 00:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterVideo
2007-12-24 00:03 . 2007-12-24 00:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2007-12-24 00:02 . 2007-12-24 00:02 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-12-23 22:32 . 2006-03-20 14:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
2007-12-23 21:40 . 2007-12-24 00:02 <DIR> d-------- C:\Program Files\CA Yahoo! Anti-Spy
2007-12-23 17:16 . 2007-12-23 17:16 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-12-23 17:13 . 2007-12-23 19:26 <DIR> d--hs---- C:\WINDOWS\Um9iYmll
2007-12-23 17:13 . 2007-12-24 00:33 <DIR> d-------- C:\WINDOWS\system32\to9
2007-12-23 17:13 . 2007-12-24 00:33 <DIR> d-------- C:\WINDOWS\system32\dj2
2007-12-23 17:13 . 2007-12-23 17:23 <DIR> d-------- C:\WINDOWS\system32\bbc9
2007-12-23 17:13 . 2007-12-24 02:07 <DIR> d-------- C:\WINDOWS\system32\ardCo18
2007-12-23 17:13 . 2007-12-23 17:13 <DIR> d-------- C:\temp\cEeer12
2007-12-23 17:13 . 2007-12-23 17:13 134 --a------ C:\n.bat
2007-12-23 16:24 . 2007-12-23 16:24 <DIR> d-------- C:\Documents and Settings\Robbie\Application Data\ImgBurn
2007-12-23 16:20 . 2007-12-23 16:20 <DIR> d-------- C:\Program Files\ImgBurn
2007-12-23 15:48 . 2007-12-23 15:48 <DIR> d-------- C:\Program Files\7-Zip
2007-12-23 15:19 . 2007-12-23 15:19 <DIR> d-------- C:\Program Files\MSBuild
2007-12-23 15:18 . 2007-12-23 15:18 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-12-23 15:18 . 2007-12-23 15:18 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-12-23 15:17 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2007-12-23 15:12 . 2007-12-23 15:12 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-23 14:51 . 2007-12-23 14:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-17 18:48 . 2007-12-24 00:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-26 16:02 --------- d-----w C:\Program Files\QuickTime
2007-12-26 16:01 --------- d-----w C:\Program Files\AIM6
2007-12-24 05:50 --------- d-----w C:\Program Files\Yahoo!
2007-12-24 05:48 --------- d-----w C:\Program Files\Google
2007-12-24 05:40 --------- d-----w C:\Program Files\McAfee
2007-12-24 05:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-12-24 05:31 --------- d-----w C:\Program Files\SpeedFan
2007-12-24 05:01 --------- d--h--r C:\Documents and Settings\All Users\Application Data\yahoo!
2007-12-24 05:01 --------- d-----w C:\Program Files\worldtvradio
2007-12-24 02:38 --------- d--h--r C:\Documents and Settings\Robbie\Application Data\yahoo!
2007-12-23 22:50 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-23 22:42 --------- d-----w C:\Program Files\CACE Technologies
2007-12-21 04:06 28,672 ----a-w C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-12-08 13:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-12-06 14:29 --------- d-----w C:\Program Files\OpenOffice.org 2.1
2007-12-06 14:27 --------- d-----w C:\Documents and Settings\Robbie\Application Data\OpenOffice.org2
2007-11-19 23:33 --------- d-----w C:\Documents and Settings\Robbie\Application Data\U3
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-30 01:33 --------- d-----w C:\Program Files\worldTVRT
2007-10-29 15:18 --------- d-----w C:\Program Files\LEDSET
2007-10-23 00:30 150 ----a-w C:\Documents and Settings\Robbie\Application Data\wklnhst.dat
2006-12-29 02:20 92,064 ----a-w C:\Documents and Settings\Robbie\mqdmmdm.sys
2006-12-29 02:20 9,232 ----a-w C:\Documents and Settings\Robbie\mqdmmdfl.sys
2006-12-29 02:20 79,328 ----a-w C:\Documents and Settings\Robbie\mqdmserd.sys
2006-12-29 02:20 66,656 ----a-w C:\Documents and Settings\Robbie\mqdmbus.sys
2006-12-29 02:20 6,208 ----a-w C:\Documents and Settings\Robbie\mqdmcmnt.sys
2006-12-29 02:20 5,936 ----a-w C:\Documents and Settings\Robbie\mqdmwhnt.sys
2006-12-29 02:20 4,048 ----a-w C:\Documents and Settings\Robbie\mqdmcr.sys
2006-12-29 02:20 25,600 ----a-w C:\Documents and Settings\Robbie\usbsermptxp.sys
2006-12-29 02:20 22,768 ----a-w C:\Documents and Settings\Robbie\usbsermpt.sys
2005-07-29 21:24 472 --sha-r C:\WINDOWS\Um9iYmll\oA62sA55.vbs
.

((((((((((((((((((((((((((((( snapshot@2007-12-24_15.37.44.29 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 12:00:00 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
+ 2007-12-26 16:15:49 343,552 ----a-w C:\WINDOWS\system32\ctfmon.exe
- 2007-12-24 20:34:11 122,940 ----a-w C:\WINDOWS\system32\DLA\DLACTRLW .exe
+ 2007-12-26 16:16:11 122,940 ----a-w C:\WINDOWS\system32\DLA\DLACTRLW .exe
- 2007-12-24 20:06:28 476,160 ----a-w C:\WINDOWS\system32\DLA\DLACTRLW.exe
+ 2007-12-26 15:47:33 476,160 ----a-w C:\WINDOWS\system32\DLA\DLACTRLW.exe
- 2007-12-23 20:37:31 169,096 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2007-12-26 14:42:53 166,712 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF69D22D-7CCA-4B8F-AA9F-413E690F049B}]
2007-12-26 11:15 323072 --a------ C:\WINDOWS\system32\sstqr.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2007-12-26 11:15]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" []
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-12-26 11:16]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2007-12-26 10:47]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2007-12-26 10:47]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-12-26 11:16]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-26 10:47]
"AGRSMMSG"="AGRSMMSG.exe" [2006-03-03 23:29 C:\WINDOWS\agrsmmsg.exe]
"NDSTray.exe"="NDSTray.exe" []
"TPSMain"="TPSMain.exe" [2005-06-01 00:00 C:\WINDOWS\system32\TPSMain.exe]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2007-12-26 10:47]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-12-26 10:47]
"dla"="C:\WINDOWS\system32\dla\DLACTRLW.exe" [2007-12-26 10:47]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2007-12-26 10:47]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2007-12-26 10:47]
"TFncKy"="TFncKy.exe" []
"TDispVol"="TDispVol.exe" [2005-03-11 18:03 C:\WINDOWS\system32\TDispVol.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-12-09 17:49 C:\WINDOWS\RTHDCPL.exe]
"HostManager"="C:\Program Files\Common Files\AOL\1142882959\ee\AOLSoftware.exe" [2007-12-26 11:02]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2007-12-26 11:02]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2007-12-26 11:17]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2007-12-26 10:47]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" []
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-12-24 15:06]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-12-24 00:46:10]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2006-03-20 13:55:20]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\sstqr.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\sstqr

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)

S3 ICam7fil;Intel® CS431 Audio Filter Driver;C:\WINDOWS\system32\drivers\icam7fil.sys [2001-07-31 15:34]
S3 Icam7USB;Intel® PC Camera CS431;C:\WINDOWS\system32\Drivers\ICAM7D2.SYS [2001-07-31 15:34]
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-02-27 13:31]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-06-21 15:55]
S3 PhilCam8116;Logitech QuickCam Pro 3000 (08B0);C:\WINDOWS\system32\DRIVERS\CamDrO21.sys [2001-08-17 14:05]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77e7d262-96e9-11dc-9d65-0016e3564ba5}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-26 11:15:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\sstqr.dll
-> C:\WINDOWS\system32\TDispVol.dll
.
Completion time: 2007-12-26 11:20:18 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-25 00:07
C:\ComboFix3.txt ... 2007-12-24 15:38
.
2007-12-24 03:15:43 --- E O F ---
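The ComboFix report above lists the same sstqr component at three load points (the Browser Helper Objects key, the HKCU ...\Windows `load` value, and the LSA `Authentication Packages` list next to msv1_0) and shows sstqr.dll mapped into Explorer.EXE. That mapping is why the OTMoveIt log could only schedule the DLL for a move on reboot, and the report shows sstqr.exe, moved at 10:42, created again at 10:47: removing one file while another component of the same infection is still running does not stick. The following is an added example, not part of the thread and not code from ComboFix or its author. It pulls those load points out of a report in this format and applies two checks a practitioner would want: anything besides msv1_0 in Authentication Packages on Windows XP (msv1_0 is the only default entry, and LSASS loads every listed package at boot), and whether a file slated for removal is still mapped into a running process. The sample report is constructed from the lines posted above; the parser, the `XP_DEFAULT_AUTH_PACKAGES` baseline and the function names are this example's own.

```python
import re
from typing import Dict, List, Optional

# On Windows XP the LSA 'Authentication Packages' value holds only msv1_0 by
# default; every entry in the list is a DLL that LSASS loads at boot.
XP_DEFAULT_AUTH_PACKAGES = {"msv1_0"}

_DRIVE_PATH = re.compile(r"[A-Za-z]:\\.*$")


def parse_combofix(text: str) -> dict:
    """Extract the load points this triage needs from a ComboFix report:
    BHO CLSID -> DLL, the HKCU ...\\Windows 'load' value, the LSA
    'Authentication Packages' list, and DLLs seen in running processes."""
    bhos: Dict[str, str] = {}
    load: Optional[str] = None
    auth_packages: List[str] = []
    loaded: Dict[str, List[str]] = {}
    key: Optional[str] = None      # registry key of the current [...] block
    proc: Optional[str] = None     # process of the current "PROCESS:" block

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        if line.startswith("PROCESS:"):
            proc = line.split()[1]
            loaded[proc] = []
            continue
        if line.startswith("->") and proc:
            loaded[proc].append(line[2:].strip())
            continue
        if key is None:
            continue
        if "browser helper objects" in key:
            m = _DRIVE_PATH.search(line)          # "<date> <size> <attrs> C:\path"
            if m:
                bhos[key.rsplit("\\", 1)[-1].upper()] = m.group(0)
        elif key.endswith("currentversion\\windows") and line.lower().startswith('"load"='):
            load = line.split("=", 1)[1]
        elif key.endswith("control\\lsa") and line.startswith("Authentication Packages"):
            auth_packages = line.split("REG_MULTI_SZ", 1)[1].split()
    return {"bhos": bhos, "load": load, "auth_packages": auth_packages, "loaded": loaded}


def non_default_auth_packages(report: dict) -> List[str]:
    """Entries in 'Authentication Packages' that are not part of the XP default."""
    return [p for p in report["auth_packages"] if p.lower() not in XP_DEFAULT_AUTH_PACKAGES]


def loaded_in(report: dict, path: str) -> List[str]:
    """Processes that had this file mapped; non-empty means a plain file move
    will fail until reboot (what the OTMoveIt log reported for sstqr.dll)."""
    p = path.lower()
    return [proc for proc, dlls in report["loaded"].items() if any(d.lower() == p for d in dlls)]


def load_points_for(report: dict, stem: str) -> List[str]:
    """Every load point referencing a file whose base name starts with `stem`."""
    stem = stem.lower()

    def hit(path: str) -> bool:
        return path.rsplit("\\", 1)[-1].lower().startswith(stem)

    found = [f"BHO {c} -> {p}" for c, p in report["bhos"].items() if hit(p)]
    if report["load"] and hit(report["load"]):
        found.append(f"HKCU ...\\Windows load= -> {report['load']}")
    found += [f"LSA Authentication Packages -> {p}" for p in report["auth_packages"] if hit(p)]
    found += [f"mapped in {proc}: {d}"
              for proc, dlls in report["loaded"].items() for d in dlls if hit(d)]
    return found


# Constructed sample: the relevant lines of the ComboFix report posted above.
SAMPLE_REPORT = r"""
((((((((((((( Reg Loading Points )))))))))))))
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF69D22D-7CCA-4B8F-AA9F-413E690F049B}]
2007-12-26 11:15 323072 --a------ C:\WINDOWS\system32\sstqr.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\sstqr.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\sstqr

--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\sstqr.dll
-> C:\WINDOWS\system32\TDispVol.dll
"""

if __name__ == "__main__":
    report = parse_combofix(SAMPLE_REPORT)
    for point in load_points_for(report, "sstqr"):
        print(point)
    print("non-default auth packages:", non_default_auth_packages(report))
    print("sstqr.dll mapped in:", loaded_in(report, r"C:\WINDOWS\system32\sstqr.dll"))
```

The Authentication Packages check is the one to keep even after this thread's specific file is gone: a DLL listed there runs inside LSASS with every logon, so any entry beyond the platform default deserves an explanation before it is left in place.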

#14 megawatt

  • Topic Starter
  • Members
  • 53 posts
  • Gender: Male

Posted 27 December 2007 - 11:17 AM

I'm also getting this message when I try to log on to my employer's secure site. It runs an online checker, and this Microsoft box pops up:

suspicious process found
process name: explorer.exe
classification: embedded

process name: lsass.exe
classification: embedded

#15 megawatt

  • Topic Starter
  • Members
  • 53 posts
  • Gender: Male

Posted 27 December 2007 - 11:39 AM

I think I'm losing ground here. Internet Explorer windows sometimes keep freezing up and causing the CPU to max out at 100% until they unfreeze or I use Task Manager to close them.
I had best start putting my pics and stuff on CD; it's just so hard to remember what to save.

Thanks again, Rob



