Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Vx2


  • Please log in to reply
11 replies to this topic

#1 guy_wild

guy_wild

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:09 AM

Posted 15 February 2006 - 12:06 PM

Logfile of HijackThis v1.99.1
Scan saved at 17:58:19, on 2006-02-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Portrait Displays\PerfectSuite\DTSRVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Spybot\TeaTimer.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\Program Files\Personal\bin\Personal.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\gorank\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\payick.exe reg_run
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - Startup: Cookies Manager.lnk = C:\Program Files\Cookies Manager.exe
O4 - Startup: TimeSync.lnk = C:\Program Files\TSYN.EXE
O4 - User Startup: Cookies Manager.lnk = C:\Program Files\Cookies Manager.exe
O4 - User Startup: TimeSync.lnk = C:\Program Files\TSYN.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Personal.lnk = C:\Program Files\Personal\bin\Personal.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1134464059640
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = guywild.net
O17 - HKLM\Software\..\Telephony: DomainName = guywild.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{541B8DD7-1DE8-480A-ADD2-11B4AA90B3BD}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4C26EA1-4AA8-4757-8E12-23A7F5852342}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = guywild.net
O17 - HKLM\System\CS1\Services\Tcpip\..\{541B8DD7-1DE8-480A-ADD2-11B4AA90B3BD}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = guywild.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{541B8DD7-1DE8-480A-ADD2-11B4AA90B3BD}: NameServer = 192.168.0.1
O23 - Service: Asset Management Daemon - Unknown owner - C:\Program Files\Portrait Displays\PerfectSuite\dtsslsrv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Portrait Displays\PerfectSuite\DTSRVC.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

-----------

I ran the Ad-Aware VX2 scan plugin, and it said I had "A new verion of VX2". I did what i was supposed to do (Clean, reboot, scan and check for VX2 again) but it wasn'r removed. So I looked at the sites describing how to manually remove VX2, and of all the files and regkeyes that were listed as VX2, I had NONE.
I also downloaded VX2Finder, and it didn't find any signs of VX2.

But I still get the occational IE window popping up with pokerads and so. What to do?!

Sincerely
guy_wild

BC AdBot (Login to Remove)

 


#2 guy_wild

guy_wild
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:09 AM

Posted 16 February 2006 - 10:46 AM

I posted a query about a possible Qoologic infection in another forum, and was told by D-Trojanator (thank you) to post a Hijack-log here, and I do as I'm told. I also posted an Hijack-log here earlier due to the problems I have with the Ad-Aware VX2-plugin claiming I am infected with VX2. I ran an app called VX2Finder, but it did not find anything.

So those are the reasons I post again, in order to describe my situation, and what steps I have taken as clearly as possible. All engines I've used are of course updated as of today. As for my knowledge of Windows, I used to be an MSCE/MCT for WinNT 3.51/4.0/2000Srv. And even though it was a while I worked 'hands on' with Windows, I regard myself as being very familiar with the inner workings of the NT platforms.

My problem now is that an occational IE Window pops up, about five to ten times a day, showing pages from mostly www.errorsafe.com and www.pokeronline.com. This occurres even when I am browsing this site (blleepingcomputer.com) and nothing else.

So here's all the information i think you'll need.

1. Temporary files, Temporary Internet files, History and Recycle Bin emptied.

2. Ad-Aware full scan, log as follows:

Ad-Aware SE Build 1.06r1
Logfile Created on:den 16 februari 2006 14:27:14
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R92 14.02.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):4 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R92 14.02.2006
Internal build : 105
File location : C:\Program Files\Lavasoft\Ad-Aware\defs.ref
File size : 612293 Bytes
Total size : 1843069 Bytes
Signature data size : 1808182 Bytes
Reference data size : 34375 Bytes
Signatures total : 50991
CSI Fingerprints total : 1581
CSI data size : 47541 Bytes
Target categories : 15
Target families : 832


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:76 %
Total physical memory:1048032 kb
Available physical memory:789412 kb
Total page file size:2520700 kb
Available on page file:2372604 kb
Total virtual memory:2097024 kb
Available virtual memory:2043372 kb
OS:Microsoft Windows XP Professional Service Pack 2 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include module list in log file
Set : Include alternate data stream details in log file
Set : Show detail tooltips in results lists
Set : Play sound at scan completion if scan locates critical objects


2006-02-16 14:27:14 - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Documents and Settings\gorank\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : S-1-5-21-436374069-115176313-682003330-1003\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-436374069-115176313-682003330-1003\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-436374069-115176313-682003330-1003\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
ModuleName : \SystemRoot\System32\smss.exe
Command Line : n/a
ProcessID : 384
ThreadCreationTime : 2006-02-16 13:24:43
BasePriority : Normal

Scanning Module:\SystemRoot\System32\smss.exe...
Scanning Module:C:\WINDOWS\system32\ntdll.dll...

#:2 [csrss.exe]
ModuleName : \??\C:\WINDOWS\system32\csrss.exe
Command Line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestTh
ProcessID : 552
ThreadCreationTime : 2006-02-16 13:24:48
BasePriority : Normal

Scanning Module:\??\C:\WINDOWS\system32\csrss.exe...
Scanning Module:C:\WINDOWS\system32\CSRSRV.dll...
Scanning Module:C:\WINDOWS\system32\basesrv.dll...
Scanning Module:C:\WINDOWS\system32\winsrv.dll...
Scanning Module:C:\WINDOWS\system32\GDI32.dll...
Scanning Module:C:\WINDOWS\system32\KERNEL32.dll...
Scanning Module:C:\WINDOWS\system32\USER32.dll...
Scanning Module:C:\WINDOWS\system32\sxs.dll...
Scanning Module:C:\WINDOWS\system32\ADVAPI32.dll...
Scanning Module:C:\WINDOWS\system32\RPCRT4.dll...

