
Pop Ups And Redirects


This topic is locked. 12 replies to this topic.

#1 cybergrrl

Posted 31 January 2008 - 03:14 AM

This is one of the computers at work I've been asked to troubleshoot. I get multiple popups whether browsing the internet or just working on local apps like Word, am redirected to other web pages without requesting them, and the PC shuts down often. I've run various virus checkers, but most recently Ad-Aware and Spybot. Both had difficulty downloading updates. Ad-Aware found several cookies and win32.trojandownloader.zlob, which kept returning after removing it and rescanning. Spybot stopped scanning a third of the way through and got "error during check!" messages on coolwwwsearch and webdialer, neither of which I could "fix".

On startup, I get the following error messages:
*awtsq.exe - cannot access specific device
*could not run awtsq.exe c\windows\sys32\awtsq.exe
*error loading e\win\sys32\mlchivpu.dll
*during scan of files at system startup errors in sys reg found
p-07-0100 irql:1fSYSVER0xff00024
NT_Kernel error 1256
KMODE_EXEPTION_NOT_HANDLED

I only have access to this computer a few hours a couple of days a week, so be patient with me. Here's the HJT log I ran the last time I had access to it. I'll have access to it again for a few hours in the morning. Even though it shows AVG files, the program has expired.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:29:27 PM, on 1/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\tmw7\tmmail7.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.metacrawler.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
F3 - REG:win.ini: load=C:\WINDOWS\system32\awtsq.exe
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Time Matters - {00F17ECE-12DA-46A0-B541-BDE4EB7DF027} - C:\tmw7\TMIETB.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [lsass] C:\WINDOWS\lsass .exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKLM\..\Run: [4ca59edf] rundll32.exe "C:\WINDOWS\system32\mlchivpu.dll",b
O4 - HKLM\..\Run: [BM4f96ad43] Rundll32.exe "C:\WINDOWS\system32\ydxeqcus.dll",s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Tair] "C:\WINDOWS\FNTS~1\rundll32.exe" -vt ndrv
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Time Matters 7.0 Mail Agent.lnk = C:\tmw7\tmmail7.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...04/mcfscan.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Messenger\rtelekifs.html

--
End of file - 7416 bytes

Thanks.
Becky

#2 cybergrrl (Topic Starter)

Posted 31 January 2008 - 06:45 PM

I have done some additional things since posting this original HJT log. I've removed the Kaspersky antivirus software, tried to update AVG but couldn't, ran CCleaner Slim, ran VundoFix (it found 2 files, wtfuetxe.dll and wtfuetxe.dllbox, which it looks like it quarantined in a folder), and ran SmitFraudFix. The C drive icon is now replaced with a red X and there are multiple .dll files in the C drive. I was going to install a new free AVG anti-virus and anti-spyware program but ran out of time. I'm going back now to do that. Here are the latest HJT log and the rapport.txt log from SmitFraudFix.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:00 AM, on 1/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\tmw7\tmmail7.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.metacrawler.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
F3 - REG:win.ini: load=C:\WINDOWS\system32\awtsq.exe
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Time Matters - {00F17ECE-12DA-46A0-B541-BDE4EB7DF027} - C:\tmw7\TMIETB.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [lsass] C:\WINDOWS\lsass .exe
O4 - HKLM\..\Run: [4ca59edf] rundll32.exe "C:\WINDOWS\system32\mlchivpu.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BM4f96ad43] Rundll32.exe "C:\WINDOWS\system32\ydxeqcus.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Time Matters 7.0 Mail Agent.lnk = C:\tmw7\tmmail7.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...204/mcfscan.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows
O24 - Desktop Component 0: (no name) - C:\Program Files\Messenger\rtelekifs.html

--
End of file - 6908 bytes


SmitFraudFix v2.277

Scan done at 10:19:18.15, Thu 01/31/2008
Run from C:\Documents and Settings\Chris\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\tmw7\tmmail7.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS

C:\WINDOWS\avp.exe FOUND !

C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Chris


C:\Documents and Settings\Chris\Application Data


Start Menu


C:\DOCUME~1\Chris\FAVORI~1


Desktop


C:\Program Files

C:\Program Files\Helper\ FOUND !

Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Messenger\\rtelekifs.html"
"SubscribedURL"=""
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix.exe by S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~1\\GOEC62~1.DLL"


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Rustock



DNS

Description: Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{6B4BAFCF-F475-4175-9AD7-9AD948E7E4E4}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6B4BAFCF-F475-4175-9AD7-9AD948E7E4E4}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{6B4BAFCF-F475-4175-9AD7-9AD948E7E4E4}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


Scanning for wininet.dll infection


End

Thanks for your help.

Becky

#3 cybergrrl (Topic Starter)

Posted 04 February 2008 - 08:28 PM

The final things I did last Friday before turning in for the weekend were to install and run AVG Anti-Spyware. I tried to install AVG Anti-Virus but I kept getting an error. I ran ComboFix. Then I ran S&D and Ad-Aware again; they both ran a lot cleaner. I'm posting the ComboFix log and the final HJT log I made:

ComboFix 08-01-31.5 - Chris 2008-02-01 10:43:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.573 [GMT -8:00]
Running from: C:\Documents and Settings\Chris\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Helper
C:\Program Files\Helper\Helper9.dll
C:\Program Files\lsass.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\fnts~1
C:\WINDOWS\fnts~1\F?nts\
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete
C:\WINDOWS\system32\ewwtccxa.dll
C:\WINDOWS\system32\fitfrvwp.dll
C:\WINDOWS\system32\irygghyt.dll
C:\WINDOWS\system32\layrbhpy.dll
C:\WINDOWS\system32\mlchivpu.dll
C:\WINDOWS\system32\ncxvkieg.dll
C:\WINDOWS\system32\nefppday.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\ppatch~1
C:\WINDOWS\system32\qkrqtieb.dll
C:\WINDOWS\system32\qstwa.ini
C:\WINDOWS\system32\qstwa.ini2
C:\WINDOWS\system32\upvihclm.ini
C:\WINDOWS\system32\ydxeqcus.dll
C:\WINDOWS\system32\ykkysqkb.dll
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2008-01-01 to 2008-02-01 )))))))))))))))))))))))))))))))
.

2008-02-01 10:53 . 2008-02-01 10:53 134 ---hs---- C:\WINDOWS\system32\ykkysqkb.dllbox
2008-02-01 08:15 . 2008-02-01 08:15 <DIR> d--h----- C:\WINDOWS\PIF
2008-02-01 08:12 . 2008-02-01 08:12 3,584 --a------ C:\WINDOWS\system32\awtsq.exe
2008-01-31 16:46 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-31 10:19 . 2008-01-31 10:19 3,796 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-31 10:15 . 2008-01-31 10:15 163,904 --a------ C:\WINDOWS\system32\ykkysqkb.dll_old
2008-01-31 10:15 . 2008-02-01 10:49 163,904 --a------ C:\WINDOWS\system32\ykkysqkb.dll
2008-01-31 10:03 . 2008-01-31 10:03 <DIR> d-------- C:\VundoFix Backups
2008-01-29 12:39 . 2008-01-29 12:47 <DIR> d-------- C:\Documents and Settings\Chris\CleanupDownloads
2008-01-29 12:25 . 2008-01-29 12:25 <DIR> d-------- C:\Program Files\Java
2008-01-29 12:25 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-29 12:24 . 2008-01-29 12:24 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-29 10:40 . 2008-01-29 10:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-29 08:43 . 2008-01-31 09:38 13,353 --a------ C:\WINDOWS\BM4f96ad43.xml
2008-01-29 08:43 . 2008-02-01 08:22 22 --a------ C:\WINDOWS\pskt.ini
2008-01-10 14:08 . 2008-01-10 14:08 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-01-09 13:39 . 2008-01-31 10:22 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-09 12:43 . 2008-01-11 10:21 1,718,560 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-09 12:43 . 2008-01-11 10:21 226,848 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-09 12:43 . 2008-01-11 10:21 26,180 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-09 12:43 . 2008-01-11 10:21 25,472 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-09 12:39 . 2008-01-09 12:39 <DIR> d-------- C:\KAV
2008-01-08 16:01 . 2008-02-01 10:32 393 --a------ C:\WINDOWS\wininit.ini
2008-01-08 14:48 . 2008-01-08 14:48 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-08 14:48 . 2008-01-29 09:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-08 14:46 . 2008-01-08 14:46 <DIR> d-------- C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP
2008-01-08 14:45 . 2008-01-08 14:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-08 14:45 . 2008-01-08 16:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-07 17:13 . 2008-01-08 08:41 31,232 --a------ C:\Program Files\1010.exe
2008-01-07 16:49 . 2008-01-07 16:49 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\Grisoft
2008-01-07 16:34 . 2008-01-07 16:34 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\AVG7
2008-01-07 16:33 . 2008-01-07 16:33 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-07 16:33 . 2008-01-07 16:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-07 16:33 . 2008-02-01 08:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-07 16:30 . 2008-01-07 16:30 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-07 16:09 . 2008-01-08 10:23 355,840 --a------ C:\WINDOWS\lsass .exe
2008-01-07 16:08 . 2008-01-07 16:29 114,688 --a------ C:\WINDOWS\system32\igfxpers .exe
2008-01-07 16:08 . 2008-01-07 16:29 94,208 --a------ C:\WINDOWS\system32\igfxtray .exe
2008-01-07 16:08 . 2008-01-07 16:29 77,824 --a------ C:\WINDOWS\system32\hkcmd .exe
2008-01-07 14:37 . 2008-01-07 14:37 324,608 --a------ C:\WINDOWS\system32\awtsq.dll_old
2008-01-07 13:59 . 2008-01-09 13:37 <DIR> d-------- C:\WINDOWS\system32\usmvt3
2008-01-07 13:59 . 2008-01-07 14:02 <DIR> d-------- C:\WINDOWS\system32\drivez4
2008-01-07 13:59 . 2008-01-31 17:34 <DIR> d-------- C:\WINDOWS\system32\comp2
2008-01-07 13:59 . 2008-01-10 09:49 <DIR> d-------- C:\WINDOWS\system32\cache3
2008-01-07 13:59 . 2008-01-31 17:34 <DIR> d-------- C:\WINDOWS\system32\ardCo01
2008-01-07 13:59 . 2008-01-31 17:34 <DIR> d--hs---- C:\WINDOWS\QnJpYW4gUmFtc2F5
2008-01-07 13:59 . 2008-01-07 13:59 <DIR> d-------- C:\Temp\cEeer12
2008-01-07 13:59 . 2008-02-01 10:50 <DIR> d-------- C:\Temp
2008-01-07 13:59 . 2008-01-07 13:59 167,545 --a------ C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-07 13:59 . 2008-01-07 13:59 86,016 --a------ C:\WINDOWS\system32\drivers\dxgthkk.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-31 23:29 --------- d-----w C:\Documents and Settings\Chris\Application Data\AdobeUM
2008-01-29 23:14 --------- d-----w C:\Program Files\HotDocs 6
2008-01-29 17:57 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-01-08 18:23 423,424 ----a-w C:\WINDOWS\system32\igfxtray.exe
2008-01-08 18:23 --------- d-----w C:\Program Files\Microsoft IntelliType Pro
2008-01-08 18:23 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-12-13 17:21 --------- d-----w C:\Documents and Settings\Chris\Application Data\Roxio
2007-12-12 20:54 --------- d-----w C:\Program Files\Napster
2007-12-12 16:40 --------- d-----w C:\Program Files\MSECache
2007-11-14 07:26 450,560 ------w C:\WINDOWS\system32\dllcache\jscript.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2006-11-25 07:57 482 ----a-w C:\Program Files\Del.js
2006-06-22 15:38 164,235 ----a-w C:\Program Files\uninstal.log
.
<pre>
----a-w		 1,404,928 2008-01-08 00:30:02  C:\Program Files\Analog Devices\Core\smax4pnp .exe
----a-w		   851,968 2008-01-08 00:30:12  C:\Program Files\Brother\ControlCenter2\brctrcen .exe
----a-w		   155,648 2008-01-08 00:30:05  C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdupdate .exe
----a-w			53,248 2008-01-08 00:30:00  C:\Program Files\CyberLink\PowerDVD\DVDLauncher .exe
----a-w		   168,448 2008-01-08 00:30:02  C:\Program Files\Google\Google Desktop Search\GoogleDesktop .exe
----a-w			68,856 2008-01-08 00:30:10  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w		   217,088 2008-01-08 00:30:05  C:\Program Files\Microsoft IntelliPoint\point32 .exe
----a-w		   196,608 2008-01-08 00:30:02  C:\Program Files\Microsoft IntelliType Pro\type32 .exe
----a-w			40,960 2008-01-08 00:30:04  C:\Program Files\ScanSoft\PaperPort\IndexSearch .exe
----a-w			57,393 2008-01-08 00:30:05  C:\Program Files\ScanSoft\PaperPort\pptd40nt .exe
----a-w		   355,840 2008-01-08 18:23:12  C:\WINDOWS\lsass .exe
----a-w			15,360 2008-01-08 00:30:22  C:\WINDOWS\system32\ctfmon .exe
----a-w			77,824 2008-01-08 00:29:55  C:\WINDOWS\system32\hkcmd .exe
----a-w		   114,688 2008-01-08 00:29:56  C:\WINDOWS\system32\igfxpers .exe
----a-w			94,208 2008-01-08 00:29:55  C:\WINDOWS\system32\igfxtray .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1B2B2910-C72E-4755-97E5-AE5F771BF647}]
C:\Program Files\Online Services\meqoc83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7578434B-6456-4F98-BE5A-0BEC0206EA15}]
C:\WINDOWS\system32\awtsq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2008-02-01 10:49 163904 --a------ C:\WINDOWS\system32\ykkysqkb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD4C43E6-AAFA-4F1A-BFAD-538A19409E6A}]
C:\Program Files\Online Services\meqoc4444.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00 15360]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB2217"="command /c del C:\WINDOWS\system32\drivers\core.cache.dsk" [ ]
"SpybotDeletingD1732"="cmd /c del C:\WINDOWS\system32\drivers\core.cache.dsk" [ ]
"SpybotDeletingB6321"="command /c del C:\WINDOWS\system32\ykkysqkb.dll_old" [ ]
"SpybotDeletingD5690"="cmd /c del C:\WINDOWS\system32\ykkysqkb.dll_old" [ ]
"SpybotDeletingB3338"="command /c del C:\WINDOWS\system32\ykkysqkb.dll" [ ]
"SpybotDeletingD777"="cmd /c del C:\WINDOWS\system32\ykkysqkb.dll" [ ]
"SpybotDeletingB4451"="command /c del C:\WINDOWS\system32\awtsq.dll_old" [ ]
"SpybotDeletingD5008"="cmd /c del C:\WINDOWS\system32\awtsq.dll_old" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2008-01-08 10:23 423424]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2008-01-08 10:23 397824]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-08 10:23 507392]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 03:00 143360]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2008-01-08 10:23 551424]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2008-01-08 10:23 571904]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2008-01-08 10:23 485888]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2008-01-08 10:23 386560]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2008-01-08 10:23 370176]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2008-01-08 10:23 1206784]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-08 10:23 1104896]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 03:00 158208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingA6518"="command /c del C:\WINDOWS\system32\drivers\core.cache.dsk" [ ]
"SpybotDeletingC5126"="cmd /c del C:\WINDOWS\system32\drivers\core.cache.dsk" [ ]
"SpybotDeletingA6216"="command /c del C:\WINDOWS\system32\ykkysqkb.dll_old" [ ]
"SpybotDeletingC3095"="cmd /c del C:\WINDOWS\system32\ykkysqkb.dll_old" [ ]
"SpybotDeletingA5764"="command /c del C:\WINDOWS\system32\ykkysqkb.dll" [ ]
"SpybotDeletingC6943"="cmd /c del C:\WINDOWS\system32\ykkysqkb.dll" [ ]
"SpybotDeletingA3880"="command /c del C:\WINDOWS\system32\awtsq.dll_old" [ ]
"SpybotDeletingC7163"="cmd /c del C:\WINDOWS\system32\awtsq.dll_old" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [ ]

C:\Documents and Settings\Chris\Start Menu\Programs\Startup\
Time Matters 7.0 Mail Agent.lnk - C:\tmw7\tmmail7.exe [2006-05-31 09:27:41 183808]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Messenger\rtelekifs.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqnopm]
ssqnopm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ykkysqkb]
ykkysqkb.dll 2008-02-01 10:49 163904 C:\WINDOWS\system32\ykkysqkb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)

R1 dxgthkk;dxgthkk;C:\WINDOWS\system32\drivers\dxgthkk.sys [2008-01-07 13:59]
R3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys [2001-08-17 12:12]
R3 BrSerWDM;Brother WDM Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys [2003-03-13 22:04]
R3 BrUsbMdm;Brother MFC USB Fax Only Modem;C:\WINDOWS\system32\Drivers\BrUsbMdm.sys [2001-08-17 12:12]
S3 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-01 10:53:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\ykkysqkb.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\ykkysqkb.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************
.
Completion time: 2008-02-01 10:55:23 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-01 18:55:19
.
2008-01-09 00:07:26 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:36 AM, on 2/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\tmw7\tmmail7.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.metacrawler.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: Time Matters - {00F17ECE-12DA-46A0-B541-BDE4EB7DF027} - C:\tmw7\TMIETB.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1B2B2910-C72E-4755-97E5-AE5F771BF647} - C:\Program Files\Online Services\meqoc83122.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7578434B-6456-4F98-BE5A-0BEC0206EA15} - C:\WINDOWS\system32\awtsq.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\ykkysqkb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: (no name) - {CD4C43E6-AAFA-4F1A-BFAD-538A19409E6A} - C:\Program Files\Online Services\meqoc4444.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Time Matters - {00F17ECE-12DA-46A0-B541-BDE4EB7DF027} - C:\tmw7\TMIETB.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Time Matters 7.0 Mail Agent.lnk = C:\tmw7\tmmail7.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...204/mcfscan.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: ssqnopm - ssqnopm.dll (file missing)
O20 - Winlogon Notify: ykkysqkb - C:\WINDOWS\SYSTEM32\ykkysqkb.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\Messenger\rtelekifs.html

--
End of file - 8238 bytes

#4 Rosty

Rosty

    Skydive junkie

  • Malware Response Team
  • 1,220 posts

Posted 05 February 2008 - 09:32 AM

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\ykkysqkb.dllbox
C:\WINDOWS\system32\awtsq.exe
C:\WINDOWS\system32\ykkysqkb.dll_old
C:\WINDOWS\system32\ykkysqkb.dll
C:\WINDOWS\wininit.ini
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\QnJpYW4gUmFtc2F5
C:\WINDOWS\system32\awtsq.dll_old
C:\WINDOWS\system32\drivers\dxgthkk.sys

Folder::
C:\VundoFix Backups
C:\Temp\cEeer12
C:\Temp
C:\WINDOWS\system32\ardCo01
C:\WINDOWS\system32\comp2
C:\WINDOWS\system32\cache3
C:\WINDOWS\system32\usmvt3
C:\WINDOWS\system32\drivez4

Driver::
dxgthkk.sys

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1B2B2910-C72E-4755-97E5-AE5F771BF647}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7578434B-6456-4F98-BE5A-0BEC0206EA15}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD4C43E6-AAFA-4F1A-BFAD-538A19409E6A}]

Renv::
<pre>
----a-w 1,404,928 2008-01-08 00:30:02 C:\Program Files\Analog Devices\Core\smax4pnp .exe
----a-w 851,968 2008-01-08 00:30:12 C:\Program Files\Brother\ControlCenter2\brctrcen .exe
----a-w 155,648 2008-01-08 00:30:05 C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdupdate .exe
----a-w 53,248 2008-01-08 00:30:00 C:\Program Files\CyberLink\PowerDVD\DVDLauncher .exe
----a-w 168,448 2008-01-08 00:30:02 C:\Program Files\Google\Google Desktop Search\GoogleDesktop .exe
----a-w 68,856 2008-01-08 00:30:10 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w 217,088 2008-01-08 00:30:05 C:\Program Files\Microsoft IntelliPoint\point32 .exe
----a-w 196,608 2008-01-08 00:30:02 C:\Program Files\Microsoft IntelliType Pro\type32 .exe
----a-w 40,960 2008-01-08 00:30:04 C:\Program Files\ScanSoft\PaperPort\IndexSearch .exe
----a-w 57,393 2008-01-08 00:30:05 C:\Program Files\ScanSoft\PaperPort\pptd40nt .exe
----a-w 355,840 2008-01-08 18:23:12 C:\WINDOWS\lsass .exe
----a-w 15,360 2008-01-08 00:30:22 C:\WINDOWS\system32\ctfmon .exe
----a-w 77,824 2008-01-08 00:29:55 C:\WINDOWS\system32\hkcmd .exe
----a-w 114,688 2008-01-08 00:29:56 C:\WINDOWS\system32\igfxpers .exe
----a-w 94,208 2008-01-08 00:29:55 C:\WINDOWS\system32\igfxtray .exe
</pre>



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Proud member of ASAP since 2007
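
The four BHO CLSIDs listed under Registry:: in the script above are exactly the O2 entries in the HijackThis log from the previous reply that are either marked "(file missing)" or are unnamed and share their DLL with an O20 Winlogon Notify entry. The Python script below is an added example, not code from this thread, from Rosty, or from HijackThis or ComboFix; it encodes that triage as a small log parser and runs it over a constructed sample made of lines copied from that log. The rule names, the function names and the "Unknown owner" service check are this example's own choices, not features of either tool.

```python
import ntpath
import re

# Constructed sample: a subset of the O2 / O20 / O23 lines from the
# HijackThis log posted earlier in this thread (not the complete log).
SAMPLE_HJT_LOG = r"""
O2 - BHO: Time Matters - {00F17ECE-12DA-46A0-B541-BDE4EB7DF027} - C:\tmw7\TMIETB.DLL
O2 - BHO: (no name) - {1B2B2910-C72E-4755-97E5-AE5F771BF647} - C:\Program Files\Online Services\meqoc83122.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7578434B-6456-4F98-BE5A-0BEC0206EA15} - C:\WINDOWS\system32\awtsq.dll (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\ykkysqkb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: (no name) - {CD4C43E6-AAFA-4F1A-BFAD-538A19409E6A} - C:\Program Files\Online Services\meqoc4444.dll (file missing)
O20 - Winlogon Notify: ssqnopm - ssqnopm.dll (file missing)
O20 - Winlogon Notify: ykkysqkb - C:\WINDOWS\SYSTEM32\ykkysqkb.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
"""

# HijackThis appends " (file missing)" when the referenced file is not on disk.
MISSING = r"(?P<missing> \(file missing\))?$"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*?)" + MISSING)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*?)" + MISSING)
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*?)" + MISSING)


def parse_hjt(log_text):
    """Split a HijackThis log into O2 (BHO), O20 (Winlogon Notify) and
    O23 (service) records. Every other line type is ignored."""
    bhos, notify, services = [], [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            bhos.append({"name": m["name"], "clsid": m["clsid"],
                         "path": m["path"], "missing": bool(m["missing"])})
        elif m := O20_RE.match(line):
            notify.append({"key": m["key"], "path": m["path"],
                           "missing": bool(m["missing"])})
        elif m := O23_RE.match(line):
            services.append({"name": m["name"], "owner": m["owner"],
                             "path": m["path"], "missing": bool(m["missing"])})
    return bhos, notify, services


def _dll(path):
    # Compare by file name only: the log mixes full paths and bare DLL names.
    return ntpath.basename(path).lower()


def triage(log_text):
    """Return (section, identifier, reason) tuples for entries worth a closer
    look, using only signals that are visible in the log itself."""
    bhos, notify, services = parse_hjt(log_text)
    notify_dlls = {_dll(n["path"]) for n in notify}
    bho_dlls = {_dll(b["path"]) for b in bhos}
    findings = []
    for b in bhos:
        if b["missing"]:
            findings.append(("O2", b["clsid"], "BHO registered but its DLL is gone (orphaned entry)"))
        elif b["name"] == "(no name)" and _dll(b["path"]) in notify_dlls:
            findings.append(("O2", b["clsid"], "unnamed BHO whose DLL is also a Winlogon Notify handler"))
    for n in notify:
        if n["missing"]:
            findings.append(("O20", n["key"], "Winlogon Notify handler whose DLL is gone"))
        elif _dll(n["path"]) in bho_dlls:
            findings.append(("O20", n["key"], "Winlogon Notify DLL also registered as a BHO"))
    for s in services:
        if s["owner"] == "Unknown owner" and s["missing"]:
            findings.append(("O23", s["name"], "service with no vendor string and no binary on disk"))
    return findings


def flagged_bho_clsids(findings):
    """CLSIDs of the flagged O2 entries, in log order."""
    return [ident for section, ident, _ in findings if section == "O2"]


def registry_removal_lines(findings):
    """Format the flagged BHO CLSIDs in the CFScript Registry:: syntax used in this thread."""
    return [f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{clsid}]"
            for clsid in flagged_bho_clsids(findings)]


if __name__ == "__main__":
    results = triage(SAMPLE_HJT_LOG)
    for section, ident, reason in results:
        print(f"{section:4} {ident:45} {reason}")
    print("\n".join(registry_removal_lines(results)))
```

Run stand-alone, it prints seven flagged entries (four BHOs, both Winlogon Notify handlers and the MSControlService entry) and four Registry:: lines that match the ones in the script above. The parser only reads the log text; it does not touch the registry or the file system.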

#5 cybergrrl

cybergrrl
  • Topic Starter

  • Members
  • 22 posts
  • Gender:Female
  • Location:Northwest

Posted 05 February 2008 - 03:09 PM

Thank you for your response. Here's the ComboFix and HJT:

ComboFix 08-01-29.3 - Chris 2008-02-05 11:55:41.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.637 [GMT -8:00]
Running from: C:\Documents and Settings\Chris\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Chris\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\QnJpYW4gUmFtc2F5
C:\WINDOWS\system32\awtsq.dll_old
C:\WINDOWS\system32\awtsq.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\dxgthkk.sys
C:\WINDOWS\system32\ykkysqkb.dll
C:\WINDOWS\system32\ykkysqkb.dll_old
C:\WINDOWS\system32\ykkysqkb.dllbox
C:\WINDOWS\wininit.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\dxgthkk.sys
C:\Temp
C:\Temp\cEeer12\skAt.log
C:\temp\tn3
C:\WINDOWS\system32\ardCo01
C:\WINDOWS\system32\awtsq.exe
C:\WINDOWS\system32\cache3
C:\WINDOWS\system32\comp2
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\dxgthkk.sys
C:\WINDOWS\system32\drivez4
C:\WINDOWS\system32\usmvt3
C:\WINDOWS\system32\ykkysqkb.dllbox
C:\WINDOWS\wininit.ini

.
((((((((((((((((((((((((( Files Created from 2008-01-05 to 2008-02-05 )))))))))))))))))))))))))))))))
.

2008-02-05 11:10 . 2008-02-05 11:39 <DIR> d-------- C:\Documents and Settings\Chris\.housecall6.6
2008-02-01 11:21 . 2008-02-01 11:21 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-02-01 11:21 . 2008-02-05 11:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-01 08:15 . 2008-02-01 08:15 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-31 16:46 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-31 10:19 . 2008-01-31 10:19 3,796 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-29 12:39 . 2008-02-05 10:57 <DIR> d-------- C:\Documents and Settings\Chris\CleanupDownloads
2008-01-29 12:25 . 2008-01-29 12:25 <DIR> d-------- C:\Program Files\Java
2008-01-29 12:25 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-29 12:24 . 2008-01-29 12:24 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-29 10:40 . 2008-01-29 10:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-29 08:43 . 2008-01-31 09:38 13,353 --a------ C:\WINDOWS\BM4f96ad43.xml
2008-01-29 08:43 . 2008-02-01 08:22 22 --a------ C:\WINDOWS\pskt.ini
2008-01-10 14:08 . 2008-01-10 14:08 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-01-09 13:39 . 2008-01-31 10:22 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-09 12:43 . 2008-02-05 11:58 2,062,624 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-09 12:43 . 2008-02-05 11:58 243,744 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-09 12:43 . 2008-02-05 11:57 30,764 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-09 12:43 . 2008-02-05 11:57 27,032 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-09 12:39 . 2008-01-09 12:39 <DIR> d-------- C:\KAV
2008-01-08 14:48 . 2008-01-08 14:48 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-08 14:48 . 2008-01-29 09:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-08 14:46 . 2008-01-08 14:46 <DIR> d-------- C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP
2008-01-08 14:45 . 2008-01-08 14:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-08 14:45 . 2008-01-08 16:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-07 17:13 . 2008-01-08 08:41 31,232 --a------ C:\Program Files\1010.exe
2008-01-07 16:49 . 2008-01-07 16:49 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\Grisoft
2008-01-07 16:34 . 2008-01-07 16:34 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\AVG7
2008-01-07 16:33 . 2008-01-07 16:33 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-07 16:33 . 2008-01-07 16:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-07 16:33 . 2008-02-01 08:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-07 16:30 . 2008-01-07 16:30 15,360 --a------ C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-07 16:30 . 2008-01-07 16:30 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-07 16:09 . 2008-01-08 10:23 355,840 --a------ C:\WINDOWS\lsass .exe
2008-01-07 16:08 . 2008-01-07 16:29 114,688 --a------ C:\WINDOWS\system32\igfxpers.exe
2008-01-07 16:08 . 2008-01-07 16:29 94,208 --a------ C:\WINDOWS\system32\igfxtray.exe
2008-01-07 16:08 . 2008-01-07 16:29 77,824 --a------ C:\WINDOWS\system32\hkcmd.exe
2008-01-07 13:59 . 2008-01-31 17:34 <DIR> d--hs---- C:\WINDOWS\QnJpYW4gUmFtc2F5

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-05 19:55 --------- d-----w C:\Program Files\Microsoft IntelliType Pro
2008-02-05 19:55 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2008-02-04 22:40 --------- d-----w C:\Documents and Settings\Chris\Application Data\AdobeUM
2008-01-29 23:14 --------- d-----w C:\Program Files\HotDocs 6
2007-12-13 17:21 --------- d-----w C:\Documents and Settings\Chris\Application Data\Roxio
2007-12-12 20:54 --------- d-----w C:\Program Files\Napster
2007-12-12 16:40 --------- d-----w C:\Program Files\MSECache
2006-11-25 07:57 482 ----a-w C:\Program Files\Del.js
2006-06-22 15:38 164,235 ----a-w C:\Program Files\uninstal.log
.
<pre>
----a-w		   355,840 2008-01-08 18:23:12  C:\WINDOWS\lsass .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-07 16:30 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2008-01-07 16:29 94208]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2008-01-07 16:30 53248]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-07 16:30 168448]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 03:00 143360]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2008-01-07 16:30 196608]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2008-01-07 16:30 217088]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2008-01-07 16:30 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2008-01-07 16:30 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2008-01-07 16:30 40960]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2008-01-07 16:30 851968]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 03:00 158208]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe" [2007-11-19 14:40 231952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [ ]

C:\Documents and Settings\Chris\Start Menu\Programs\Startup\
Time Matters 7.0 Mail Agent.lnk - C:\tmw7\tmmail7.exe [2006-05-31 09:27:41 183808]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Messenger\rtelekifs.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqnopm]
ssqnopm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ykkysqkb]
ykkysqkb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2008-01-08 10:23 1104896 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
--a------ 2007-11-19 14:40 231952 C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe

R3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys [2001-08-17 12:12]
R3 BrSerWDM;Brother WDM Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys [2003-03-13 22:04]
R3 BrUsbMdm;Brother MFC USB Fax Only Modem;C:\WINDOWS\system32\Drivers\BrUsbMdm.sys [2001-08-17 12:12]
S1 dxgthkk;dxgthkk;C:\WINDOWS\system32\drivers\dxgthkk.sys []
S3 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-05 11:59:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\tmw7\tmmail7.exe
.
**************************************************************************
.
Completion time: 2008-02-05 12:00:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-05 20:00:27
ComboFix2.txt 2008-02-01 18:55:23
.
2008-01-09 00:07:26 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:01:46 PM, on 2/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\tmw7\tmmail7.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Chris\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.metacrawler.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: Time Matters - {00F17ECE-12DA-46A0-B541-BDE4EB7DF027} - C:\tmw7\TMIETB.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Time Matters - {00F17ECE-12DA-46A0-B541-BDE4EB7DF027} - C:\tmw7\TMIETB.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Time Matters 7.0 Mail Agent.lnk = C:\tmw7\tmmail7.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...204/mcfscan.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: ssqnopm - ssqnopm.dll (file missing)
O20 - Winlogon Notify: ykkysqkb - ykkysqkb.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\Messenger\rtelekifs.html

--
End of file - 8587 bytes

#6 Rosty

Rosty

    Skydive junkie


  • Malware Response Team
  • 1,220 posts

Posted 05 February 2008 - 04:03 PM

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqnopm]
"ssqnopm.dll"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ykkysqkb]
"ykkysqkb.dll"=-

Renv::
<pre>
----a-w 355,840 2008-01-08 18:23:12 C:\WINDOWS\lsass .exe
</pre>



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Proud member of ASAP since 2007

#7 cybergrrl

cybergrrl
  • Topic Starter

  • Members
  • 22 posts
  • Gender:Female
  • Location:Northwest

Posted 05 February 2008 - 04:59 PM

ComboFix 08-01-31.5 - Chris 2008-02-05 13:46:43.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.639 [GMT -8:00]
Running from: C:\Documents and Settings\Chris\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Chris\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-05 to 2008-02-05 )))))))))))))))))))))))))))))))
.

2008-02-05 13:23 . 2008-02-05 13:23 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-02-05 13:01 . 2008-02-05 13:01 1,891 --a------ C:\WINDOWS\imsins.BAK
2008-02-05 11:10 . 2008-02-05 11:39 <DIR> d-------- C:\Documents and Settings\Chris\.housecall6.6
2008-02-01 08:15 . 2008-02-01 08:15 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-31 16:46 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-31 10:19 . 2008-01-31 10:19 3,796 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-29 12:39 . 2008-02-05 10:57 <DIR> d-------- C:\Documents and Settings\Chris\CleanupDownloads
2008-01-29 12:25 . 2008-01-29 12:25 <DIR> d-------- C:\Program Files\Java
2008-01-29 12:25 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-29 12:24 . 2008-01-29 12:24 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-29 10:40 . 2008-01-29 10:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-29 08:43 . 2008-01-31 09:38 13,353 --a------ C:\WINDOWS\BM4f96ad43.xml
2008-01-29 08:43 . 2008-02-01 08:22 22 --a------ C:\WINDOWS\pskt.ini
2008-01-10 14:08 . 2008-01-10 14:08 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-01-09 13:39 . 2008-01-31 10:22 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-09 12:43 . 2008-02-05 13:26 3,745,312 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-09 12:43 . 2008-02-05 13:26 253,216 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-09 12:43 . 2008-02-05 13:26 53,324 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-09 12:43 . 2008-02-05 13:26 27,944 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-09 12:39 . 2008-01-09 12:39 <DIR> d-------- C:\KAV
2008-01-08 14:48 . 2008-01-08 14:48 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-08 14:48 . 2008-01-29 09:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-08 14:46 . 2008-01-08 14:46 <DIR> d-------- C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP
2008-01-08 14:45 . 2008-01-08 14:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-08 14:45 . 2008-01-08 16:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-07 16:49 . 2008-01-07 16:49 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\Grisoft
2008-01-07 16:34 . 2008-02-05 13:08 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\AVG7
2008-01-07 16:33 . 2008-01-07 16:33 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-07 16:33 . 2008-01-07 16:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-07 16:33 . 2008-02-05 12:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-07 16:30 . 2008-01-07 16:30 15,360 --a------ C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-07 16:30 . 2008-01-07 16:30 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-07 16:09 . 2008-01-08 10:23 355,840 --a------ C:\WINDOWS\lsass .exe
2008-01-07 16:08 . 2008-01-07 16:29 114,688 --a------ C:\WINDOWS\system32\igfxpers.exe
2008-01-07 16:08 . 2008-01-07 16:29 94,208 --a------ C:\WINDOWS\system32\igfxtray.exe
2008-01-07 16:08 . 2008-01-07 16:29 77,824 --a------ C:\WINDOWS\system32\hkcmd.exe
2008-01-07 13:59 . 2008-01-31 17:34 <DIR> d--hs---- C:\WINDOWS\QnJpYW4gUmFtc2F5

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-05 19:55 --------- d-----w C:\Program Files\Microsoft IntelliType Pro
2008-02-05 19:55 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2008-02-04 22:40 --------- d-----w C:\Documents and Settings\Chris\Application Data\AdobeUM
2008-01-29 23:14 --------- d-----w C:\Program Files\HotDocs 6
2008-01-29 17:57 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-13 17:21 --------- d-----w C:\Documents and Settings\Chris\Application Data\Roxio
2007-12-12 20:54 --------- d-----w C:\Program Files\Napster
2007-12-12 16:40 --------- d-----w C:\Program Files\MSECache
2007-11-14 07:26 450,560 ------w C:\WINDOWS\system32\dllcache\jscript.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2006-11-25 07:57 482 ----a-w C:\Program Files\Del.js
2006-06-22 15:38 164,235 ----a-w C:\Program Files\uninstal.log
.
<pre>
----a-w		   355,840 2008-01-08 18:23:12  C:\WINDOWS\lsass .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-07 16:30 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2008-01-07 16:29 94208]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2008-01-07 16:30 53248]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-07 16:30 168448]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 03:00 143360]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2008-01-07 16:30 196608]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2008-01-07 16:30 217088]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2008-01-07 16:30 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2008-01-07 16:30 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2008-01-07 16:30 40960]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2008-01-07 16:30 851968]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-05 12:34 579072]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25 6731312]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 03:00 158208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-05 12:34 219136]

C:\Documents and Settings\Chris\Start Menu\Programs\Startup\
Time Matters 7.0 Mail Agent.lnk - C:\tmw7\tmmail7.exe [2006-05-31 09:27:41 183808]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Messenger\rtelekifs.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqnopm]
ssqnopm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ykkysqkb]
ykkysqkb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2007-06-11 01:25 6731312 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

R3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys [2001-08-17 12:12]
R3 BrSerWDM;Brother WDM Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys [2003-03-13 22:04]
R3 BrUsbMdm;Brother MFC USB Fax Only Modem;C:\WINDOWS\system32\Drivers\BrUsbMdm.sys [2001-08-17 12:12]
S1 dxgthkk;dxgthkk;C:\WINDOWS\system32\drivers\dxgthkk.sys []
S3 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-05 13:47:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-05 13:47:57
ComboFix-quarantined-files.txt 2008-02-05 21:47:56
ComboFix2.txt 2008-02-05 20:00:31
ComboFix3.txt 2008-02-01 18:55:23
.
2008-01-09 00:07:26 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:48:37 PM, on 2/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\tmw7\tmmail7.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Chris\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.metacrawler.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: Time Matters - {00F17ECE-12DA-46A0-B541-BDE4EB7DF027} - C:\tmw7\TMIETB.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Time Matters - {00F17ECE-12DA-46A0-B541-BDE4EB7DF027} - C:\tmw7\TMIETB.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Time Matters 7.0 Mail Agent.lnk = C:\tmw7\tmmail7.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...204/mcfscan.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: ssqnopm - ssqnopm.dll (file missing)
O20 - Winlogon Notify: ykkysqkb - ykkysqkb.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\Messenger\rtelekifs.html

--
End of file - 8575 bytes


Is it looking better? I could finally install avg antivirus today and it boots up much faster.

#8 cybergrrl

cybergrrl
  • Topic Starter

  • Members
  • 22 posts
  • Gender:Female
  • Location:Northwest

Posted 06 February 2008 - 11:23 AM

I still have the red X on the C drive and I've lost the network connection to other computers in the office although I can still access the internet.

#9 Rosty

Rosty

    Skydive junkie


  • Malware Response Team
  • 1,220 posts

Posted 06 February 2008 - 11:52 AM

I still have the red X on the C drive and I've lost the network connection to other computers in the office although I can still access the internet.


Hi,

Your logs look clean!!

For the red X on the C drive:

First Backup The Whole Registry
Start > Run > regedit /e c:\registrybackup.reg

Now...

Start > Run >

cmd /c Reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons


Let Us Know The Result and how things are running.

#10 cybergrrl

cybergrrl
  • Topic Starter

  • Members
  • 22 posts
  • Gender:Female
  • Location:Northwest

Posted 06 February 2008 - 02:37 PM

Thank you sooooooo much. Everything seems to be running well now. I also found the problem with the network - I had disabled some of the services that I shouldn't have when I tried to speed up XP. I think I'll suggest they get a better firewall than the one that comes with XP and keep their anti-virus software up to date in the future.

Becky

#11 Rosty

Rosty

    Skydive junkie


  • Malware Response Team
  • 1,220 posts

Posted 06 February 2008 - 02:42 PM

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we at BC are to help you, for your sake we would rather not have repeat customers. :thumbsup:

1) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

AVG-AntiSpyware
Install it, update it to the latest definitions, and perform a full system scan.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.


Please also read Tony Klein's excellent article: So how I got Infected in the First Place

Hopefully this should take care of your problems! Good luck. :D (prevention speech by Swandog46)

With friendly regards,

Rosty.

#12 Rosty

Rosty

    Skydive junkie


  • Malware Response Team
  • 1,220 posts

Posted 06 February 2008 - 03:03 PM

Hi,

I overlooked 2 lines in your log. :thumbsup:

Please open HijackThis, click "Do a system scan only" and place a check next to the following entries:

O20 - Winlogon Notify: ssqnopm - ssqnopm.dll (file missing)
O20 - Winlogon Notify: ykkysqkb - ykkysqkb.dll (file missing)

Close all other windows and browsers, except HijackThis, and click Fix Checked. Close HijackThis.

Keep in mind the recommendations I gave you in my previous post.
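As an added example (not code from the thread, from HijackThis or from ComboFix), here is a small Python triage script that applies the indicators the helper worked from in the logs above and in this post: Winlogon Notify entries whose DLL is missing and has a pseudo-random name, the service with an unknown owner and a missing binary, the Active Desktop component pointing at a local HTML file, and the "lsass .exe" copy in C:\WINDOWS that mimics the real lsass.exe in system32. The list of core system process names is an assumption of the example; the sample lines are copied from the logs posted in this thread.

```python
"""Triage heuristics for HijackThis / ComboFix log lines. Added example for this
thread, not code from HijackThis, ComboFix or the posters; it applies the indicators
the helper acted on: orphaned Winlogon Notify DLLs with pseudo-random names, a
service with an unknown owner and missing binary, an Active Desktop component that
loads a local HTML file, and a file impersonating a system process ('lsass .exe')."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Core system processes whose only legitimate copy lives in system32 (assumed list).
SYSTEM_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe",
                    "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM32 = r"c:\windows\system32"
VOWELS = set("aeiou")
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>\S+)"
                    r"(?P<missing> \(file missing\))?")
RE_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
                    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
RE_O24 = re.compile(r"^O24 - Desktop Component \d+: .+? - (?P<path>.+)$")
# Any Windows path to an executable on the line (HJT process list, ComboFix file list).
RE_PATH = re.compile(r"[A-Za-z]:\\[^\"<>|*?\r\n]+?\.(?:exe|dll|sys)\b", re.IGNORECASE)

@dataclass(frozen=True)
class Finding:
    line: str
    reason: str

def looks_random(name: str) -> bool:
    """Pseudo-random names such as ssqnopm or ykkysqkb have almost no vowels."""
    letters = [c for c in name.lower() if c.isalpha()]
    return len(letters) >= 6 and sum(c in VOWELS for c in letters) / len(letters) < 0.2

def impersonated_system_process(path: str) -> Optional[str]:
    """Flag a core system binary outside system32 or with whitespace in its name
    ('lsass .exe'), which is easy to mistake for the real one in a process list."""
    directory, _, base = path.rpartition("\\")
    if base.replace(" ", "").lower() not in SYSTEM_PROCESSES:
        return None
    if " " in base:
        return f"system process name with embedded space: {base!r}"
    if directory.lower() != SYSTEM32:
        return f"system process outside system32: {path}"
    return None

def triage(lines: Iterable[str]) -> List[Finding]:
    """Run every heuristic over each line and collect the reasons it tripped."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        m = RE_O20.match(line)
        if m and m.group("missing"):
            findings.append(Finding(line, "Winlogon Notify DLL missing: orphaned logon persistence"))
        if m and looks_random(m.group("key")):
            findings.append(Finding(line, f"pseudo-random Winlogon Notify name {m.group('key')!r}"))
        m = RE_O23.match(line)
        if m and m.group("owner") == "Unknown owner" and m.group("missing"):
            findings.append(Finding(line, "service with unknown owner and missing binary"))
        m = RE_O24.match(line)
        if m and m.group("path").lower().endswith((".htm", ".html")):
            findings.append(Finding(line, "Active Desktop component loads a local HTML file"))
        for path in RE_PATH.findall(line):
            reason = impersonated_system_process(path)
            if reason:
                findings.append(Finding(line, reason))
    return findings

# Sample lines copied from the logs posted in this thread, plus one clean control line.
SAMPLE_LINES = [
    r"C:\WINDOWS\system32\lsass.exe",
    r"2008-01-07 16:09 . 2008-01-08 10:23 355,840 --a------ C:\WINDOWS\lsass .exe",
    r"O20 - Winlogon Notify: ssqnopm - ssqnopm.dll (file missing)",
    r"O20 - Winlogon Notify: ykkysqkb - ykkysqkb.dll (file missing)",
    r"O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe",
    r"O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)",
    r"O24 - Desktop Component 0: (no name) - C:\Program Files\Messenger\rtelekifs.html",
]
if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.reason}]\n    {f.line}")
```

The clean AVG service line and the real system32\lsass.exe produce no findings, so the script can be pointed at a full HijackThis log and only the entries worth a second look come back.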

#13 Rosty

Rosty

    Skydive junkie


  • Malware Response Team
  • 1,220 posts

Posted 17 February 2008 - 04:08 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
