Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Vundo.trojan, Webbuying (adware)


  • This topic is locked This topic is locked
6 replies to this topic

#1 shichiiiya

shichiiiya

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:29 AM

Posted 21 February 2008 - 03:59 PM

HiJackThis Log ~
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:39:28 PM, on 2/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Nexon\MapleStory\MapleStory.exe
C:\Documents and Settings\Thu\Desktop\VundoFix.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Thu\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10969EA6-732C-4B92-857F-51AA92BFE684} - C:\WINDOWS\system32\vtsqp.dll (file missing)
O2 - BHO: (no name) - {13262F3D-9CF7-40A5-89A9-E906E95E3C7A} - C:\WINDOWS\system32\awtqq.dll (file missing)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: {af57393d-e8ae-0cbb-1754-88196b07f162} - {261f70b6-9188-4571-bbc0-ea8ed39375fa} - C:\WINDOWS\system32\clhgkrbj.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6d849f57-25e7-4bff-af8b-2a4ad12c2003} - C:\WINDOWS\system32\ecclavg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {81CA40CA-8FB1-4965-A352-1E343F12802E} - C:\WINDOWS\system32\ssttr.dll (file missing)
O2 - BHO: (no name) - {95F6B572-3EFE-4B5B-98F6-D610E24603A2} - C:\WINDOWS\system32\ddcyy.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {C8CDF0B6-A3C3-4ABC-BBCA-EA772B562921} - C:\WINDOWS\system32\urqqpno.dll
O2 - BHO: (no name) - {FF93AC7C-807F-4754-A817-63004836A352} - C:\Program Files\NetMeeting\towexo89104.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [c0c74b94] rundll32.exe "C:\WINDOWS\system32\giwngmby.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.8\webbuying.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: urqqpno - C:\WINDOWS\SYSTEM32\urqqpno.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 10827 bytes


******
I thought I deleted webbuying in the program folder, but when I opened up control panel it was still there, I uninstalled it an deleted it, but every time I boot up IE ( I normally use firefox) I get a pop-up spam. I used vundofix and downloaded a trial of nortan 360, but they've only temporary helped. Also I can't seem to delete some files that I found were nasty like MyWaySA\SrchAsDe\deSrcAs.dll.

*Also is C:\WINDOWS\system32\WTablet\TabUserW.exe a virus or something?
"Possibly nasty! According to our database this process runs normally in c:\programme\wacom\! Check if you know this process and arrange a viruscheck where required. This entry was classified from our visitors as good." ~hijackthis.de

I do own a wacom intuos3 drawing tablet.

Thanks for responding in advance!

Edited by shichiiiya, 21 February 2008 - 04:20 PM.


BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:11:29 PM

Posted 28 February 2008 - 10:44 AM

Hello shichiiiya,

Welcome to Bleeping Computer :thumbsup:

Sorry about the delay.:blink: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 shichiiiya

shichiiiya
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:29 AM

Posted 28 February 2008 - 07:29 PM

Here's that latest log.