#:3 [winlogon.exe]
ModuleName : \??\C:\WINDOWS\system32\winlogon.exe
Command Line : winlogon.exe
ProcessID : 576
ThreadCreationTime : 2006-02-16 13:24:49
BasePriority : High

Scanning Module:\??\C:\WINDOWS\system32\winlogon.exe...
Scanning Module:C:\WINDOWS\system32\AUTHZ.dll...
Scanning Module:C:\WINDOWS\system32\msvcrt.dll...
Scanning Module:C:\WINDOWS\system32\CRYPT32.dll...
Scanning Module:C:\WINDOWS\system32\MSASN1.dll...
Scanning Module:C:\WINDOWS\system32\NDdeApi.dll...
Scanning Module:C:\WINDOWS\system32\PROFMAP.dll...
Scanning Module:C:\WINDOWS\system32\NETAPI32.dll...
Scanning Module:C:\WINDOWS\system32\USERENV.dll...
Scanning Module:C:\WINDOWS\system32\PSAPI.DLL...
Scanning Module:C:\WINDOWS\system32\REGAPI.dll...
Scanning Module:C:\WINDOWS\system32\Secur32.dll...
Scanning Module:C:\WINDOWS\system32\SETUPAPI.dll...
Scanning Module:C:\WINDOWS\system32\VERSION.dll...
Scanning Module:C:\WINDOWS\system32\WINSTA.dll...
Scanning Module:C:\WINDOWS\system32\WINTRUST.dll...
Scanning Module:C:\WINDOWS\system32\IMAGEHLP.dll...
Scanning Module:C:\WINDOWS\system32\WS2_32.dll...
Scanning Module:C:\WINDOWS\system32\WS2HELP.dll...
Scanning Module:C:\WINDOWS\system32\MSGINA.dll...
Scanning Module:C:\WINDOWS\system32\SHELL32.dll...
Scanning Module:C:\WINDOWS\system32\SHLWAPI.dll...
Scanning Module:C:\WINDOWS\system32\COMCTL32.dll...
Scanning Module:C:\WINDOWS\system32\ODBC32.dll...
Scanning Module:C:\WINDOWS\system32\comdlg32.dll...
Scanning Module:C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll...
Scanning Module:C:\WINDOWS\system32\odbcint.dll...
Scanning Module:C:\WINDOWS\system32\SHSVCS.dll...
Scanning Module:C:\WINDOWS\system32\sfc.dll...
Scanning Module:C:\WINDOWS\system32\sfc_os.dll...
Scanning Module:C:\WINDOWS\system32\ole32.dll...
Scanning Module:C:\WINDOWS\system32\Apphelp.dll...
Scanning Module:C:\WINDOWS\system32\WINSCARD.DLL...
Scanning Module:C:\WINDOWS\system32\WTSAPI32.dll...
Scanning Module:C:\WINDOWS\system32\uxtheme.dll...
Scanning Module:C:\WINDOWS\system32\WINMM.dll...
Scanning Module:C:\WINDOWS\system32\cscdll.dll...
Scanning Module:C:\WINDOWS\system32\rsaenh.dll...
Scanning Module:C:\WINDOWS\vx2cleaner.dlx...
Scanning Module:C:\WINDOWS\system32\WlNotify.dll...
Scanning Module:C:\WINDOWS\system32\WINSPOOL.DRV...
Scanning Module:C:\WINDOWS\system32\MPR.dll...
Scanning Module:C:\WINDOWS\system32\msv1_0.dll...
Scanning Module:C:\WINDOWS\system32\iphlpapi.dll...
Scanning Module:C:\WINDOWS\system32\wldap32.dll...
Scanning Module:C:\WINDOWS\system32\CLBCATQ.DLL...
Scanning Module:C:\WINDOWS\system32\COMRes.dll...
Scanning Module:C:\WINDOWS\system32\OLEAUT32.dll...
Scanning Module:C:\WINDOWS\system32\xpsp2res.dll...
Scanning Module:C:\WINDOWS\system32\SAMLIB.dll...
Scanning Module:C:\WINDOWS\system32\cscui.dll...
Scanning Module:C:\WINDOWS\System32\ntlanman.dll...
Scanning Module:C:\WINDOWS\System32\NETUI0.dll...
Scanning Module:C:\WINDOWS\System32\NETUI1.dll...
Scanning Module:C:\WINDOWS\System32\NETRAP.dll...
Scanning Module:C:\WINDOWS\System32\davclnt.dll...
Scanning Module:C:\WINDOWS\system32\MPRUI.dll...
Scanning Module:C:\WINDOWS\system32\NETUI2.dll...
Scanning Module:C:\WINDOWS\system32\netmsg.dll...
Scanning Module:C:\WINDOWS\system32\wdmaud.drv...
Scanning Module:C:\WINDOWS\system32\msacm32.drv...
Scanning Module:C:\WINDOWS\system32\MSACM32.dll...
Scanning Module:C:\WINDOWS\system32\midimap.dll...
Scanning Module:C:\WINDOWS\system32\NTMARTA.DLL...

#:4 [services.exe]
ModuleName : C:\WINDOWS\system32\services.exe
Command Line : C:\WINDOWS\system32\services.exe
ProcessID : 624
ThreadCreationTime : 2006-02-16 13:24:50
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe
Scanning Module:C:\WINDOWS\system32\services.exe...
Scanning Module:C:\WINDOWS\system32\SCESRV.dll...
Scanning Module:C:\WINDOWS\system32\umpnpmgr.dll...
Scanning Module:C:\WINDOWS\system32\NCObjAPI.DLL...
Scanning Module:C:\WINDOWS\system32\MSVCP60.dll...
Scanning Module:C:\WINDOWS\system32\ShimEng.dll...
Scanning Module:C:\WINDOWS\AppPatch\AcGenral.DLL...
Scanning Module:C:\WINDOWS\system32\eventlog.dll...

