HijackThis Log: Please Help Diagnose


13 replies to this topic

#1 woobie7

  • Members
  • 7 posts

Posted 17 January 2008 - 11:15 AM

--------------------------------------------------------------------------------

I am working with a PC that has malware on it. I have tried cleaning it up with Spybot and AdWare with no success. SpyBot was not able to remove half of the things found. At this time, the browser has a mind of its own and system resources are so low, to open a Windows Explorer window could take up to 10 minutes. Help.

Here is the HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:22:27 PM, on 1/14/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\lpcywinp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd .exe
C:\windows\system\hpsysdrv .exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon06.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon .exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\winshow .exe
C:\WINDOWS\mrofinu77.exe
C:\WINDOWS\troy44.exe
C:\WINDOWS\System32\kwinsldq.exe
C:\WINDOWS\troy44.exe
C:\WINDOWS\Gwang.exe
C:\WINDOWS\win32072272026865.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11 .exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2 .exe
C:\WINDOWS\System32\hphmon06 .exe
C:\Program Files\Cookie Washer\aolwasher.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32 .exe
C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
C:\Program Files\Common Files\?racle\w?crtupd.exe
C:\Program Files\kernel\kernel.exe
C:\Program Files\QdrPack\QdrPack11.exe
C:\WINDOWS\mrofinu77 .exe
C:\WINDOWS\troy44 .exe
C:\Program Files\Router\Router.exe
C:\WINDOWS\winshow .exe
C:\WINDOWS\Gwang .exe
C:\WINDOWS\System32\kwinsldq .exe
C:\WINDOWS\troy44 .exe
C:\SIERRA\CardStudio\PLNRnote.exe
C:\WINDOWS\win32072272026865 .exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
C:\Program Files\Cookie Washer\aolwasher .exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\kernel\kernel .exe
C:\Program Files\QdrPack\QdrPack11 .exe
C:\Program Files\Router\Router .exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Tiger Technologies\DeskFlag\deskflag.exe
C:\Program Files\Spruce\X_Spruce.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\SoftwareDistribution\Download\eb5ff0ae9fdaa24285c4924997a7aa90\update\update.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\win320652272026862008.exe
C:\Program Files\Internet Explorer Assistant\InternetExplorerAssistant.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\is-OHSJM.tmp\InternetExplorerAssistant.tmp
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe
c:\windows\system32\dwdsrngt.exe
C:\DOCUME~1\Owner\MYDOCU~1\ASEMBL~1\netdde.exe
c:\windows\system32\dwdsrngt .exe
C:\DOCUME~1\Owner\MYDOCU~1\ASEMBL~1\netdde.exe
C:\DOCUME~1\Owner\MYDOCU~1\ASEMBL~1\netdde .exe
c:\windows\system32\dwdsrngt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www6.comcast.net/a/
F3 - REG:win.ini: load=C:\WINDOWS\System32\ssqrr.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\lpcywinp.exe,C:\WINDOWS\system32\userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\Hewlett-Packard\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\System32\hphmon06.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow .exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A28452DA545E9B1894E754BE54C29159A7DBE80DC744B6CDE3F516CAC59B6
O4 - HKLM\..\Run: [troy44] C:\WINDOWS\troy44.exe
O4 - HKLM\..\Run: [{F8-82-24-4B-ZN}] c:\windows\system32\dwdsrngt .exe .exe .exe .exe .exe CHD001
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\kwinsldq .exe .exe .exe .exe .exe CHD001
O4 - HKLM\..\Run: [troy44 ] C:\WINDOWS\troy44 .exe
O4 - HKLM\..\Run: [TMT] C:\WINDOWS\Gwang.exe
O4 - HKLM\..\Run: [win32072272026865] C:\WINDOWS\win32072272026865.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ccWasher] c:\Program Files\Cookie Washer\aolwasher.exe /0
O4 - HKCU\..\Run: [Notn] "C:\DOCUME~1\Owner\MYDOCU~1\ASEMBL~1\netdde.exe" -vt yazb
O4 - HKCU\..\Run: [Ijtj] "C:\Program Files\Common Files\?racle\w?crtupd.exe"
O4 - HKCU\..\Run: [kernel] C:\Program Files\kernel\kernel.exe
O4 - HKCU\..\Run: [QdrPack11] "C:\Program Files\QdrPack\QdrPack11.exe"
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - Startup: DeskFlag.lnk = C:\Program Files\Tiger Technologies\DeskFlag\deskflag.exe
O4 - Startup: Spruce - Auto Update.lnk = C:\Program Files\Spruce\Spruce.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsrngt .exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\kwinsldq .exe
O4 - Global Startup: customize__IE.lnk = C:\hp\region\customizeIe.wsf
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\SIERRA\CardStudio\PLNRnote.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MsnFixer.lnk = ?
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1197932581671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1197932563640
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 9921 bytes

Any help would be appreciated,
Woobie 7
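An added example, not part of the thread or of HijackThis itself: a small Python triage script that applies, mechanically, the checks a helper applies by eye to a log like the one above. It flags a UserInit value holding anything besides userinit.exe (F2), a non-empty win.ini load= (F3), an O18 MIME filter on text/html, and O4 autoruns whose target has a space before .exe, whose value name is padded with whitespace, whose path contains the "?" that HijackThis prints for characters it cannot render, whose value name is a random-looking hex string, or which use rundll32 to load a DLL. The sample lines are copied from the posted log plus one legitimate HP entry; the rule set, the Finding structure and the function names are the example's own, and its output is a list of things to look at, not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted above, plus the
# legitimate hpsysdrv entry so the clean case is exercised as well.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINDOWS\System32\ssqrr.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\lpcywinp.exe,C:\WINDOWS\system32\userinit.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow .exe"
O4 - HKLM\..\Run: [troy44 ] C:\WINDOWS\troy44 .exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\kwinsldq .exe .exe .exe .exe .exe CHD001
O4 - HKLM\..\Run: [78cf82e4] rundll32.exe "C:\WINDOWS\System32\ijbftewo.dll",b
O4 - HKCU\..\Run: [Ijtj] "C:\Program Files\Common Files\?racle\w?crtupd.exe"
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
"""

# Line shapes as HijackThis 2.x prints them (only the sections this example checks).
O4_RE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<target>.*)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")
F3_RE = re.compile(r"^F3 - REG:win\.ini: load=(?P<value>.*)$")
O18_RE = re.compile(r"^O18 - Filter hijack: ")


@dataclass
class Finding:
    line: str
    reasons: list


def run_entry_reasons(name: str, target: str) -> list:
    """Heuristics for one O4 autorun entry; returns the reasons it looks suspicious."""
    reasons = []
    # "winshow .exe": a space before the extension mimics a legitimate name and
    # defeats naive matching on the real file name.
    if re.search(r"\s\.exe\b", target, re.IGNORECASE):
        reasons.append("whitespace inside executable name")
    # "[troy44 ]": a padded value name that coexists with, and shadows, a real-looking one.
    if name != name.strip():
        reasons.append("Run value name padded with whitespace")
    # HijackThis prints characters it cannot render as '?', so "?racle" is a
    # look-alike directory built from non-ASCII characters, not "Oracle".
    if "?" in target:
        reasons.append("unprintable character in path (look-alike name)")
    # Eight random hex digits as a value name is a common dropper convention.
    if re.fullmatch(r"[0-9a-f]{8}", name):
        reasons.append("value name is a random-looking hex string")
    # rundll32 loading an arbitrary DLL at logon deserves a second look.
    if re.match(r'^"?rundll32(\.exe)?"?\s', target, re.IGNORECASE):
        reasons.append("rundll32.exe used to load a DLL at logon")
    return reasons


def triage(log_text: str) -> list:
    """Walk a HijackThis log and return one Finding per suspicious line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = []
        if m := O4_RE.match(line):
            reasons = run_entry_reasons(m["name"], m["target"])
        elif m := F2_RE.match(line):
            # UserInit should name only the system userinit.exe; anything else
            # listed here runs at every interactive logon.
            entries = [e.strip() for e in m["value"].split(",") if e.strip()]
            extra = [e for e in entries if not e.lower().endswith(r"\userinit.exe")]
            if extra:
                reasons.append("UserInit hijack: extra logon executable " + ", ".join(extra))
        elif m := F3_RE.match(line):
            # win.ini load= is empty on a clean XP system.
            if m["value"].strip():
                reasons.append("win.ini load= is empty on a clean system")
        elif O18_RE.match(line):
            reasons.append("MIME filter for text/html intercepts every page the browser renders")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

The checks are deliberately narrow: they do not score or rank, and an entry that passes them (a random name under Program Files, for instance) still needs the usual lookup of the file itself. Run it as a script to see the sample flagged, or import it and call triage() on a log pasted into a string.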


#2 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 26 January 2008 - 09:38 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum.
My name is Richie and I'll be helping you to fix your problems.

Apologies for the late response; as I'm sure you can appreciate, we are extremely busy.

If you've already received help at another forum and your issues have been resolved, or you're presently receiving help elsewhere, then please let us know.

If you have not followed the info in the link below prior to posting your log, then please do so now:
Preparation Guide for use before posting a HijackThis Log:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If you still require help, please post a new HijackThis log into this topic in your next reply.

Also post a detailed description of the issues you're experiencing.

*Note*
Post all reports/logs directly into this topic, not as attachments, thanks.

#3 woobie7
  • Topic Starter

  • Members
  • 7 posts

Posted 31 January 2008 - 11:32 AM

Richie, I DO still need help. This afternoon I will be posting a recent HJT log. Thanks for your help.

#4 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 01 February 2008 - 05:50 AM

OK, thanks for the update.

#5 woobie7
  • Topic Starter

  • Members
  • 7 posts

Posted 01 February 2008 - 09:03 PM

Here is a copy of the latest HJT log. At this time, the PC is not very usable. Adware ran for about 6 hours before it completed. Windows take a few minutes to open. On occasion, 40 IE browser windows will open on their own. The task manager has been disabled, so it is nearly impossible to kill some of these processes or see what is eating up my CPU. I was also unable to perform a disk cleanup using Windows "cleanmgr". The utility analyzed the drive for about 4 hours with little progress. What temp directories does that tool clean? I could try to do it manually.

Please help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:48:37 PM, on 2/1/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\lpcywinp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\windows\system\hpsysdrv .exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd .exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon .exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon06.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\winshow .exe
C:\WINDOWS\mrofinu77.exe
C:\WINDOWS\troy44.exe
C:\WINDOWS\System32\kwinsldq.exe
C:\WINDOWS\troy44.exe
C:\WINDOWS\win32072272026865.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\Gwang.exe
C:\Program Files\Cookie Washer\aolwasher.exe
C:\Program Files\Common Files\?racle\w?crtupd.exe
C:\Program Files\kernel\kernel.exe
C:\Program Files\Router\Router.exe
C:\Program Files\QdrPack\QdrPack12.exe
C:\Program Files\QdrModule\QdrModule12.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2 .exe
C:\WINDOWS\System32\hphmon06 .exe
C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11 .exe
C:\WINDOWS\winshow .exe
C:\WINDOWS\mrofinu77 .exe
C:\Program Files\ScanSoft\OmniPageSE\opware32 .exe
C:\WINDOWS\System32\kwinsldq .exe
C:\WINDOWS\troy44 .exe
C:\WINDOWS\troy44 .exe
C:\WINDOWS\win32072272026865 .exe
C:\SIERRA\CardStudio\PLNRnote.exe
C:\WINDOWS\Gwang .exe
C:\Program Files\Cookie Washer\aolwasher .exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\kernel\kernel .exe
C:\Program Files\Router\Router .exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\QdrPack\QdrPack12 .exe
C:\Program Files\QdrModule\QdrModule12 .exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Tiger Technologies\DeskFlag\deskflag.exe
C:\Program Files\Spruce\X_Spruce.exe
C:\WINDOWS\winhlp32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe
C:\DOCUME~1\Owner\MYDOCU~1\ASEMBL~1\netdde.exe
c:\windows\system32\dwdsrngt.exe
c:\windows\system32\dwdsrngt .exe
C:\DOCUME~1\Owner\MYDOCU~1\ASEMBL~1\netdde.exe
C:\DOCUME~1\Owner\MYDOCU~1\ASEMBL~1\netdde.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www6.comcast.net/a/
F3 - REG:win.ini: load=C:\WINDOWS\System32\ssqrr.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\lpcywinp.exe,C:\WINDOWS\system32\userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\Hewlett-Packard\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\System32\hphmon06.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow .exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A28452DA545E9B1894E754BE54C29159A7DBE80DC744B6CDE3F516CAC59B6
O4 - HKLM\..\Run: [troy44] C:\WINDOWS\troy44.exe
O4 - HKLM\..\Run: [{F8-82-24-4B-ZN}] c:\windows\system32\dwdsrngt .exe .exe .exe .exe .exe .exe CHD001
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\kwinsldq .exe .exe .exe .exe .exe .exe CHD001
O4 - HKLM\..\Run: [troy44 ] C:\WINDOWS\troy44 .exe
O4 - HKLM\..\Run: [win32072272026865] C:\WINDOWS\win32072272026865.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [TMT] C:\WINDOWS\Gwang .exe
O4 - HKLM\..\Run: [78cf82e4] rundll32.exe "C:\WINDOWS\System32\ijbftewo.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ccWasher] c:\Program Files\Cookie Washer\aolwasher.exe /0
O4 - HKCU\..\Run: [Notn] "C:\DOCUME~1\Owner\MYDOCU~1\ASEMBL~1\netdde.exe" -vt yazb
O4 - HKCU\..\Run: [Ijtj] "C:\Program Files\Common Files\?racle\w?crtupd.exe"
O4 - HKCU\..\Run: [kernel] C:\Program Files\kernel\kernel.exe
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [QdrPack12] "C:\Program Files\QdrPack\QdrPack12.exe"
O4 - HKCU\..\Run: [QdrModule12] "C:\Program Files\QdrModule\QdrModule12.exe"
O4 - Startup: DeskFlag.lnk = C:\Program Files\Tiger Technologies\DeskFlag\deskflag.exe
O4 - Startup: Spruce - Auto Update.lnk = C:\Program Files\Spruce\Spruce.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsrngt .exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\kwinsldq .exe
O4 - Global Startup: customize__IE.lnk = C:\hp\region\customizeIe.wsf
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\SIERRA\CardStudio\PLNRnote.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MsnFixer.lnk = ?
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1197932581671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1197932563640
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 9782 bytes

#6 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 02 February 2008 - 04:34 AM

Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan services, then make some repairs to the registry and prompt you to press any key to reboot.
* Press any key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads, the fixtool will complete the removal and display Finished; then press any key to end the script and load your desktop icons.
* Finally, open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.


If you have previously downloaded ComboFix, please delete that version now.
Warning
You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, NOT for private use.
Using this tool incorrectly could render your system/PC inoperable.

Now download ComboFix by sUBs and save to your desktop.
Alternative ComboFix download link HERE.
Note
It is important that it is saved directly to your desktop.

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick ComboFix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your antivirus or any other realtime scanner is displaying an alert after you downloaded ComboFix or while you use ComboFix, please disable your scanner and redownload ComboFix again.
Some scanners may see some ComboFix-related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new HijackThis log please.

#7 woobie7
  • Topic Starter

  • Members
  • 7 posts

Posted 02 February 2008 - 11:34 PM

Richie,
I ran through all the suggested fixes you had given me.

Here are the logs you requested...
_____________________________________________________

SDFix:

SDFix: Version 1.135

Run by Owner on Sat 02/02/2008 at 11:43 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
core
kwiwexql

Path:
system32\drivers\core.sys
system32\drivers\fmtbycab.dat

core - Deleted
kwiwexql - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Service kwiwexql - Deleted after Reboot

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\system32\drivers\fmtbycab.dat - Deleted
C:\WINDOWS\SYSTEM32\IALMCOIN.DLL - Deleted
C:\AE1.TMP - Deleted
C:\AE2.TMP - Deleted
C:\PROGRA~1\MESSEN~1\RYBIMOD.DLL - Deleted
C:\PROGRA~1\MESSEN~1\VIKOBI~1.HTM - Deleted
C:\PROGRA~1\MESSEN~1\RYBIMOD - Deleted
C:\WINDOWS\SYSTEM32\BRCB48~1.DLL - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\WINDOWS\system32\Z1\aroblcidr31z.exe - Deleted
C:\Program Files\kernel\kernel .exe - Deleted
C:\Program Files\kernel\kernel.exe - Deleted
C:\Program Files\Router\Router .exe - Deleted
C:\Program Files\Router\Router.exe - Deleted
C:\Program Files\Router\UnInstall.exe - Deleted
C:\WINDOWS\b103.exe - Deleted
C:\WINDOWS\b104.exe - Deleted
C:\WINDOWS\b122.exe - Deleted
C:\WINDOWS\b138.exe - Deleted
C:\WINDOWS\b148.exe - Deleted
C:\WINDOWS\b151.exe - Deleted
C:\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M2210NetInstaller.exe - Deleted
C:\WINDOWS\mrofinu1000106.exe - Deleted
C:\WINDOWS\mrofinu77.exe - Deleted
C:\WINDOWS\mrofinu77.exe.tmp - Deleted
C:\WINDOWS\system32\drivers\core.cache(2).dsk - Deleted
C:\WINDOWS\system32\drivers\core.cache(3).dsk - Deleted
C:\WINDOWS\system32\drivers\core.cache(4).dsk - Deleted
C:\WINDOWS\system32\drivers\core.cache(5).dsk - Deleted
C:\WINDOWS\system32\w32sys0.exe - Deleted
C:\WINDOWS\system32\w32sys3.exe - Deleted
C:\WINDOWS\system32\w32sys5.exe - Deleted
C:\WINDOWS\system32\w32sys6.exe - Deleted
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\TA_Start.lnk - Deleted
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Think-Adz.lnk - Deleted
C:\WINDOWS\hotporn.exe - Deleted
C:\WINDOWS\ie_32.exe - Deleted
C:\WINDOWS\system32\drivers\core.cache.dsk - Deleted
C:\WINDOWS\system32\msnav32.ax - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\system32\zxdnt3d.cfg - Deleted
C:\WINDOWS\tk58.exe - Deleted
C:\WINDOWS\TTC-4444.exe - Deleted
C:\WINDOWS\winshow.exe - Deleted
C:\WINDOWS\system32\drivers\core.sys - Deleted



Folder C:\Program Files\kernel - Removed
Folder C:\Program Files\Router - Removed
Folder C:\Temp\1cb - Removed
Folder C:\Temp\tn3 - Removed
Folder C:\WINDOWS\system32\Z1 - Removed


Removing Temp Files...

ADS Check:



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 12:19:57
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:000000a4

scanning hidden files ...

C:\WINDOWS\hotporn.exe 23296 bytes
C:\WINDOWS\ie_32.exe 28160 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 2


Remaining Services:
------------------



Authorized Application Key Export:

Remaining Files:
---------------
C:\WINDOWS\hotporn.exe Found
C:\WINDOWS\ie_32.exe Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Thu 8 Sep 2005 4 A..H. --- "C:\WINDOWS\uccspecb.sys"
Sat 2 Feb 2008 210 ..SH. --- "C:\WINDOWS\system32\qavokxsk.dllbox"
Fri 25 Nov 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 9 Dec 2006 231,936 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL0441.tmp"
Thu 1 Nov 2007 230,400 ..SHR --- "C:\Program Files\Common Files\?racle\w?crtupd.exe"
Wed 4 Apr 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 4 Apr 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Wed 7 Nov 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv03.tmp"
Thu 3 Jan 2008 420,864 A.SHR --- "C:\Documents and Settings\Owner\My Documents\a?sembly\netdde.exe"
Mon 15 Nov 2004 2,096,640 ...H. --- "C:\Documents and Settings\Owner\My Documents\Music clipart\~WRL0929.tmp"
Fri 1 Dec 2006 757,248 ...H. --- "C:\Documents and Settings\Owner\My Documents\Music clipart\~WRL1938.tmp"
Thu 30 Nov 2006 663,552 ...H. --- "C:\Documents and Settings\Owner\My Documents\Music clipart\~WRL2001.tmp"
Sat 19 Mar 2005 644,608 ...H. --- "C:\Documents and Settings\Owner\My Documents\Music clipart\~WRL2579.tmp"
Tue 12 Apr 2005 95,892 ...H. --- "C:\Program Files\Comcast\Comcast PhotoShow 4\data\Comcast PhotoShow Deluxe.exe"
Thu 15 May 2003 43,008 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Fri 21 Feb 2003 1,206 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
Fri 21 Feb 2003 12,368 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"
Fri 9 Mar 2007 31,232 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Templates\~WRL0849.tmp"
Sun 7 May 2006 110,080 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL0553.tmp"
Mon 28 May 2007 126,464 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL0802.tmp"
Tue 29 May 2007 139,776 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL0817.tmp"
Sat 24 Dec 2005 137,728 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL1030.tmp"
Sun 27 May 2007 194,048 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL1105.tmp"
Sat 30 Sep 2006 1,302,016 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL1289.tmp"
Mon 28 May 2007 185,856 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL1754.tmp"
Tue 29 May 2007 126,464 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL2091.tmp"
Sat 24 Dec 2005 136,192 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL2245.tmp"
Wed 7 Dec 2005 27,648 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL2628.tmp"
Tue 29 May 2007 129,024 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL3307.tmp"
Fri 25 Nov 2005 4,348 ...H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1key.bak"
Fri 25 Nov 2005 20 A..H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1lic.bak"
Fri 25 Nov 2005 400 A.SH. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv2key.bak"

Finished!

________________________________________________________________________________

ComboFix

ComboFix 08-02.02.5 - Owner 2008-02-02 14:13:35.1 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\rqrpnom.dll
C:\WINDOWS\system32\ssqrr.dll
C:\DOCUME~1\Owner\MYDOCU~1\ASEMBL~1\netdde.exe
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin2.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin3.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin4.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin5.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin6.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin7.zip
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\Owner\Desktop\searchus.exe
C:\Documents and Settings\Owner\My Documents\ASEMBL~1
C:\Documents and Settings\Owner\My Documents\ASEMBL~1\netdde .exe
C:\Documents and Settings\Owner\My Documents\ASEMBL~1\netdde.exe
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\TA_Start.lnk
C:\hp\KBD\KBD.EXE
C:\Program Files\3721
C:\Program Files\3721\assist\asbar.dll
C:\Program Files\3721\helper.dll
C:\Program Files\Accoona
C:\Program Files\Accoona\ASearchAssist.dll
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\guid.dat
C:\Program Files\amsys\ijl15.dll
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\Coloreal\coloreal.exe
C:\Program Files\Common Files\krrm
C:\Program Files\Common Files\krrm\krrma.lck
C:\Program Files\Common Files\krrm\krrmd\class-barrel
C:\Program Files\Common Files\krrm\krrmd\vocabulary
C:\Program Files\Common Files\krrm\krrml.lck
C:\Program Files\Common Files\krrm\krrmm.exe
C:\Program Files\Common Files\krrm\krrmm.lck
C:\Program Files\Common Files\racle~1
C:\Program Files\Common Files\racle~1\w?crtupd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
C:\Program Files\Cookie Washer\aolwasher.exe
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\Hewlett-Packard\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ISM
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\QdrDrive9.dll
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dic.gz
C:\Program Files\QdrModule\kwd.gz
C:\Program Files\QdrModule\QdrModule12 .exe
C:\Program Files\QdrModule\QdrModule12.exe
C:\Program Files\QdrPack
C:\Program Files\QdrPack\carkazupd.exe
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\QdrPack11 .exe
C:\Program Files\QdrPack\QdrPack11.exe
C:\Program Files\QdrPack\QdrPack12 .exe
C:\Program Files\QdrPack\QdrPack12.exe
C:\Program Files\QdrPack\trgts.gz
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Spruce
C:\Program Files\Spruce\Spruce.dll
C:\Program Files\Spruce\Spruce.dll.intermediate.manifest
C:\Program Files\Spruce\Spruce.exe
C:\Program Files\Spruce\Spruce.info
C:\Program Files\Spruce\Spruce.original
C:\Program Files\Spruce\SpruceRg.dll
C:\Program Files\Spruce\un_SpruceSetup_17737.exe
C:\Program Files\Spruce\un_SpruceSetup_17737.txt
C:\Program Files\Spruce\X_Spruce.exe
C:\Program Files\Spruce\X_Spruce.log
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe
C:\Program Files\Zero Knowledge\Freedom\AutoStarterR.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\absolute key logger.lnk
C:\WINDOWS\aconti.exe
C:\WINDOWS\aconti.ini
C:\WINDOWS\aconti.log
C:\WINDOWS\aconti.sdb
C:\WINDOWS\acontidialer.txt
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\CREATOR\Remind_XP.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\default.htm
C:\WINDOWS\df87173.exe
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\Gwang .exe
C:\WINDOWS\Gwang.exe
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\hg173.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\IA
C:\WINDOWS\IA\KE.vbs
C:\WINDOWS\ie_32.exe
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\krrm
C:\WINDOWS\krrm\krrm.dat
C:\WINDOWS\krrm\wu
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\kvnab.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\settn.dll
C:\WINDOWS\SMINST\RECGUARD.EXE
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system\hpsysdrv.exe
C:\WINDOWS\system32\_000003_.tmp.dll
C:\WINDOWS\system32\_000004_.tmp.dll
C:\WINDOWS\system32\_000005_.tmp.dll
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\_000007_.tmp.dll
C:\WINDOWS\system32\_000008_.tmp.dll
C:\WINDOWS\system32\_000009_.tmp.dll
C:\WINDOWS\system32\_000010_.tmp.dll
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\acespy
C:\WINDOWS\system32\acespy\__acelog.ndx
C:\WINDOWS\system32\acespy\systune.exe
C:\WINDOWS\system32\din.ip
C:\WINDOWS\system32\dpqaqlqx.bin
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\dwdsrngt.exe
C:\WINDOWS\system32\egmulhxk.dll
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\system32\ijbftewo.dll
C:\WINDOWS\system32\imdtsewx.dll
C:\WINDOWS\system32\kwinsldq .exe
C:\WINDOWS\system32\kwinsldq.exe
C:\WINDOWS\system32\lpcywinp.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\owetfbji.ini
C:\WINDOWS\system32\qavokxsk.dll
C:\WINDOWS\system32\qavokxsk.dll . . . . failed to delete
C:\WINDOWS\system32\qavokxsk.dllbox
C:\WINDOWS\system32\RCX69.tmp
C:\WINDOWS\system32\RCX6A.tmp
C:\WINDOWS\system32\RCX6B.tmp
C:\WINDOWS\system32\RCX6C.tmp
C:\WINDOWS\system32\RCX6D.tmp
C:\WINDOWS\system32\RCX6E.tmp
C:\WINDOWS\system32\RCX6F.tmp
C:\WINDOWS\system32\RCX70.tmp
C:\WINDOWS\system32\rqrpnom.dll
C:\WINDOWS\system32\rrqss.ini
C:\WINDOWS\system32\rrqss.ini2
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
C:\WINDOWS\system32\ssqrr.dll
C:\WINDOWS\system32\ssqrr.exe
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\sznf.ascii
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\system32\wtstr32.exe
C:\WINDOWS\system32\ymjegeoa.dll
C:\WINDOWS\troy44 .exe
C:\WINDOWS\troy44.exe
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\win32072272026865 .exe
C:\WINDOWS\win32072272026865.exe
C:\WINDOWS\win32082720268652.exe
C:\WINDOWS\winshow .exe
C:\WINDOWS\winshow .exe
C:\WINDOWS\winshow .exe
C:\WINDOWS\winshow .exe
C:\WINDOWS\winshow .exe
C:\WINDOWS\winshow .exe
C:\WINDOWS\winshow .exe
C:\WINDOWS\winshow .exe
C:\WINDOWS\winshow .exe
C:\WINDOWS\winshow .exe
C:\WINDOWS\winshow .exe
C:\WINDOWS\winshow .exe
C:\WINDOWS\winshow .exe
C:\WINDOWS\winshow .exe
C:\WINDOWS\winshow .exe
C:\WINDOWS\winshow .exe
C:\WINDOWS\winshow .exe
C:\WINDOWS\winshow .exe
C:\WINDOWS\winshow .exe
C:\WINDOWS\winshow .exe
C:\WINDOWS\wml.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE


((((((((((((((((((((((((( Files Created from 2008-01-03 to 2008-02-03 )))))))))))))))))))))))))))))))
.

2008-02-02 18:21 . 2008-02-02 18:24 134 ---hs---- C:\WINDOWS\system32\qavokxsk.dllbox
2008-02-02 11:38 . 2008-02-02 11:38 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-02 11:23 . 2008-02-02 13:00 <DIR> d-------- C:\SDFix
2008-02-01 17:00 . 2008-02-02 14:44 163,904 --a------ C:\WINDOWS\system32\qavokxsk.dll
2008-02-01 16:35 . 2008-02-02 14:18 57,352 --a------ C:\WINDOWS\system32\dwdsrngt .exe
2008-02-01 06:42 . 2008-02-01 06:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-01-14 22:15 . 2008-01-14 22:41 <DIR> d-------- C:\Program Files\Internet Explorer Assistant
2008-01-05 03:11 . 2008-01-05 03:11 70 --a------ C:\WINDOWS\D065B29C.ini
2008-01-04 23:07 . 2008-01-04 23:07 <DIR> d-------- C:\Program Files\RcvSystem
2008-01-04 09:29 . 2008-01-04 09:29 <DIR> d--h-c--- C:\WINDOWS\$SQLUninstallMDAC28-KB911562-x86-ENU$
2008-01-04 08:51 . 2003-02-28 16:34 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2008-01-04 08:51 . 2003-02-28 18:26 171,280 --a------ C:\WINDOWS\system32\jit.dll
2008-01-04 08:51 . 2003-02-28 18:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2008-01-04 08:51 . 2003-02-28 18:26 46,352 --a------ C:\WINDOWS\setdebug.exe
2008-01-04 08:51 . 2003-02-28 16:54 7,315 --a------ C:\WINDOWS\system32\javasup.vxd
2008-01-04 08:51 . 2003-02-28 16:35 6,550 --a------ C:\WINDOWS\jautoexp.dat
2008-01-04 07:36 . 2002-08-29 02:01 134,272 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2008-01-04 07:36 . 2002-08-29 02:01 134,272 --a--c--- C:\WINDOWS\system32\dllcache\portcls.sys
2008-01-04 07:36 . 2002-08-29 02:13 131,712 --a------ C:\WINDOWS\system32\drivers\ks.sys
2008-01-04 07:36 . 2002-08-29 02:13 131,712 --a--c--- C:\WINDOWS\system32\dllcache\ks.sys
2008-01-04 07:36 . 2001-08-17 22:37 117,248 --a------ C:\WINDOWS\system32\ksproxy.ax
2008-01-04 07:36 . 2001-08-17 22:37 117,248 --a--c--- C:\WINDOWS\system32\dllcache\ksproxy.ax
2008-01-04 07:36 . 2002-08-29 01:32 57,856 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2008-01-04 07:36 . 2002-08-29 01:32 57,856 --a--c--- C:\WINDOWS\system32\dllcache\drmk.sys
2008-01-04 07:36 . 2002-08-29 01:32 44,416 --a------ C:\WINDOWS\system32\drivers\stream.sys
2008-01-04 07:36 . 2002-08-29 01:32 44,416 --a--c--- C:\WINDOWS\system32\dllcache\stream.sys
2008-01-03 22:22 . 2005-10-20 16:33 991,232 --a------ C:\WINDOWS\system32\esent.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-02 20:43 --------- d-----w C:\Program Files\Cookie Washer
2008-02-02 20:43 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-02 20:43 --------- d-----w C:\Program Files\Coloreal
2008-02-02 20:05 18,432 ----a-w C:\WINDOWS\fkwggshm.exe
2008-01-03 01:13 --------- d-----w C:\Program Files\Symantec
2008-01-03 01:13 --------- d-----w C:\Program Files\Norton AntiVirus
2008-01-03 00:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-02 11:27 --------- d-----w C:\Documents and Settings\Owner\Application Data\Canon
2008-01-01 01:38 --------- d-----w C:\Program Files\LD Supreme
2007-12-30 14:08 --------- d-----w C:\Program Files\FinePixViewer
2007-12-27 13:25 6,656 ----a-w C:\autopiir.exe
2007-12-27 13:25 6,656 ----a-w C:\autooygc.exe
2007-12-27 13:25 6,656 ----a-w C:\autoihzi.exe
2007-12-27 13:25 6,656 ----a-w C:\autoaxuu.exe
2007-12-27 13:24 6,656 ----a-w C:\autovrfd.exe
2007-12-27 13:24 6,656 ----a-w C:\autoqmtz.exe
2007-12-27 13:24 6,656 ----a-w C:\autofksd.exe
2007-12-21 07:21 126,448 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2007-12-18 03:18 --------- d-----w C:\Program Files\Cosmi
2007-12-18 03:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-18 03:08 --------- d-----w C:\Program Files\Sony Corporation
2007-12-18 03:07 --------- d-----w C:\Program Files\Common Files\muvee Technologies
2007-12-18 02:43 --------- d-----w C:\Program Files\Sierra On-Line
2007-12-18 02:10 --------- d-----w C:\Program Files\The Print Shop Deluxe III
2007-12-07 05:36 --------- d-----w C:\Program Files\HP
2007-12-07 05:36 --------- d-----w C:\Documents and Settings\Owner\Application Data\Printer Info Cache
2007-12-07 05:36 --------- d-----w C:\Documents and Settings\Owner\Application Data\Image Zone Express
2007-12-07 05:30 43,672 ----a-w C:\WINDOWS\system32\drivers\AFS2K.SYS
2007-12-06 04:50 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared
2007-12-04 00:21 --------- d-----r C:\Program Files\Net Nanny
2007-12-04 00:04 --------- d-----w C:\Program Files\AWS
2007-12-03 10:59 4,466 --sha-r C:\WINDOWS\system32\drivers\HP_DF247A-ABA 725N_YC_Pavi_QMX3141_E32NAheBLU3 _4_IA7N8X-LA_SASUSTeK Computer INC._V1.04_B3.03_T030304_WXH1_L409_M448_J80_7AMD_8Athlon XP 2400+_92_110DE006E_N10DE0066_P_Z11C1044E_K_A10DE006A_U10DE0067_G10DE01F0.MRK
.
<pre>
----a-w			61,440 2008-02-02 19:49:22  C:\hp\KBD\KBD .EXE
----a-w		   131,072 2008-02-02 19:48:51  C:\Program Files\Coloreal\coloreal .exe
----a-w			54,976 2008-02-02 19:49:03  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w			59,072 2008-02-02 19:49:04  C:\Program Files\Common Files\Symantec Shared\ccRegVfy .exe
----a-w		 2,982,400 2008-02-02 01:30:47  C:\Program Files\Cookie Washer\aolwasher .exe
----a-w			69,632 2008-02-02 19:48:44  C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon .exe
----a-w			69,632 2008-02-02 19:48:39  C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd .exe
----a-w			49,152 2008-02-02 19:49:09  C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2 .exe
----a-w			49,152 2008-02-02 19:49:13  C:\Program Files\Hewlett-Packard\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06 .exe
----a-w		   241,664 2008-02-02 19:49:15  C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
----a-w		 1,670,144 2008-02-02 19:49:51  C:\Program Files\Messenger\msmsgs .exe
----a-w			49,152 2008-02-02 19:49:21  C:\Program Files\ScanSoft\OmniPageSE\opware32 .exe
----a-w		   155,648 2008-02-02 19:48:51  C:\Program Files\VERITAS Software\Update Manager\sgtray .exe
----a-w			86,016 2008-02-02 19:49:07  C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu .exe
----a-w			20,539 2008-01-05 09:07:38  C:\Program Files\Zero Knowledge\Freedom\AutoStarterR .exe
----a-w		   167,990 2008-02-02 19:49:48  C:\Program Files\Zero Knowledge\Freedom\Freedom .exe
----a-w		   315,392 2008-02-02 19:48:56  C:\WINDOWS\CREATOR\Remind_XP .exe
----a-w		   212,992 2008-02-02 19:48:54  C:\WINDOWS\SMINST\RECGUARD .EXE
----a-w			52,736 2008-02-02 19:48:35  C:\WINDOWS\system\hpsysdrv .exe
----a-w			57,352 2008-02-02 20:18:14  C:\WINDOWS\system32\dwdsrngt .exe
----a-w		   114,688 2008-02-02 19:48:39  C:\WINDOWS\system32\hkcmd .exe
----a-w		   659,456 2008-02-02 19:49:19  C:\WINDOWS\system32\hphmon06 .exe
----a-w		   172,032 2008-02-02 19:49:11  C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11 .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{35D1E8FD-C62C-45BA-82C9-979E7C96560C}]
C:\WINDOWS\System32\browseui(30.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59693FA9-25A3-4D8C-BB03-35658A5D83DA}]
2008-01-01 21:41 274432 --a------ C:\PROGRA~1\INTERN~2\INTERN~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6F2F54E1-F00D-4395-AB6E-6076703983BA}]
2007-08-02 07:43 282624 --a------ C:\Program Files\Windows Media Player\nipys4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7BC685F3-4155-4294-93E1-0BDF2962BAFC}]
2007-08-02 07:43 282624 --a------ C:\Program Files\Windows Media Player\nipys83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2008-02-02 14:44 163904 --a------ C:\WINDOWS\system32\qavokxsk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CB8BF713-63D0-3B78-892F-4FE602F05EE4}]
2007-11-01 07:44 60928 --a------ C:\WINDOWS\System32\lnxhevif.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"ccWasher"="\aolwasher.exe" [ ]
"Notn"="C:\DOCUME~1\Owner\MYDOCU~1\ASEMBL~1\netdde.exe" [ ]
"Ijtj"="C:\Program Files\Common Files\?racle\w?crtupd.exe" [ ]
"Zero Knowledge Freedom"="C:\Program Files\Zero Knowledge\Freedom\Freedom.exe" [ ]
"QdrPack12"="C:\Program Files\QdrPack\QdrPack12.exe" [ ]
"QdrModule12"="C:\Program Files\QdrModule\QdrModule12.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [ ]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [ ]
"Share-to-Web Namespace Daemon"="c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [ ]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [ ]
"StorageGuard"="C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [ ]
"AutoTBar"="C:\hp\bin\autotbar.exe" [ ]
"WCOLOREAL"="C:\Program Files\Coloreal\coloreal.exe" [ ]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [ ]
"Reminder"="C:\Windows\Creator\Remind_XP.exe" [ ]
"nwiz"="nwiz.exe" [2002-09-10 00:35 372736 C:\WINDOWS\system32\nwiz.exe]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
"ccRegVfy"="c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [ ]
"DDCActiveMenu"="C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" [ ]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [ ]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe" [ ]
"HPHUPD06"="C:\Program Files\Hewlett-Packard\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [ ]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [ ]
"HPHmon06"="C:\WINDOWS\System32\hphmon06.exe" [ ]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [ ]
"KBD"="C:\HP\KBD\KBD.EXE" [ ]
"troy44 "="C:\WINDOWS\troy44 .exe" [ ]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
DeskFlag.lnk - C:\Program Files\Tiger Technologies\DeskFlag\deskflag.exe [2001-10-10 12:44:44 184320]
Spruce - Auto Update.lnk - C:\QooBox\Quarantine\C\Program Files\Spruce\Spruce.exe.vir [2008-01-02 10:18:35 178390]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qavokxsk]
qavokxsk.dll 2008-02-02 14:44 163904 C:\WINDOWS\system32\qavokxsk.dll


.
Contents of the 'Scheduled Tasks' folder
"2007-12-06 04:10:08 C:\WINDOWS\Tasks\HP Usg Daily FY04.job"
- C:\Program Files\Hewlett-Packard\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped06.exe
"2007-12-06 04:11:54 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 18:22:29
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\qavokxsk.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2800.1106]
-> C:\WINDOWS\system32\qavokxsk.dll
.
------------------------ Other Running Processes ------------------------
.
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\SIERRA\CardStudio\PLNRnote.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2008-02-02 18:45:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-03 00:45:54
.
2008-01-06 09:40:27 --- E O F ---

____________________________________________________________

HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:16:14 PM, on 2/2/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\SIERRA\CardStudio\PLNRnote.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Tiger Technologies\DeskFlag\deskflag.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www6.comcast.net/a/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {35D1E8FD-C62C-45BA-82C9-979E7C96560C} - C:\WINDOWS\System32\browseui(30.dll (file missing)
O2 - BHO: Freedom Popup Killer - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: CInternetExplorerAssistant - {59693FA9-25A3-4D8C-BB03-35658A5D83DA} - C:\PROGRA~1\INTERN~2\INTERN~1.DLL
O2 - BHO: (no name) - {6F2F54E1-F00D-4395-AB6E-6076703983BA} - C:\Program Files\Windows Media Player\nipys4444.dll
O2 - BHO: (no name) - {7BC685F3-4155-4294-93E1-0BDF2962BAFC} - C:\Program Files\Windows Media Player\nipys83122.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\qavokxsk.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CB8BF713-63D0-3B78-892F-4FE602F05EE4} - C:\WINDOWS\System32\lnxhevif.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\Hewlett-Packard\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\System32\hphmon06.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [troy44 ] C:\WINDOWS\troy44 .exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ccWasher] \aolwasher.exe /0
O4 - HKCU\..\Run: [Notn] "C:\DOCUME~1\Owner\MYDOCU~1\ASEMBL~1\netdde.exe" -vt yazb
O4 - HKCU\..\Run: [Ijtj] "C:\Program Files\Common Files\?racle\w?crtupd.exe"
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [QdrPack12] "C:\Program Files\QdrPack\QdrPack12.exe"
O4 - HKCU\..\Run: [QdrModule12] "C:\Program Files\QdrModule\QdrModule12.exe"
O4 - Startup: DeskFlag.lnk = C:\Program Files\Tiger Technologies\DeskFlag\deskflag.exe
O4 - Startup: Spruce - Auto Update.lnk = C:\QooBox\Quarantine\C\Program Files\Spruce\Spruce.exe.vir
O4 - Global Startup: customize__IE.lnk = C:\hp\region\customizeIe.wsf
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\SIERRA\CardStudio\PLNRnote.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MsnFixer.lnk = ?
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1197932581671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1197932563640
O20 - Winlogon Notify: qavokxsk - C:\WINDOWS\SYSTEM32\qavokxsk.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 7778 bytes
_______________________________________________________________

When I boot now, I get a warning about a couple files:

"Windows Cannot Open The File Spruce.exe.vir"
Windows also tries to reinstall HPProductAssistant. I would think this is just something packaged with printer software.

#8 RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 03 February 2008 - 05:21 AM

Copy and paste ALL the following text in the code box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.
File::
C:\WINDOWS\system32\qavokxsk.dllbox
C:\WINDOWS\fkwggshm.exe
C:\autopiir.exe
C:\autooygc.exe
C:\autoihzi.exe
C:\autoaxuu.exe
C:\autovrfd.exe
C:\autoqmtz.exe
C:\autofksd.exe
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Spruce - Auto Update.lnk - C:\QooBox\Quarantine\C\Program Files\Spruce\Spruce.exe.vir
Folder::
C:\Program Files\RcvSystem
RenV::
----a-w 61,440 2008-02-02 19:49:22  C:\hp\KBD\KBD .EXE
----a-w 131,072 2008-02-02 19:48:51  C:\Program Files\Coloreal\coloreal .exe
----a-w 54,976 2008-02-02 19:49:03  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w 59,072 2008-02-02 19:49:04  C:\Program Files\Common Files\Symantec Shared\ccRegVfy .exe
----a-w 2,982,400 2008-02-02 01:30:47  C:\Program Files\Cookie Washer\aolwasher .exe
----a-w 69,632 2008-02-02 19:48:44  C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon .exe
----a-w 69,632 2008-02-02 19:48:39  C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd .exe
----a-w 49,152 2008-02-02 19:49:09  C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2 .exe
----a-w 49,152 2008-02-02 19:49:13  C:\Program Files\Hewlett-Packard\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06 .exe
----a-w 241,664 2008-02-02 19:49:15  C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
----a-w 1,670,144 2008-02-02 19:49:51  C:\Program Files\Messenger\msmsgs .exe
----a-w 49,152 2008-02-02 19:49:21  C:\Program Files\ScanSoft\OmniPageSE\opware32 .exe
----a-w 155,648 2008-02-02 19:48:51  C:\Program Files\VERITAS Software\Update Manager\sgtray .exe
----a-w 86,016 2008-02-02 19:49:07  C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu .exe
----a-w 20,539 2008-01-05 09:07:38  C:\Program Files\Zero Knowledge\Freedom\AutoStarterR .exe
----a-w 167,990 2008-02-02 19:49:48  C:\Program Files\Zero Knowledge\Freedom\Freedom .exe
----a-w 315,392 2008-02-02 19:48:56  C:\WINDOWS\CREATOR\Remind_XP .exe
----a-w 212,992 2008-02-02 19:48:54  C:\WINDOWS\SMINST\RECGUARD .EXE
----a-w 52,736 2008-02-02 19:48:35  C:\WINDOWS\system\hpsysdrv .exe
----a-w 57,352 2008-02-02 20:18:14  C:\WINDOWS\system32\dwdsrngt .exe
----a-w 114,688 2008-02-02 19:48:39  C:\WINDOWS\system32\hkcmd .exe
----a-w 659,456 2008-02-02 19:49:19  C:\WINDOWS\system32\hphmon06 .exe
----a-w 172,032 2008-02-02 19:49:11  C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11 .exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{35D1E8FD-C62C-45BA-82C9-979E7C96560C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59693FA9-25A3-4D8C-BB03-35658A5D83DA}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6F2F54E1-F00D-4395-AB6E-6076703983BA}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7BC685F3-4155-4294-93E1-0BDF2962BAFC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CB8BF713-63D0-3B78-892F-4FE602F05EE4}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Notn"=-
"Ijtj"=-
"QdrPack12"=-
"QdrModule12"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"troy44 "=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qavokxsk]
Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[image: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.

#9 woobie7
  • Topic Starter
  • Members
  • 7 posts

Posted 03 February 2008 - 12:09 PM

After running ComboFix again, here are the latest logs.

ComboFix:

ComboFix 08-02.02.5 - Owner 2008-02-03 10:03:28.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.213 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\autoaxuu.exe
C:\autofksd.exe
C:\autoihzi.exe
C:\autooygc.exe
C:\autopiir.exe
C:\autoqmtz.exe
C:\autovrfd.exe
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Spruce - Auto Update.lnk - C:\QooBox\Quarantine\C\Program Files\Spruce\Spruce.exe.vir
C:\WINDOWS\fkwggshm.exe
C:\WINDOWS\system32\qavokxsk.dllbox
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autoaxuu.exe
C:\autofksd.exe
C:\autoihzi.exe
C:\autooygc.exe
C:\autopiir.exe
C:\autoqmtz.exe
C:\autovrfd.exe
C:\Program Files\RcvSystem
C:\Program Files\RcvSystem\httpdchk.dll
C:\WINDOWS\fkwggshm.exe
C:\WINDOWS\system32\dwdsrngt.exe
C:\WINDOWS\system32\qavokxsk.dllbox

.
((((((((((((((((((((((((( Files Created from 2008-01-03 to 2008-02-03 )))))))))))))))))))))))))))))))
.

2008-02-02 11:38 . 2008-02-02 11:38 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-02 11:23 . 2008-02-02 13:00 <DIR> d-------- C:\SDFix
2008-02-01 06:42 . 2008-02-01 06:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-01-14 22:15 . 2008-01-14 22:41 <DIR> d-------- C:\Program Files\Internet Explorer Assistant
2008-01-05 03:11 . 2008-01-05 03:11 70 --a------ C:\WINDOWS\D065B29C.ini
2008-01-04 09:29 . 2008-01-04 09:29 <DIR> d--h-c--- C:\WINDOWS\$SQLUninstallMDAC28-KB911562-x86-ENU$
2008-01-04 08:51 . 2003-02-28 16:34 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2008-01-04 08:51 . 2003-02-28 18:26 171,280 --a------ C:\WINDOWS\system32\jit.dll
2008-01-04 08:51 . 2003-02-28 18:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2008-01-04 08:51 . 2003-02-28 18:26 46,352 --a------ C:\WINDOWS\setdebug.exe
2008-01-04 08:51 . 2003-02-28 16:54 7,315 --a------ C:\WINDOWS\system32\javasup.vxd
2008-01-04 08:51 . 2003-02-28 16:35 6,550 --a------ C:\WINDOWS\jautoexp.dat
2008-01-04 07:36 . 2002-08-29 02:01 134,272 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2008-01-04 07:36 . 2002-08-29 02:01 134,272 --a--c--- C:\WINDOWS\system32\dllcache\portcls.sys
2008-01-04 07:36 . 2002-08-29 02:13 131,712 --a------ C:\WINDOWS\system32\drivers\ks.sys
2008-01-04 07:36 . 2002-08-29 02:13 131,712 --a--c--- C:\WINDOWS\system32\dllcache\ks.sys
2008-01-04 07:36 . 2001-08-17 22:37 117,248 --a------ C:\WINDOWS\system32\ksproxy.ax
2008-01-04 07:36 . 2001-08-17 22:37 117,248 --a--c--- C:\WINDOWS\system32\dllcache\ksproxy.ax
2008-01-04 07:36 . 2002-08-29 01:32 57,856 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2008-01-04 07:36 . 2002-08-29 01:32 57,856 --a--c--- C:\WINDOWS\system32\dllcache\drmk.sys
2008-01-04 07:36 . 2002-08-29 01:32 44,416 --a------ C:\WINDOWS\system32\drivers\stream.sys
2008-01-04 07:36 . 2002-08-29 01:32 44,416 --a--c--- C:\WINDOWS\system32\dllcache\stream.sys
2008-01-03 22:22 . 2005-10-20 16:33 991,232 --a------ C:\WINDOWS\system32\esent.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-03 16:03 --------- d-----w C:\Program Files\Cookie Washer
2008-02-03 16:03 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-03 16:03 --------- d-----w C:\Program Files\Coloreal
2008-02-02 19:49 659,456 ----a-w C:\WINDOWS\system32\hphmon06.exe
2008-02-02 19:48 114,688 ----a-w C:\WINDOWS\system32\hkcmd.exe
2008-01-03 01:52 409,088 ----a-w C:\WINDOWS\system32\krdsrngp.exe
2008-01-03 01:13 --------- d-----w C:\Program Files\Symantec
2008-01-03 01:13 --------- d-----w C:\Program Files\Norton AntiVirus
2008-01-03 00:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-02 11:27 --------- d-----w C:\Documents and Settings\Owner\Application Data\Canon
2008-01-01 01:38 --------- d-----w C:\Program Files\LD Supreme
2007-12-30 14:08 --------- d-----w C:\Program Files\FinePixViewer
2007-12-21 07:21 126,448 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2007-12-18 03:18 --------- d-----w C:\Program Files\Cosmi
2007-12-18 03:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-18 03:08 --------- d-----w C:\Program Files\Sony Corporation
2007-12-18 03:07 --------- d-----w C:\Program Files\Common Files\muvee Technologies
2007-12-18 02:43 --------- d-----w C:\Program Files\Sierra On-Line
2007-12-18 02:10 --------- d-----w C:\Program Files\The Print Shop Deluxe III
2007-12-07 05:36 --------- d-----w C:\Program Files\HP
2007-12-07 05:36 --------- d-----w C:\Documents and Settings\Owner\Application Data\Printer Info Cache
2007-12-07 05:36 --------- d-----w C:\Documents and Settings\Owner\Application Data\Image Zone Express
2007-12-07 05:30 43,672 ----a-w C:\WINDOWS\system32\drivers\AFS2K.SYS
2007-12-06 04:50 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared
2007-12-04 00:21 --------- d-----r C:\Program Files\Net Nanny
2007-12-04 00:04 --------- d-----w C:\Program Files\AWS
2007-12-03 10:59 4,466 --sha-r C:\WINDOWS\system32\drivers\HP_DF247A-ABA 725N_YC_Pavi_QMX3141_E32NAheBLU3 _4_IA7N8X-LA_SASUSTeK Computer INC._V1.04_B3.03_T030304_WXH1_L409_M448_J80_7AMD_8Athlon XP 2400+_92_110DE006E_N10DE0066_P_Z11C1044E_K_A10DE006A_U10DE0067_G10DE01F0.MRK
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-02-02 13:49 1670144]
"ccWasher"="\aolwasher.exe" [ ]
"Zero Knowledge Freedom"="C:\Program Files\Zero Knowledge\Freedom\Freedom.exe" [2008-02-02 13:49 167990]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [2008-02-02 13:48 52736]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2008-02-02 13:48 114688]
"Share-to-Web Namespace Daemon"="c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2008-02-02 13:48 69632]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2008-02-02 13:48 69632]
"StorageGuard"="C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2008-02-02 13:48 155648]
"AutoTBar"="C:\hp\bin\autotbar.exe" [ ]
"WCOLOREAL"="C:\Program Files\Coloreal\coloreal.exe" [2008-02-02 13:48 131072]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2008-02-02 13:48 212992]
"Reminder"="C:\Windows\Creator\Remind_XP.exe" [2008-02-02 13:48 315392]
"nwiz"="nwiz.exe" [2002-09-10 00:35 372736 C:\WINDOWS\system32\nwiz.exe]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-02 13:49 54976]
"ccRegVfy"="c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2008-02-02 13:49 59072]
"DDCActiveMenu"="C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" [2008-02-02 13:49 86016]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2008-02-02 13:49 49152]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe" [2008-02-02 13:49 172032]
"HPHUPD06"="C:\Program Files\Hewlett-Packard\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2008-02-02 13:49 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2008-02-02 13:49 241664]
"HPHmon06"="C:\WINDOWS\System32\hphmon06.exe" [2008-02-02 13:49 659456]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2008-02-02 13:49 49152]
"KBD"="C:\HP\KBD\KBD.EXE" [2008-02-02 13:49 61440]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
DeskFlag.lnk - C:\Program Files\Tiger Technologies\DeskFlag\deskflag.exe [2001-10-10 12:44:44 184320]
Spruce - Auto Update.lnk - C:\QooBox\Quarantine\C\Program Files\Spruce\Spruce.exe.vir [2008-01-02 10:18:35 178390]


.
Contents of the 'Scheduled Tasks' folder
"2007-12-06 04:10:08 C:\WINDOWS\Tasks\HP Usg Daily FY04.job"
- C:\Program Files\Hewlett-Packard\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped06.exe
"2007-12-06 04:11:54 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-03 10:10:57
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2008-02-03 10:27:19
ComboFix-quarantined-files.txt 2008-02-03 16:26:28
ComboFix2.txt 2008-02-03 00:45:59
.
2008-01-06 09:40:27 --- E O F ---




HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:04:54 AM, on 2/3/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\SIERRA\CardStudio\PLNRnote.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Tiger Technologies\DeskFlag\deskflag.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www6.comcast.net/a/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Freedom Popup Killer - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\Hewlett-Packard\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\System32\hphmon06.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ccWasher] \aolwasher.exe /0
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - Startup: DeskFlag.lnk = C:\Program Files\Tiger Technologies\DeskFlag\deskflag.exe
O4 - Startup: Spruce - Auto Update.lnk = C:\QooBox\Quarantine\C\Program Files\Spruce\Spruce.exe.vir
O4 - Global Startup: customize__IE.lnk = C:\hp\region\customizeIe.wsf
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\SIERRA\CardStudio\PLNRnote.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MsnFixer.lnk = ?
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1197932581671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1197932563640
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 6537 bytes

#10 RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 03 February 2008 - 12:19 PM

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1
Do not run it just yet.

Download/install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.
Do not run it just yet.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
Exit Hijackthis.

Now double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Now Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new HijackThis log, and let me know how your pc is running now.


#11 woobie7
  • Topic Starter
  • Members
  • 7 posts

Posted 04 February 2008 - 09:43 AM

Here is the log from SuperAntiSpyware. I thought the PC was running much better, but SuperAntiSpyware detected 35 more threats.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/04/2008 at 00:13 AM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 01:24:43

Memory items scanned : 511
Memory threats detected : 0
Registry items scanned : 5507
Registry threats detected : 0
File items scanned : 81614
File threats detected : 35

Adware.180solutions/Search Assistant
C:\PROGRAM FILES\SEARCHASSISTANT5\180SAINSTALLER.EXE

Adware.ClickSpring-Variant
C:\QOOBOX\QUARANTINE\C\DOCUMENTS AND SETTINGS\OWNER\MY DOCUMENTS\ASEMBL~1\NETDDE .EXE.VIR

Trojan.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\IA\KE.VBS.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WTSTR32.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP101\A0010557.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP101\A0010620.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP102\A0010772.VBS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP102\A0010841.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP6\A0000079.VBS

Trojan.Downloader-FakeRX
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\EGMULHXK.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP102\A0010829.DLL

Trojan.ZenoSearch
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP0\A0000013.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP10\A0000390.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP100\A0007254.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP100\A0008340.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP100\A0009404.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP100\A0010409.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP101\A0010475.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP101\A0010543.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP65\A0002777.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP67\A0002866.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP7\A0000181.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP75\A0004155.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP77\A0005159.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP83\A0005293.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP84\A0005511.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP98\A0006499.EXE

Trojan.ZQuest
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP101\A0010550.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP101\A0010639.DLL

Adware.Adservs
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP101\A0010552.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP101\A0010618.EXE

Trojan.ZQuest-Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP101\A0010578.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP101\A0010642.EXE

Adware.TargetSaver
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP16\A0000605.EXE

Trojan.NewDotNet
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP6\A0000081.EXE


_________________________________________________________________________



HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:19:06 AM, on 2/4/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon06.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\SIERRA\CardStudio\PLNRnote.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Tiger Technologies\DeskFlag\deskflag.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www6.comcast.net/a/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Freedom Popup Killer - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\Hewlett-Packard\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\System32\hphmon06.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ccWasher] \aolwasher.exe /0
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: DeskFlag.lnk = C:\Program Files\Tiger Technologies\DeskFlag\deskflag.exe
O4 - Startup: Spruce - Auto Update.lnk = C:\QooBox\Quarantine\C\Program Files\Spruce\Spruce.exe.vir
O4 - Global Startup: customize__IE.lnk = C:\hp\region\customizeIe.wsf
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\SIERRA\CardStudio\PLNRnote.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MsnFixer.lnk = ?
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1197932581671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1197932563640
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 7458 bytes
_________________________________________________________________________

The PC was hanging occasionally before I ran AFT Cleaner and SuperAntiSpyware. I will have to give it a test drive and let you know how it is running. I still get "Spruce.exe" trying to execute errors on boot up. Is there anything more to clean up regarding "Spruce"?


Woobie7

#12 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 04 February 2008 - 10:45 AM

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O4 - Startup: Spruce - Auto Update.lnk = C:\QooBox\Quarantine\C\Program Files\Spruce\Spruce.exe.vir

Clear your 'System Restore' points by doing the following:
Right-click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Select 'Turn Off System Restore On All Drives'.
Select 'Apply'.
You will then get the following warning:
"You have chosen to turn off System Restore.
If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?".
Then select 'Yes', and your 'System Restore' directories will be purged.

Restart your pc.

Turn 'System Restore' back on:

Right click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Unselect 'Turn Off System Restore On All Drives'.
Select 'Apply', then click 'Ok'.


Your log is clean :thumbsup:, please do the following:

Click on Start/Run, copy and paste ComboFix /u into the 'Open:' space, then press Ok.
This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.


Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Click on the 'Cleanup' button.
When you do this a text file named cleanup.txt will be downloaded from the internet.
If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, you should allow it to do so.
When the 'Confirm' box appears click 'Yes'.
Restart your pc when prompted.

You should take the time to read and follow the information found in the links below, to help you prevent any possible future infections and stay safe and secure while online:

Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

How to prevent Malware:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

So how did I get infected in the first place:
http://forums.spybot.info/showthread.php?t=279

Malware Cleanup Programs and Preventative Procedures:
http://russelltexas.com/malware/allclear.htm

Hardening Windows Security - Part 1:
http://www.malwarehelp.org/Malware-Prevent...-Security1.html

Hardening Windows Security - Part 2:
http://www.malwarehelp.org/malware-prevent...-security2.html
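The O4 entry Richie has HijackThis fix points into C:\QooBox\Quarantine, so the shortcut is trying to launch a file ComboFix already quarantined and renamed with a .vir suffix; that is exactly why "Spruce.exe" errors keep appearing at boot. The same kind of check also covers the "= ?" shortcuts HijackThis could not resolve and the Run-key entries that carry no path. The following Python script is an added example written for this thread, not a BleepingComputer, HijackThis or ComboFix tool: it parses O4 lines (the sample input is copied from the log posted above) and flags targets that live in the quarantine tree, carry a .vir suffix, could not be resolved, or are bare filenames. The executable extension list and the quarantine-path marker are assumptions of the example.

```python
import re

# Constructed sample input: O4 lines in the format HijackThis 2.0 writes them.
# Every line is copied from the log posted earlier in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [ccWasher] \aolwasher.exe /0
O4 - Startup: Spruce - Auto Update.lnk = C:\QooBox\Quarantine\C\Program Files\Spruce\Spruce.exe.vir
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

# Registry-backed autostarts: "O4 - HKLM\..\Run: [Name] command line"
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Shortcut-backed autostarts: "O4 - Startup: Name.lnk = target"
LNK_RE = re.compile(r"^O4 - (?P<where>(?:Global )?Startup): (?P<name>.*?) = (?P<cmd>.*)$")
# First executable-looking path in a command line, quoted or not.
# The extension list is an assumption of this example; a ComboFix quarantine
# copy keeps its original name and gains a .vir suffix, hence (?:\.vir)?.
EXE_RE = re.compile(
    r'^"?(?P<path>[^"]*?\.(?:exe|com|scr|pif|bat|cmd|dll|wsf)(?:\.vir)?)"?(?=\s|$)',
    re.IGNORECASE,
)

# Assumed marker for ComboFix's quarantine tree (C:\QooBox\Quarantine\...).
QUARANTINE_MARKERS = ("\\qoobox\\quarantine\\",)


def parse_o4(line):
    """Return (source, name, command) for an O4 line, or None if it is not one."""
    m = RUN_RE.match(line)
    if m:
        return (f"{m['hive']}\\{m['key']}", m["name"], m["cmd"])
    m = LNK_RE.match(line)
    if m:
        return (m["where"], m["name"], m["cmd"])
    return None


def assess(command):
    """Classify one autostart command line. Returns (executable or None, findings)."""
    findings = []
    command = command.strip()
    if command == "?":
        return None, ["target could not be resolved by HijackThis; inspect the .lnk by hand"]
    m = EXE_RE.match(command)
    if not m:
        return None, ["no executable path recognised; inspect by hand"]
    exe = m["path"]
    low = exe.lower()
    if any(marker in low for marker in QUARANTINE_MARKERS):
        findings.append("points into a quarantine folder; it will error at every logon until removed")
    if low.endswith(".vir"):
        findings.append("target is a quarantined (.vir) copy, not a live program")
    if not re.match(r"^[a-z]:\\", low):
        findings.append("no absolute path; resolved through the search order at logon, so confirm which copy runs")
    return exe, findings


def triage(log_text):
    """Run assess() over every O4 line and return only the entries with findings."""
    results = []
    for line in log_text.splitlines():
        parsed = parse_o4(line.strip())
        if not parsed:
            continue
        source, name, cmd = parsed
        exe, findings = assess(cmd)
        if findings:
            results.append({"source": source, "name": name, "exe": exe, "findings": findings})
    return results


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"[{hit['source']}] {hit['name']} -> {hit['exe']}")
        for finding in hit["findings"]:
            print("    -", finding)
```

Run against the sample, the Spruce shortcut is reported twice over (quarantine folder and .vir suffix), the Exif Launcher shortcut as unresolved, and the two path-less Run entries as worth confirming; the Symantec, HP and Office entries produce nothing. The script only reads text, so it is safe to run on any saved log; it does not touch the registry or the startup folders.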

#13 woobie7 (Topic Starter, Members, 7 posts)

Posted 05 February 2008 - 10:42 AM

Richie,
Thank you so much for your time and expertise. The PC is running very well now.

To investigate some of this on my own next time, what resources do you use to verify what's good or what's bad? How do you know what scan/removal applications will work best for what is in the log?

Another quick question off the subject a little. What do you hear on IE7? Is it stable? Would you recommend upgrading to IE7 or staying with IE6?

Thanks again Richie, you are the best.

Woobie7

#14 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 05 February 2008 - 11:03 AM

To investigate some of this on my own next time, what resources do you use to verify what's good or what's bad?
How do you know what scan/removal applications will work best for what is in the log?

Several years' experience :thumbsup:
BC has an excellent malware removal training program if you're interested; contact one of the forum administrators/moderators via PM.

What do you hear on IE7? Is it stable? Would you recommend upgrading to IE7 or staying with IE6?

It's certainly stable; it's all down to personal preference which version you use.