And thanks for the welcome! :thumbsup:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:21:00 PM, on 2/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Thu\Desktop\HiJackThis.exe
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10969EA6-732C-4B92-857F-51AA92BFE684} - C:\WINDOWS\system32\vtsqp.dll (file missing)
O2 - BHO: (no name) - {13262F3D-9CF7-40A5-89A9-E906E95E3C7A} - C:\WINDOWS\system32\awtqq.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6d849f57-25e7-4bff-af8b-2a4ad12c2003} - C:\WINDOWS\system32\ecclavg.dll
O2 - BHO: {b188ad79-6e10-ece8-2d44-dcc3cbc397e6} - {6e793cbc-3ccd-44d2-8ece-01e697da881b} - C:\WINDOWS\system32\vervfjrw.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7A8D0FEE-F01A-4F41-8463-650127BBA3FB} - (no file)
O2 - BHO: (no name) - {81CA40CA-8FB1-4965-A352-1E343F12802E} - C:\WINDOWS\system32\ssttr.dll (file missing)
O2 - BHO: (no name) - {95F6B572-3EFE-4B5B-98F6-D610E24603A2} - C:\WINDOWS\system32\ddcyy.dll (file missing)
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {A4C6FD5C-94F2-44DD-A140-D1DED590393C} - C:\WINDOWS\system32\sstqq.dll (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\xubalkdn.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {B633017B-5103-40CE-B244-81EEFE09C259} - C:\WINDOWS\system32\awtqn.dll
O2 - BHO: (no name) - {C8CDF0B6-A3C3-4ABC-BBCA-EA772B562921} - C:\WINDOWS\system32\urqqpno.dll
O2 - BHO: (no name) - {db1f5424-03dd-493e-9c00-6250b028f5a4} - (no file)
O2 - BHO: (no name) - {EF6952B6-7683-4EBB-A09B-387D68701A46} - (no file)
O2 - BHO: (no name) - {fa370dfd-f26b-4810-88ce-2ed515302d48} - (no file)
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BMc3f47808] Rundll32.exe "C:\WINDOWS\system32\abmgmpyc.dll",s
O4 - HKLM\..\RunOnce: [SpybotDeletingA1595] command /c del "C:\WINDOWS\system32\xubalkdn.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC98] cmd /c del "C:\WINDOWS\system32\xubalkdn.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8807] command /c del "C:\WINDOWS\system32\xubalkdn.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4116] cmd /c del "C:\WINDOWS\system32\xubalkdn.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.8\webbuying.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB1987] command /c del "C:\WINDOWS\system32\xubalkdn.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3270] cmd /c del "C:\WINDOWS\system32\xubalkdn.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9808] command /c del "C:\WINDOWS\system32\xubalkdn.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5933] cmd /c del "C:\WINDOWS\system32\xubalkdn.dll"
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: urqqpno - C:\WINDOWS\SYSTEM32\urqqpno.dll
O20 - Winlogon Notify: xubalkdn - xubalkdn.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 10870 bytes

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:11:29 PM

Posted 28 February 2008 - 07:45 PM

Hello,

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 shichiiiya

shichiiiya
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:29 AM

Posted 01 March 2008 - 06:52 PM

Sorry it took so long to reply!

Here's the combo fix.

=========

ComboFix 08-03-01.3 - Thu 2008-03-01 18:40:04.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.195 [GMT -5:00]
Running from: C:\Documents and Settings\Thu\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\NetMeeting\towexo89104.dll
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\isgTi19
C:\Temp\isgTi19\lPig.log
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\system32\abmgmpyc.dll
C:\WINDOWS\system32\ac1
C:\WINDOWS\system32\awtqn.dll
C:\WINDOWS\system32\dwhrxvro.ini
C:\WINDOWS\system32\ebarujnv.dll
C:\WINDOWS\system32\ecclavg.dll
C:\WINDOWS\system32\egwfimln.dll
C:\WINDOWS\system32\gabvahvp.ini
C:\WINDOWS\system32\glwokqlx.ini
C:\WINDOWS\system32\hndkunxw.ini
C:\WINDOWS\system32\jjulexxj.dll
C:\WINDOWS\system32\kfyfuwut.dll
C:\WINDOWS\system32\klcatqwr.dll
C:\WINDOWS\system32\nGpxx18
C:\WINDOWS\system32\nqtwa.ini
C:\WINDOWS\system32\nqtwa.ini2
C:\WINDOWS\system32\orvxrhwd.dll
C:\WINDOWS\system32\oubarrlg.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pqstv.ini
C:\WINDOWS\system32\pqstv.ini2
C:\WINDOWS\system32\qqtss.ini
C:\WINDOWS\system32\qqtss.ini2
C:\WINDOWS\system32\rwqtaclk.ini
C:\WINDOWS\system32\urqqpno.dll
C:\WINDOWS\system32\vervfjrw.dll
C:\WINDOWS\system32\xecnwijn.dll
C:\WINDOWS\system32\xlqkowlg.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-01 to 2008-03-01 )))))))))))))))))))))))))))))))
.