#:5 [lsass.exe]
ModuleName : C:\WINDOWS\system32\lsass.exe
Command Line : C:\WINDOWS\system32\lsass.exe
ProcessID : 636
ThreadCreationTime : 2006-02-16 13:24:50
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe
Scanning Module:C:\WINDOWS\system32\lsass.exe...
Scanning Module:C:\WINDOWS\system32\LSASRV.dll...
Scanning Module:C:\WINDOWS\system32\NTDSAPI.dll...
Scanning Module:C:\WINDOWS\system32\DNSAPI.dll...
Scanning Module:C:\WINDOWS\system32\SAMSRV.dll...
Scanning Module:C:\WINDOWS\system32\cryptdll.dll...
Scanning Module:C:\WINDOWS\system32\msprivs.dll...
Scanning Module:C:\WINDOWS\system32\kerberos.dll...
Scanning Module:C:\WINDOWS\system32\netlogon.dll...
Scanning Module:C:\WINDOWS\system32\w32time.dll...
Scanning Module:C:\WINDOWS\system32\schannel.dll...
Scanning Module:C:\WINDOWS\system32\wdigest.dll...
Scanning Module:C:\WINDOWS\system32\scecli.dll...
Scanning Module:C:\WINDOWS\system32\ipsecsvc.dll...
Scanning Module:C:\WINDOWS\system32\oakley.DLL...
Scanning Module:C:\WINDOWS\system32\WINIPSEC.DLL...
Scanning Module:C:\WINDOWS\system32\mswsock.dll...
Scanning Module:C:\WINDOWS\system32\hnetcfg.dll...
Scanning Module:C:\WINDOWS\System32\wshtcpip.dll...
Scanning Module:C:\WINDOWS\system32\pstorsvc.dll...
Scanning Module:C:\WINDOWS\system32\psbase.dll...
Scanning Module:C:\WINDOWS\system32\dssenh.dll...

#:6 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k DcomLaunch
ProcessID : 800
ThreadCreationTime : 2006-02-16 13:24:51
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
Scanning Module:C:\WINDOWS\system32\svchost.exe...
Scanning Module:c:\windows\system32\rpcss.dll...

#:7 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k rpcss
ProcessID : 848
ThreadCreationTime : 2006-02-16 13:24:51
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
Scanning Module:C:\WINDOWS\System32\winrnr.dll...
Scanning Module:C:\WINDOWS\system32\rasadhlp.dll...

#:8 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k netsvcs
ProcessID : 912
ThreadCreationTime : 2006-02-16 13:24:51
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
Scanning Module:c:\windows\system32\dhcpcsvc.dll...
Scanning Module:c:\windows\system32\audiosrv.dll...
Scanning Module:c:\windows\system32\wkssvc.dll...
Scanning Module:c:\windows\system32\cryptsvc.dll...
Scanning Module:c:\windows\system32\certcli.dll...
Scanning Module:c:\windows\system32\ATL.DLL...
Scanning Module:C:\WINDOWS\system32\CRYPTUI.dll...
Scanning Module:C:\WINDOWS\system32\WININET.dll...
Scanning Module:c:\windows\system32\ESENT.dll...
Scanning Module:c:\windows\system32\es.dll...
Scanning Module:c:\windows\system32\dmserver.dll...
Scanning Module:c:\windows\pchealth\helpctr\binaries\pchsvc.dll...
Scanning Module:c:\windows\system32\srvsvc.dll...
Scanning Module:c:\windows\system32\netman.dll...
Scanning Module:c:\windows\system32\MPRAPI.dll...
Scanning Module:c:\windows\system32\ACTIVEDS.dll...
Scanning Module:c:\windows\system32\adsldpc.dll...
Scanning Module:c:\windows\system32\rtutils.dll...
Scanning Module:c:\windows\system32\netshell.dll...
Scanning Module:c:\windows\system32\credui.dll...
Scanning Module:c:\windows\system32\RASAPI32.dll...
Scanning Module:c:\windows\system32\rasman.dll...
Scanning Module:c:\windows\system32\TAPI32.dll...
Scanning Module:c:\windows\system32\WZCSAPI.DLL...
Scanning Module:c:\windows\system32\WZCSvc.DLL...
Scanning Module:c:\windows\system32\WMI.dll...
Scanning Module:c:\windows\system32\seclogon.dll...
Scanning Module:c:\windows\system32\sens.dll...
Scanning Module:c:\windows\system32\srsvc.dll...
Scanning Module:c:\windows\system32\POWRPROF.dll...
Scanning Module:c:\windows\system32\wbem\wmisvc.dll...
Scanning Module:C:\WINDOWS\system32\VSSAPI.DLL...
Scanning Module:c:\windows\system32\wuauserv.dll...
Scanning Module:C:\WINDOWS\system32\wuaueng.dll...
Scanning Module:C:\WINDOWS\System32\ADVPACK.dll...
Scanning Module:C:\WINDOWS\System32\SHFOLDER.dll...
Scanning Module:C:\WINDOWS\System32\WINHTTP.dll...
Scanning Module:C:\WINDOWS\System32\Cabinet.dll...
Scanning Module:C:\WINDOWS\System32\mspatcha.dll...
Scanning Module:c:\windows\system32\browser.dll...
Scanning Module:c:\windows\system32\wscsvc.dll...
Scanning Module:c:\windows\system32\msi.dll...
Scanning Module:C:\WINDOWS\system32\wbem\wbemcomn.dll...
Scanning Module:C:\WINDOWS\system32\comsvcs.dll...
Scanning Module:C:\WINDOWS\system32\colbact.DLL...
Scanning Module:C:\WINDOWS\system32\MTXCLU.DLL...
Scanning Module:C:\WINDOWS\system32\WSOCK32.dll...
Scanning Module:C:\WINDOWS\System32\CLUSAPI.DLL...
Scanning Module:C:\WINDOWS\System32\RESUTILS.DLL...
Scanning Module:c:\windows\system32\ipnathlp.dll...
Scanning Module:C:\WINDOWS\System32\Wbem\wbemcore.dll...
Scanning Module:C:\WINDOWS\System32\Wbem\esscli.dll...
Scanning Module:C:\WINDOWS\System32\Wbem\FastProx.dll...
Scanning Module:C:\WINDOWS\system32\wbem\wmiutils.dll...
Scanning Module:C:\WINDOWS\system32\wbem\repdrvfs.dll...
Scanning Module:C:\WINDOWS\system32\wbem\wmiprvsd.dll...
Scanning Module:C:\WINDOWS\system32\wbem\wbemess.dll...
Scanning Module:C:\WINDOWS\System32\RASDLG.dll...
Scanning Module:C:\WINDOWS\system32\wups.dll...
Scanning Module:C:\WINDOWS\system32\wbem\ncprov.dll...
Scanning Module:C:\WINDOWS\system32\wbem\wbemcons.dll...

#:9 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost.exe -k NetworkService
ProcessID : 948
ThreadCreationTime : 2006-02-16 13:24:51
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
Scanning Module:c:\windows\system32\dnsrslvr.dll...

#:10 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost.exe -k LocalService
ProcessID : 1004
ThreadCreationTime : 2006-02-16 13:24:51
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
Scanning Module:c:\windows\system32\lmhsvc.dll...
Scanning Module:c:\windows\system32\webclnt.dll...
Scanning Module:C:\WINDOWS\system32\urlmon.dll...
Scanning Module:c:\windows\system32\ssdpsrv.dll...

#:11 [spoolsv.exe]
ModuleName : C:\WINDOWS\system32\spoolsv.exe
Command Line : C:\WINDOWS\system32\spoolsv.exe
ProcessID : 1068
ThreadCreationTime : 2006-02-16 13:24:52
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe
Scanning Module:C:\WINDOWS\system32\spoolsv.exe...
Scanning Module:C:\WINDOWS\system32\SPOOLSS.DLL...
Scanning Module:C:\WINDOWS\system32\localspl.dll...
Scanning Module:C:\WINDOWS\system32\cnbjmon.dll...
Scanning Module:C:\WINDOWS\system32\pjlmon.dll...
Scanning Module:C:\WINDOWS\system32\tcpmon.dll...
Scanning Module:C:\WINDOWS\system32\usbmon.dll...
Scanning Module:C:\WINDOWS\system32\win32spl.dll...
Scanning Module:C:\WINDOWS\system32\inetpp.dll...

#:12 [cisvc.exe]
ModuleName : C:\WINDOWS\system32\cisvc.exe
Command Line : C:\WINDOWS\system32\cisvc.exe
ProcessID : 1180
ThreadCreationTime : 2006-02-16 13:24:53
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Content Index service
InternalName : cisvc.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : cisvc.exe
Scanning Module:C:\WINDOWS\system32\cisvc.exe...
Scanning Module:C:\WINDOWS\system32\query.dll...

#:13 [dtsrvc.exe]
ModuleName : C:\Program Files\Portrait Displays\PerfectSuite\DTSRVC.exe
Command Line : "C:\Program Files\Portrait Displays\PerfectSuite\DTSRVC.exe"
ProcessID : 1200
ThreadCreationTime : 2006-02-16 13:24:53
BasePriority : Normal

Scanning Module:C:\Program Files\Portrait Displays\PerfectSuite\DTSRVC.exe...

#:14 [ewidoctrl.exe]
ModuleName : C:\Program Files\Ewido\ewidoctrl.exe
Command Line : "C:\Program Files\Ewido\ewidoctrl.exe"
ProcessID : 1232
ThreadCreationTime : 2006-02-16 13:24:53
BasePriority : Normal
FileVersion : 3, 0, 0, 1
ProductVersion : 3, 0, 0, 1
ProductName : ewido control
CompanyName : ewido networks
FileDescription : ewido control
InternalName : ewido control
LegalCopyright : Copyright © 2004
OriginalFilename : ewidoctrl.exe
Scanning Module:C:\Program Files\Ewido\ewidoctrl.exe...
Scanning Module:C:\Program Files\Ewido\lang.dll...
Scanning Module:C:\WINDOWS\system32\MSVCP71.dll...
Scanning Module:C:\WINDOWS\system32\MSVCR71.dll...

#:15 [mdm.exe]
ModuleName : C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
Command Line : "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"
ProcessID : 1260
ThreadCreationTime : 2006-02-16 13:24:53
BasePriority : Normal
FileVersion : 7.00.9466
ProductVersion : 7.00.9466
ProductName : Microsoft® Visual Studio .NET
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : mdm.exe
Scanning Module:C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe...

#:16 [alg.exe]
ModuleName : C:\WINDOWS\System32\alg.exe
Command Line : C:\WINDOWS\System32\alg.exe
ProcessID : 1548
ThreadCreationTime : 2006-02-16 13:24:54
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe
Scanning Module:C:\WINDOWS\System32\alg.exe...

#:17 [explorer.exe]
ModuleName : C:\WINDOWS\Explorer.EXE
Command Line : C:\WINDOWS\Explorer.EXE
ProcessID : 1872
ThreadCreationTime : 2006-02-16 13:25:33
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE
Scanning Module:C:\WINDOWS\Explorer.EXE...
Scanning Module:C:\WINDOWS\system32\BROWSEUI.dll...
Scanning Module:C:\WINDOWS\system32\SHDOCVW.dll...
Scanning Module:C:\WINDOWS\system32\themeui.dll...
Scanning Module:C:\WINDOWS\system32\MSIMG32.dll...
Scanning Module:C:\WINDOWS\system32\actxprxy.dll...
Scanning Module:C:\WINDOWS\system32\LINKINFO.dll...
Scanning Module:C:\WINDOWS\system32\ntshrui.dll...
Scanning Module:C:\WINDOWS\system32\ipqonap.dll...
Scanning Module:C:\WINDOWS\system32\webcheck.dll...
Scanning Module:C:\WINDOWS\system32\stobject.dll...
Scanning Module:C:\WINDOWS\system32\BatMeter.dll...
Scanning Module:C:\WINDOWS\system32\upnpui.dll...
Scanning Module:C:\WINDOWS\system32\upnp.dll...
Scanning Module:C:\WINDOWS\system32\SSDPAPI.dll...

#:18 [jusched.exe]
ModuleName : C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
Command Line : "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
ProcessID : 1948
ThreadCreationTime : 2006-02-16 13:25:34
BasePriority : Normal

Scanning Module:C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe...