2008-02-26 15:06 . 2008-03-01 18:37 99,591 --a------ C:\WINDOWS\BMc3f47808.xml
2008-02-26 15:06 . 2008-03-01 18:40 21 --a------ C:\WINDOWS\pskt.ini
2008-02-22 06:04 . 2008-02-22 06:04 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-22 06:03 . 2008-02-22 06:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-22 06:02 . 2008-02-22 06:02 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-22 06:02 . 2008-02-22 06:02 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-22 06:02 . 2008-02-22 06:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-22 06:00 . 2008-02-22 06:00 <DIR> d-------- C:\Documents and Settings\Thu\.housecall6.6
2008-02-16 16:16 . 2008-02-17 16:16 354 --ahs---- C:\WINDOWS\system32\bsdmtorb.ini
2008-02-16 15:49 . 2008-03-01 06:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-02-15 15:34 . 2008-02-15 17:30 354 --ahs---- C:\WINDOWS\system32\lrqnokvt.ini
2008-02-15 14:59 . 2008-02-22 06:50 <DIR> d-------- C:\VundoFix Backups
2008-02-15 08:54 . 2008-01-12 18:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-02-15 08:54 . 2008-01-15 09:54 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-02-15 08:54 . 2008-01-15 05:28 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-02-14 17:29 . 2008-02-14 17:29 77 --a------ C:\Documents and Settings\Thu\9911.bat
2008-02-14 17:18 . 2008-02-28 19:15 <DIR> d-------- C:\WTablet
2008-02-14 17:01 . 2008-03-01 18:46 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-14 17:01 . 2008-02-14 17:01 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-14 16:07 . 2008-02-23 06:23 <DIR> d-------- C:\Program Files\Norton 360
2008-02-14 16:02 . 2008-02-14 16:02 <DIR> d--hs---- C:\Documents and Settings\LocalService\UserData
2008-02-14 16:01 . 2008-02-14 16:01 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-02-14 15:45 . 2008-02-14 15:45 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-02-14 15:15 . 2008-02-14 15:15 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-02-14 15:12 . 2008-02-14 17:51 <DIR> d--hs---- C:\WINDOWS\VGh1
2008-02-14 15:12 . 2008-02-14 15:12 <DIR> d-------- C:\WINDOWS\system32\wd11
2008-02-14 15:12 . 2008-02-14 15:25 <DIR> d-------- C:\WINDOWS\system32\vb6
2008-02-14 15:12 . 2008-02-14 15:12 <DIR> d-------- C:\WINDOWS\system32\kp9
2008-02-14 15:12 . 2008-03-01 18:40 <DIR> d-------- C:\Temp
2008-02-13 08:14 . 2008-02-13 08:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-02-13 07:52 . 2008-02-13 07:52 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-02-13 00:11 . 2008-02-13 00:18 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-02-10 18:51 . 2008-02-10 18:51 <DIR> d-------- C:\Documents and Settings\Thu\Application Data\Apple Computer
2008-02-10 18:50 . 2008-02-10 18:50 <DIR> d-------- C:\Program Files\iTunes
2008-02-10 18:50 . 2008-02-10 18:50 <DIR> d-------- C:\Program Files\iPod
2008-02-10 18:49 . 2008-02-10 18:49 <DIR> d-------- C:\Program Files\Bonjour
2008-02-10 18:47 . 2008-02-10 18:47 <DIR> d-------- C:\Program Files\Apple Software Update
2008-02-10 18:47 . 2008-02-10 18:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-10 18:46 . 2008-02-10 18:46 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-02-10 18:46 . 2008-02-10 18:46 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-02-10 18:46 . 2008-02-10 18:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-02-10 18:46 . 2008-01-15 02:39 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2008-02-10 18:33 . 2008-02-14 17:37 <DIR> d-------- C:\Documents and Settings\Thu\Application Data\LimeWire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-01 23:46 --------- d-----w C:\Documents and Settings\Thu\Application Data\WTablet
2008-03-01 23:43 --------- d-----w C:\Documents and Settings\Thu\Application Data\SiteAdvisor
2008-02-23 11:35 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-23 11:24 --------- d-----w C:\Program Files\Symantec
2008-02-23 11:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-16 20:49 --------- d-----w C:\Program Files\Google
2008-02-16 20:47 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-15 01:28 --------- d-----w C:\Documents and Settings\Thu\Application Data\Symantec
2008-02-14 20:58 --------- d-----w C:\Program Files\Norton Internet Security
2008-02-14 20:45 --------- d-----w C:\Program Files\Yahoo!
2008-02-13 13:06 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-10 23:48 --------- d-----w C:\Program Files\QuickTime
2008-01-31 00:49 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-01-08 12:04 --------- d-----w C:\Program Files\CCleaner
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{10969EA6-732C-4B92-857F-51AA92BFE684}]
C:\WINDOWS\system32\vtsqp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13262F3D-9CF7-40A5-89A9-E906E95E3C7A}]
C:\WINDOWS\system32\awtqq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6d849f57-25e7-4bff-af8b-2a4ad12c2003}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6e793cbc-3ccd-44d2-8ece-01e697da881b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7A8D0FEE-F01A-4F41-8463-650127BBA3FB}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{81CA40CA-8FB1-4965-A352-1E343F12802E}]
C:\WINDOWS\system32\ssttr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95F6B572-3EFE-4B5B-98F6-D610E24603A2}]
C:\WINDOWS\system32\ddcyy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A4C6FD5C-94F2-44DD-A140-D1DED590393C}]
C:\WINDOWS\system32\sstqq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C8CDF0B6-A3C3-4ABC-BBCA-EA772B562921}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{db1f5424-03dd-493e-9c00-6250b028f5a4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E88B8E73-AC7F-4AD5-84DC-ADACC0007D84}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EF6952B6-7683-4EBB-A09B-387D68701A46}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fa370dfd-f26b-4810-88ce-2ed515302d48}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-11-06 19:51 3810544]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 19:42 1404928]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05 127035]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2005-09-26 19:34 169984]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"ISUSPM Startup"="c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-07-27 16:50 221184]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 14:18 267048]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-07-17 20:54 116072]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-08-17 23:54:58 24576]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-02-16 15:49:45 125624]
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2007-11-11 16:07:39 131072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqqpno]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xubalkdn]
xubalkdn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2007-07-17 20:54 116072 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative WebCam Tray]
--------- 2005-10-27 18:00 299008 C:\Program Files\Creative\Shared Files\CamTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2005-01-27 01:02 86016 C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 16:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz]
--a------ 2005-03-15 15:34 132248 C:\Program Files\Norton Internet Security\cfgwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 16:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2004-09-14 08:50 53248 C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-08-18 00:00 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-11-06 19:51 3810544 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
--a------ 2007-06-08 09:59 224248 C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Nexon\\MapleStory\\MapleStory.exe"=
"C:\\Nexon\\MapleStory\\Patcher.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 npkcmsvc;npkcmsvc;C:\Nexon\Mabinogi\npkcmsvc.exe [2007-08-02 12:33]
R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2006-02-14 17:18]
R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2006-02-14 17:19]
S3 dump_wmimmc;dump_wmimmc;C:\Nexon\MapleStory\GameGuard\dump_wmimmc.sys []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-01 18:46:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-03-01 18:48:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-01 23:48:19
.
2008-02-13 05:36:15 --- E O F ---