#:19 [teatimer.exe]
ModuleName : C:\Program Files\Spybot\TeaTimer.exe
Command Line : "C:\Program Files\Spybot\TeaTimer.exe"
ProcessID : 1956
ThreadCreationTime : 2006-02-16 13:25:35
BasePriority : Idle
FileVersion : 1, 4, 0, 2
ProductVersion : 1, 4, 0, 3
ProductName : Spybot - Search & Destroy
CompanyName : Safer Networking Limited
FileDescription : System settings protector
InternalName : TeaTimer
LegalCopyright : © 2000-2005 Patrick M. Kolla / Safer Networking Limited. Alle Rechte vorbehalten.
LegalTrademarks : "Spybot" und "Spybot - Search & Destroy" sind registrierte Warenzeichen.
OriginalFilename : TeaTimer.exe
Comments : Schützt Systemeinstellungen vor ungewollten Änderungen.
Scanning Module:C:\Program Files\Spybot\TeaTimer.exe...
Scanning Module:C:\WINDOWS\system32\hhctrl.ocx...
Scanning Module:C:\Program Files\Spybot\advcheck.dll...

#:20 [ctltray.exe]
ModuleName : C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
Command Line : "C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe"
ProcessID : 1964
ThreadCreationTime : 2006-02-16 13:25:35
BasePriority : Normal
FileVersion : 1.00.00.24
ProductVersion : 1.00.00.24
ProductName : Creative TaskTray
CompanyName : Creative Technology Ltd.
FileDescription : Creative TaskTray
InternalName : Taskbar
LegalCopyright : Copyright © Creative Technology Ltd. 2001
OriginalFilename : CTLTray.exe
Comments : Creative TaskTray
Scanning Module:C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe...
Scanning Module:C:\Program Files\Creative\SBAudigy\Taskbar\CTLTRRes.dll...
Scanning Module:C:\WINDOWS\system32\ctdevcon.dll...
Scanning Module:C:\WINDOWS\system32\ctosuser.dll...
Scanning Module:C:\WINDOWS\system32\piaproxy.dll...
Scanning Module:C:\WINDOWS\system32\CTDPROXY.DLL...

#:21 [personal.exe]
ModuleName : C:\Program Files\Personal\bin\Personal.exe
Command Line : "C:\Program Files\Personal\bin\Personal.exe"
ProcessID : 1996
ThreadCreationTime : 2006-02-16 13:25:35
BasePriority : Normal
FileVersion : 4,2,5,1
ProductVersion : 4,2,5,1
ProductName : Nexus Personal
CompanyName : Technology Nexus AB
FileDescription : Nexus Personal
InternalName : Nexus Personal
LegalCopyright : Copyright 2005 Technology Nexus AB
OriginalFilename : personal.exe
Scanning Module:C:\Program Files\Personal\bin\Personal.exe...
Scanning Module:C:\Program Files\Personal\bin\tokenapi.dll...
Scanning Module:C:\Program Files\Personal\bin\lng_svse.dll...

#:22 [wuauclt.exe]
ModuleName : C:\WINDOWS\system32\wuauclt.exe
Command Line : "C:\WINDOWS\system32\wuauclt.exe" /RunStoreAsComServer Local\[390]SUSDS3a01561e4112894b8cf97b956925bbad
ProcessID : 236
ThreadCreationTime : 2006-02-16 13:25:39
BasePriority : Normal
FileVersion : 5.8.0.2469 built by: lab01_n(wmbla)
ProductVersion : 5.8.0.2469
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Automatic Updates
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wuauclt.exe
Scanning Module:C:\WINDOWS\system32\wuauclt.exe...
Scanning Module:C:\WINDOWS\system32\wuaucpl.cpl...

#:23 [ad-aware.exe]
ModuleName : C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
Command Line : "C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe"
ProcessID : 1524
ThreadCreationTime : 2006-02-16 13:26:46
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved
Scanning Module:C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe...
Scanning Module:C:\WINDOWS\system32\olepro32.dll...
Scanning Module:C:\WINDOWS\system32\RICHED32.DLL...
Scanning Module:C:\WINDOWS\system32\RICHED20.dll...

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1525 entries scanned.
New critical objects:0
Objects found so far: 4




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4

14:33:06 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:05:51.578
Objects scanned:137878
Objects identified:0
Objects ignored:0
New critical objects:0


3. SpyBot scan, no entries to delete. SpyBot runs with both resident monitors on in conjuction with SpywareBlaster.

4. Scan with HouseCall, Java based kernel.
It found the file:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ozph.exe, and said it was Qoologic.AA malware.
I've manually searched the entire HDD but found nothing.
In the Registry I found the following in
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\ozph.exe"="ozph". I deleted that string manually.
It also found the following files:
C:\Windows\system32\payick.exe
C:\Windows\system32\ipqonap.dll
C:\Windows\system32\wuqak.dat.
I found the file wuqak.dat (223 kb) in the named location but not payick.exe or ipqonapp.dll. I let HouseCall remove all the files it could.
In the Registry I found HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\"C:\\Windows\\system32\\payick.exe"="payick".
HouseCall did not remove that string, so I did. I found no references to ipqonap.dll in the Registry.

5. Scan with BitDefender.
It found - of course the quarantined items from HouseCalls scan, and deleted them. But it - again - found the
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ozph.exe as well as the
C:\Windows\system32\ipqonap.dll. BitDefender could not disinfect, nor delete them.

6. McAfee Stinger v2.5.9 were run; It found nothing whatsoever.

7. My main AV-software is Norton, and my Firewall is Symantecs Personal and my system is updated with all the latest hotfixes.