==========

HJT log from today after using combofix,

==========

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:52:03 PM, on 3/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Thu\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10969EA6-732C-4B92-857F-51AA92BFE684} - C:\WINDOWS\system32\vtsqp.dll (file missing)
O2 - BHO: (no name) - {13262F3D-9CF7-40A5-89A9-E906E95E3C7A} - C:\WINDOWS\system32\awtqq.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6d849f57-25e7-4bff-af8b-2a4ad12c2003} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {81CA40CA-8FB1-4965-A352-1E343F12802E} - C:\WINDOWS\system32\ssttr.dll (file missing)
O2 - BHO: (no name) - {95F6B572-3EFE-4B5B-98F6-D610E24603A2} - C:\WINDOWS\system32\ddcyy.dll (file missing)
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {A4C6FD5C-94F2-44DD-A140-D1DED590393C} - C:\WINDOWS\system32\sstqq.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: xubalkdn - xubalkdn.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 9454 bytes

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:11:29 PM

Posted 02 March 2008 - 09:52 AM

Hello,

Please print these instructions or copy them to Notepad (or another word processor), and save it for easier reference. This is because we will be in Safe Mode during the fix and you won’t be able to access the Internet to view these instructions.

Please download AVG Anti-Spyware Free Edition and save that file to your desktop.

This is a 30-day trial of the program -- This means that after 30 days the "background guard" protection will be de-activated. However, this version can continue to be manually updated and used as an on-demand scanner forever.
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the setup program.
  • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  • On the top of the main screen select the "Update" icon, then under the "Manual update" section click the "Start update" button.
  • The update will start and a progress bar will show the updates being installed.
  • Once the update has completed (the progress bar will display "Update successful!") select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the "Settings" screen:
    • Click on "Recommended actions" -> select "Quarantine".
    • Under "Reports:" -> select "Do not automatically generate reports".
  • Close AVG Anti-Spyware. Please do NOT run a scan yet!
Next, please reboot your computer into Safe Mode by doing the following:
  • Reboot your computer.
  • After hearing your computer beep once during startup, but just before the Windows icon appears, begin tapping the F8 key on your keyboard. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, reboot the computer and try again.
  • Instead of Windows loading as normal, a menu should appear.
  • Using the arrow keys on the keyboard, scroll to and select the "Safe Mode" menu item, and then press "Enter".
Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: (no name) - {10969EA6-732C-4B92-857F-51AA92BFE684} - C:\WINDOWS\system32\vtsqp.dll (file missing)
O2 - BHO: (no name) - {13262F3D-9CF7-40A5-89A9-E906E95E3C7A} - C:\WINDOWS\system32\awtqq.dll (file missing)
O2 - BHO: (no name) - {6d849f57-25e7-4bff-af8b-2a4ad12c2003} - (no file)
O2 - BHO: (no name) - {81CA40CA-8FB1-4965-A352-1E343F12802E} - C:\WINDOWS\system32\ssttr.dll (file missing)
O2 - BHO: (no name) - {95F6B572-3EFE-4B5B-98F6-D610E24603A2} - C:\WINDOWS\system32\ddcyy.dll (file missing)
O2 - BHO: (no name) - {A4C6FD5C-94F2-44DD-A140-D1DED590393C} - C:\WINDOWS\system32\sstqq.dll (file missing)
O20 - Winlogon Notify: xubalkdn - xubalkdn.dll (file missing)


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Then please run a scan with AVG Anti-Spyware:

IMPORTANT: Do NOT open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process.
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab. Click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
  • Once the scan is complete do the following:
    • If you have any infections you will prompted, then select the "Apply all actions" button, AVG Anti-Spyware will then display "All actions have been applied" on the right hand side.
    • Next select the "Save Report" button at the bottom.
    • Then select the "Save report as" button in the lower left hand corner of the screen and save it as a text file on your system (make sure to remember where you saved that file, this is important!).
  • Close AVG Anti-Spyware and reboot your system normally into Windows. Please post the contents of the AVG Anti-Spyware report in your next reply, along with a new HijackThis log.
How is it running please?

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:11:29 PM

Posted 13 March 2008 - 03:35 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users