8. So, finally we come to running HijackThis and creating the log. The log looks as follows:

Logfile of HijackThis v1.99.1
Scan saved at 16:43:01, on 2006-02-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Portrait Displays\PerfectSuite\DTSRVC.exe
C:\Program Files\Ewido\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Spybot\TeaTimer.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\Program Files\Personal\bin\Personal.exe
C:\Program Files\Notepad++\notepad++.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = My Internet!
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\payick.exe reg_run
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - Startup: Cookies Manager.lnk = C:\Program Files\Cookies Manager.exe
O4 - Startup: TimeSync.lnk = C:\Program Files\TSYN.EXE
O4 - User Startup: Cookies Manager.lnk = C:\Program Files\Cookies Manager.exe
O4 - User Startup: TimeSync.lnk = C:\Program Files\TSYN.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Personal.lnk = C:\Program Files\Personal\bin\Personal.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1134464059640
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = guywild.net
O17 - HKLM\Software\..\Telephony: DomainName = guywild.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{541B8DD7-1DE8-480A-ADD2-11B4AA90B3BD}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4C26EA1-4AA8-4757-8E12-23A7F5852342}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = guywild.net
O17 - HKLM\System\CS1\Services\Tcpip\..\{541B8DD7-1DE8-480A-ADD2-11B4AA90B3BD}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = guywild.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{541B8DD7-1DE8-480A-ADD2-11B4AA90B3BD}: NameServer = 192.168.0.1
O23 - Service: Asset Management Daemon - Unknown owner - C:\Program Files\Portrait Displays\PerfectSuite\dtsslsrv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Portrait Displays\PerfectSuite\DTSRVC.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Ewido\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


So that's it. I really hope you can make any sense of this. I am looking forward and patiently awaiting an interesteing analysis. Oh, and you can disregart or delete my previous post.

Sincerely
guy_wild

#3 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:11:09 AM

Posted 18 February 2006 - 11:19 PM

Hi guy_wild and welcome to the BC HijackThis forum. Let's use a different scanner and see if there are any additional files that are involved with this.

Download WinPFind.zip and unzip the contents to the C:\ folder.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the c:\winpfind\winpfind.exe file and double-click it to run it. Now click the Start Scan button to begin the scan.

When the scan is complete reboot normally and post the WinPFind.txt file (located in the WinPFind folder) back here along with a new HijackThis log and I will review the information when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#4 guy_wild

guy_wild
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:09 AM

Posted 19 February 2006 - 12:32 PM

Hello OldTimer. (How old is that anyway? I was certified on Win 3.11! *lol*) Well anyway, some info and the logs you wanted.

I noticed that when I started in Safe Mode these files were to be found in the C:\WINDOWS\system32 folder:

kmgew.dll
jvksdcv.exe
ipqonap.dll
payick.exe


When I do a normal startup those files are not on the harddrive, but instead I find the file wuqak.dat. So something om my system is creating this at every startup. I haven't found the source, but hopefully you know what it might be.

Now to the log files, first WinPFind:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...
UPX! 2005-02-16 11:06:16 218112 C:\Program Files\HijackThis.exe
winsync 2006-02-15 17:58:20 5275 C:\Program Files\hijackthis.log
UPX! 2006-02-15 17:39:28 1144839 C:\Program Files\stng260.exe

Checking %WinDir% folder...

Checking %System% folder...
PEC2 2001-07-21 17:15:32 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 2005-07-12 18:04:22 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 2006-02-08 06:23:40 4513120 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 2006-02-08 06:23:40 4513120 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 2004-08-04 03:56:36 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 2004-08-04 03:56:44 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 2001-07-21 17:23:44 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
UPX! 2005-05-23 16:09:36 242688 C:\WINDOWS\SYSTEM32\wbocx450.ocx

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
127.0.0.1 ad-w-a-r-e.com
127.0.0.1 www.ad-w-a-r-e.com
127.0.0.1 www.ad-w-a-r-e.com
127.0.0.1 ad-w-a-r-e.com

ad-w-a-r-e.com 2005-12-19 12:53:16 R 40565 C:\WINDOWS\SYSTEM32\drivers\etc\hosts.20060112-111147.backup

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
2006-02-19 17:24:46 S 64 C:\WINDOWS\CSC\00000001
2006-01-30 21:13:04 S 64 C:\WINDOWS\CSC\00000002
2006-01-28 16:25:30 S 64 C:\WINDOWS\CSC\csc1.tmp
2006-01-13 12:34:32 S 7898 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911565.cat
2006-01-04 06:39:38 S 11223 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911927.cat
2006-01-03 00:09:36 S 11223 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912919.cat
2006-01-13 20:28:32 S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB913446.cat
2006-02-19 17:25:56 H 8192 C:\WINDOWS\system32\config\default.LOG
2006-02-19 17:26:16 H 1024 C:\WINDOWS\system32\config\SAM.LOG
2006-02-19 17:26:06 H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
2006-02-19 17:28:54 H 77824 C:\WINDOWS\system32\config\software.LOG
2006-02-19 17:26:10 H 847872 C:\WINDOWS\system32\config\system.LOG
2006-02-18 15:35:42 H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2006-01-19 09:02:46 S 1047 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\7C8A03C4580C6B04FDF34357F3474EDC
2006-01-19 09:02:44 S 1370 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\B82262A5D5DA4DDACE9EDA7F787D0DEB
2006-01-19 09:02:46 S 126 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\7C8A03C4580C6B04FDF34357F3474EDC
2006-01-19 09:02:44 S 194 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\B82262A5D5DA4DDACE9EDA7F787D0DEB
2006-01-24 17:47:44 H 81 C:\WINDOWS\system32\GroupPolicy\Adm\admfiles.ini
2006-02-19 17:16:06 H 458 C:\WINDOWS\Temp\olf1F0.tmp.html
2006-02-19 17:16:06 H 432 C:\WINDOWS\Temp\olr1F0.tmp.html
2006-02-19 17:16:06 H 1034 C:\WINDOWS\Temp\olv1F0.tmp.html
2006-02-19 17:16:06 H 415 C:\WINDOWS\Temp\olx1F0.tmp.html
2006-02-19 17:24:30 HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini

Checking for CPL files...
Microsoft Corporation 2004-08-04 03:56:58 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 2004-08-04 03:56:58 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Creative Technology Ltd. 2001-05-28 13:47:00 32768 C:\WINDOWS\SYSTEM32\AudioHQU.cpl
Microsoft Corporation 2004-08-04 03:56:58 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Creative Technology Ltd. 2001-03-30 02:00:00 230912 C:\WINDOWS\SYSTEM32\CTDetect.cpl
Microsoft Corporation 2004-08-04 03:56:58 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 2004-08-04 03:56:58 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 2004-08-04 03:56:58 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 2004-08-04 03:56:58 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 2004-08-04 03:56:58 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 2004-08-04 03:56:58 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 2004-08-04 03:56:58 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 2005-11-10 13:03:50 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 2001-08-18 01:37:02 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 2004-08-04 03:56:58 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 2001-08-18 01:37:02 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 2004-08-04 03:56:58 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 2004-08-04 03:56:58 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 2003-07-28 15:19:00 143360 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 2001-08-18 01:37:02 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 2004-08-04 03:56:58 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 2004-08-04 03:56:58 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Creative Technology Ltd. 2000-07-19 01:00:00 24576 C:\WINDOWS\SYSTEM32\RcMan.cpl
Microsoft Corporation 2004-08-04 03:56:58 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 2001-08-18 01:37:02 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 2004-08-04 03:56:58 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 2004-08-04 03:56:58 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 2005-05-26 04:16:30 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
2001-01-13 14:34:28 336384 C:\WINDOWS\SYSTEM32\XQXSetup.cpl
Microsoft Corporation 2004-08-04 03:56:58 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 2004-08-04 03:56:58 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 2004-08-04 03:56:58 110592 C:\WINDOWS\SYSTEM32\dllcache\bthprops.cpl
Microsoft Corporation 2004-08-04 03:56:58 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 2004-08-04 03:56:58 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 2004-08-04 03:56:58 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 2004-08-04 03:56:58 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 2004-08-04 03:56:58 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 2004-08-04 03:56:58 380416 C:\WINDOWS\SYSTEM32\dllcache\irprops.cpl
Microsoft Corporation 2004-08-04 03:56:58 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 2001-08-18 01:37:02 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 2004-08-04 03:56:58 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 2001-08-18 01:37:02 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 2004-08-04 03:56:58 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 2004-08-04 03:56:58 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 2001-08-18 01:37:02 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 2004-08-04 03:56:58 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 2004-08-04 03:56:58 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 2004-08-04 03:56:58 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 2004-08-04 03:56:58 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 2001-08-18 01:37:02 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 2004-08-04 03:56:58 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 2004-08-04 03:56:58 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 2005-05-26 04:16:30 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
2005-12-12 23:04:00 HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
2005-12-13 19:40:14 1747 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
2006-02-19 17:22:38 227840 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ozph.exe
2005-12-14 14:16:28 869 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Personal.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
2005-12-12 23:08:20 HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
2005-12-14 15:24:22 625 C:\Documents and Settings\gorank\Start Menu\Programs\Startup\Cookies Manager.lnk
2005-12-12 23:04:00 HS 84 C:\Documents and Settings\gorank\Start Menu\Programs\Startup\desktop.ini
2005-12-31 14:29:48 606 C:\Documents and Settings\gorank\Start Menu\Programs\Startup\TimeSync.lnk

Checking files in %USERPROFILE%\Application Data folder...
2005-12-12 23:08:20 HS 62 C:\Documents and Settings\gorank\Application Data\desktop.ini
2006-02-14 22:17:36 20824 C:\Documents and Settings\gorank\Application Data\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\Spybot\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66}
MenuText = Uninstall BitDefender Online Scanner v8 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
KernelFaultCheck %systemroot%\system32\dumprep 0 -k
winsync C:\WINDOWS\system32\payick.exe reg_run

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SpybotSD TeaTimer C:\Program Files\Spybot\TeaTimer.exe
TaskTray C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandFrom

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandTo

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoSharedDocuments 1


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll
UPnPMonitor {e57ce738-33e8-4c51-8354-bb4de9d215d1} = C:\WINDOWS\system32\upnpui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 2006-02-19 17:34:31


Ok, the file C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ozph.exe does not exist on my system after a normal startup.

Next, The Hijack Log:

Logfile of HijackThis v1.99.1
Scan saved at 18:07:06, on 2006-02-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = My Internet!
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\payick.exe reg_run
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - Startup: Cookies Manager.lnk = C:\Program Files\Cookies Manager.exe
O4 - Startup: TimeSync.lnk = C:\Program Files\TSYN.EXE
O4 - User Startup: Cookies Manager.lnk = C:\Program Files\Cookies Manager.exe
O4 - User Startup: TimeSync.lnk = C:\Program Files\TSYN.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ozph.exe
O4 - Global Startup: Personal.lnk = C:\Program Files\Personal\bin\Personal.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1134464059640
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = guywild.net
O17 - HKLM\Software\..\Telephony: DomainName = guywild.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{541B8DD7-1DE8-480A-ADD2-11B4AA90B3BD}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4C26EA1-4AA8-4757-8E12-23A7F5852342}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = guywild.net
O17 - HKLM\System\CS1\Services\Tcpip\..\{541B8DD7-1DE8-480A-ADD2-11B4AA90B3BD}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = guywild.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{541B8DD7-1DE8-480A-ADD2-11B4AA90B3BD}: NameServer = 192.168.0.1
O23 - Service: Asset Management Daemon - Unknown owner - C:\Program Files\Portrait Displays\PerfectSuite\dtsslsrv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Portrait Displays\PerfectSuite\DTSRVC.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Ewido\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


I really hope this can help you in determining what all this originates from. Thank you again for taking the time - If this is solved I'll most definately make a donation!

All the best
guy_wild

#5 guy_wild

guy_wild
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:09 AM

Posted 19 February 2006 - 01:52 PM

Oh! There's a post below this with the WinPFind and Hijack logs. The thing is that I ran HijackThis in Safe Mode along with WinPFind. When I read your post more carefully I realized you wanted an Hijack log when I was in Normal mode, so here it is. Sorry for the confusion.

Logfile of HijackThis v1.99.1
Scan saved at 19:48:50, on 2006-02-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Portrait Displays\PerfectSuite\DTSRVC.exe
C:\Program Files\Ewido\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spybot\TeaTimer.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\Program Files\Personal\bin\Personal.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = My Internet!
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\payick.exe reg_run
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - Startup: Cookies Manager.lnk = C:\Program Files\Cookies Manager.exe
O4 - Startup: TimeSync.lnk = C:\Program Files\TSYN.EXE
O4 - User Startup: Cookies Manager.lnk = C:\Program Files\Cookies Manager.exe
O4 - User Startup: TimeSync.lnk = C:\Program Files\TSYN.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Personal.lnk = C:\Program Files\Personal\bin\Personal.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1134464059640
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = guywild.net
O17 - HKLM\Software\..\Telephony: DomainName = guywild.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{541B8DD7-1DE8-480A-ADD2-11B4AA90B3BD}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4C26EA1-4AA8-4757-8E12-23A7F5852342}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = guywild.net
O17 - HKLM\System\CS1\Services\Tcpip\..\{541B8DD7-1DE8-480A-ADD2-11B4AA90B3BD}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = guywild.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{541B8DD7-1DE8-480A-ADD2-11B4AA90B3BD}: NameServer = 192.168.0.1
O23 - Service: Asset Management Daemon - Unknown owner - C:\Program Files\Portrait Displays\PerfectSuite\dtsslsrv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Portrait Displays\PerfectSuite\DTSRVC.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Ewido\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


All the best!
guy_wild

#6 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:11:09 AM

Posted 19 February 2006 - 07:16 PM

Hi guy_wild. That was a very interesting comparison between the Safe Mode HJT log and the Normal Mode one.

Anyway, I see that you have Ewido installed here. Let's do an update and then let Ewido do a Safe Mode scan. It should be able to take care of all of these little buggers.

Step #1

Start Ewido and do an update. When the update is complete close the program (do not run it yet).

Step #2

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #3

Start ewido and do the following:
  • Click on the Scanner button.
  • Click on the Complete System Scan.
  • If anything is found you will be prompted to clean the first infected file found. Choose Clean and put a checkmark in the checkbox for Perform action on all infections and click the Ok button to continue the scan.
  • When the scan is complete close ewido and reboot the computer normally.
Post the Ewido log back here and I will review it when it comes in. Whatever Ewido does not clean up we can finish up later.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#7 guy_wild

guy_wild
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:09 AM

Posted 20 February 2006 - 04:11 AM

Hi again OldTimer.

In what way was the Safe/Normal mode Hijack logs interesting? If you have the time feel free to elaborate.

Anyway, it seems like Ewido took care of the malware files whilst in safe mode. So I guess the trick was to delete them in safe mode. What I'm curious about is exactly what file does what, and what happens once I start in normal mode.

So, here is the Ewido log, it didn't find any files I wasn't aware of, but hopefully it got the all in one sweep.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 09:49:59, 2006-02-20
+ Report-Checksum: 660256A4

+ Scan result:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ozph.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\WINDOWS\system32\ipqonap.dll -> Downloader.Qoologic.az : Cleaned with backup
C:\WINDOWS\system32\jvksdcv.exe -> Trojan.Pakes : Cleaned with backup
C:\WINDOWS\system32\kmgew.dll -> Downloader.Small : Cleaned with backup
C:\WINDOWS\system32\payick.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\WINDOWS\system32\wuqak.dat -> Downloader.Qoologic.at : Cleaned with backup


::Report End


Now I'll do some restarts in both safe and normal mode to see if the files will be created again. I'll post bake here a litle later. Just gotta finish breakfast first.

All the best
guy_wild

#8 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:11:09 AM

Posted 20 February 2006 - 09:03 PM

Hi guy_wild. It was interesting because the ozph.exe showed up in a Safe Mode boot but not in the normal boot. That usually doesn't happen.

Anyway, let me know what you find. How are things running now? Any more problems?

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#9 guy_wild

guy_wild
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:09 AM

Posted 21 February 2006 - 05:02 AM

Yup. That struck me as a little odd. Have you dissassembled these files in order to find out how they work and what they do?

The only thing now is that I have a reference to ozph.exe in the registry:
HKCU\Software\Microsoft\Windows\NoShellRoam\MIUCache contains the string:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ozph.exe with the value of ozph.

Perhaps its just a leftover, I'll delete it manually and see if it comes back. Other than that my system seems just fine.

Thanks again a million times.
guy_wild

#10 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:11:09 AM

Posted 22 February 2006 - 05:06 PM

Hi guy_wild. Yes, go ahead and delete that registry entry and then let's finish things up.

We have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
  • CHECK the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Next, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
  • Turn off System Restore.
    • On the Desktop, right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • CHECK Turn off System Restore.
    • Click Apply, and then click OK.
  • Restart your computer.
  • Turn ON System Restore.
    • On the Desktop, right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • UN-Check Turn off System Restore.
    • Click Apply, and then click OK.
System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should definitely have a good antivirus to stop infections before they can start and spread. Here are 3 free anti-virus programs that are available for personal use (I use each of these on various machines and they are all good):You should also have a good firewall for blocking unwanted access to and from your computer. These also are free for personal use:It is best to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit Microsoft Windows Update monthly. Microsoft puts out new updates on the 2nd Tuesday of every month so be sure to check regularly.

And to keep your system clean be aware of what emails you open, what websites you visit, and update and run these free malware scanners once a week:To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?

Have a safe and happy computing day!

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#11 guy_wild

guy_wild
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:09 AM

Posted 23 February 2006 - 03:48 AM

Some feedback on your last post.

I always have systen/hidden files visible ... and file extention on. It's an old habit from when you had to access those files (NT 3.1/3.5/3.51 f ex).

I don't waste resources on the System Restore service. Instead I Ghost my system on a regular basis.

Ok, I use SpyBot's SDHelper and TeaTimer. Could you elaborate a little on the differenes betreen SpyWare Blaster (wich I use) and SpywareGuard. Does SWBlaster work as a resident program? I don't see it in the process list.

Otherwise I use Sygate Personal FW and Norton AV.

#12 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:11:09 AM

Posted 23 February 2006 - 06:50 PM

Hi guy_wild. SpywareGuard is a resident program to detect spyware installations and activity. SpywareBlaster is not a resident program. It simply maintains a list of known sites and adds them to the Restricted Sites of the Security Zone.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users