Cpu Running @ 100 %


This topic is locked
8 replies to this topic

#1 docturny (Members, 11 posts)

Posted 27 June 2006 - 02:10 PM

Already ran Adaware, windows defender, norton antivirus, tuneup software (repaired and optimized registry) and spybot; solved many problems. Found and fixed many problems... but CPU running at 100%, can't figure out why.

Logfile of HijackThis v1.99.1
Scan saved at 11:00:07 AM, on 6/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\DOCUME~1\TECHSU~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\bfmip.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,mbtmawt.exe
O2 - BHO: Oddbot - {2B896072-F6E3-4FF7-ADE6-43D5BEC6557C} - C:\WINDOWS\system32\nodeipproc.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\webhdll.dll' missing
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1147475107638
O20 - AppInit_DLLs: C:\WINDOWS\system32\services.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

Thank You
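Pulling the persistence entries out of that log mechanically, as an added example that is not part of the original post or of HijackThis: the script below parses the F2, O2, O10, O15 and O20 lines copied from the log above and flags the ones that hand control to an extra program at logon (Winlogon Shell/UserInit), add domains to Internet Explorer's Trusted zone, or load a DLL into every process (AppInit_DLLs). Because a HijackThis "Fix checked" only removes the registry entry, it also lists the files those entries point at so they can be dealt with on disk. The rules are this example's own heuristics, not anything HijackThis does.

```python
"""Flag persistence-related entries in a HijackThis v1.99 log.

Added example, not part of the original post or of HijackThis itself.
SAMPLE_LOG is a subset of the lines from the first log in this thread;
the rules below are this example's own heuristics.
"""
import re
from typing import List, NamedTuple

SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\bfmip.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,mbtmawt.exe
O2 - BHO: Oddbot - {2B896072-F6E3-4FF7-ADE6-43D5BEC6557C} - C:\WINDOWS\system32\nodeipproc.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O10 - Broken Internet access because of LSP provider 'c:\windows\webhdll.dll' missing
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O20 - AppInit_DLLs: C:\WINDOWS\system32\services.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# A BHO living under the Windows directory rather than under Program Files
# is unusual enough to be worth a look (heuristic, not a rule of HijackThis).
WIN_DIR = re.compile(r"^[a-z]:\\windows\\", re.IGNORECASE)
F2_RE = re.compile(r"REG:system\.ini: (Shell|UserInit)=(.*)")
LSP_RE = re.compile(r"LSP provider '([^']+)'")


class Finding(NamedTuple):
    section: str   # HijackThis section code, e.g. "F2"
    reason: str
    artifact: str  # file or domain the registry entry points at


def _split_programs(value: str) -> List[str]:
    return [p.strip() for p in value.split(",") if p.strip()]


def analyse(log: str) -> List[Finding]:
    found: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        section, _, body = line.partition(" - ")

        if section == "F2":
            # Winlogon Shell / UserInit: every program listed runs at logon.
            m = F2_RE.match(body)
            if not m:
                continue
            key, programs = m.group(1), m.group(2)
            expected = "explorer.exe" if key == "Shell" else "userinit.exe"
            for program in _split_programs(programs):
                # A bare name (no directory) is resolved from the search path,
                # which is why "mbtmawt.exe" works without a full path.
                if program.lower().rsplit("\\", 1)[-1] != expected:
                    found.append(Finding(section, f"extra program in Winlogon {key}", program))

        elif section == "O2":
            # Browser Helper Object: loaded into every Internet Explorer process.
            dll = body.rsplit(" - ", 1)[-1]
            if WIN_DIR.match(dll):
                found.append(Finding(section, "BHO loaded from the Windows directory", dll))

        elif section == "O10":
            m = LSP_RE.search(body)
            if m:
                found.append(Finding(section, "Winsock LSP chain references a missing DLL", m.group(1)))

        elif section == "O15" and body.startswith("Trusted Zone: "):
            # Domains here get IE's relaxed Trusted-sites security settings.
            domain = body[len("Trusted Zone: "):].replace(" (HKLM)", "")
            found.append(Finding(section, "domain added to IE Trusted zone", domain))

        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is loaded into every process that loads user32.dll.
            dll = body.partition(":")[2].strip()
            if dll:
                found.append(Finding(section, "DLL injected via AppInit_DLLs", dll))
    return found


def referenced_files(findings: List[Finding]) -> List[str]:
    """Files that survive a registry-only fix and still need removing by hand.

    O10 is left out: its DLL is already gone, and the repair there is
    rebuilding the Winsock catalog, not deleting a file.
    """
    return sorted({f.artifact for f in findings if f.section in ("F2", "O2", "O20")})


if __name__ == "__main__":
    findings = analyse(SAMPLE_LOG)
    for f in findings:
        print(f"{f.section:4} {f.reason:45} {f.artifact}")
    print("files to check on disk:", referenced_files(findings))
```

The O23 service line and the Winlogon Notify entry pass through untouched: the script only scores the sections whose meaning is unambiguous, and leaves the judgement on services and vendor DLLs to the person reading the log.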


#2 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 27 June 2006 - 06:06 PM

Hello,

It looks like you have been fixing in hijackthis yourself?

From what I can see, you were dealing with a lot of malware and still are. Problem is, when you fix in hijackthis yourself, the related files should get deleted as well. Fixing in hijackthis is only deleting keys in the registry. So I can't see anymore what is still present or what isn't.

First of all, you didn't unzip/extract hijackthis, and it's still in the temp folder.
So I strongly advise to unzip/extract hijackthis.zip.
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Create a permanent folder and move hijackthis.exe into it. The reason is that hijackthis creates backups, and when it's in your temp folder they can be accidentally deleted.
How do you make a permanent folder:

Click My Computer, then C:\ and then on Program Files.
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis".
Now you have C:\Program Files\HijackThis. Put your HijackThis.exe there.

It is important you don't miss a step and perform everything in the right order!!

Go to start > controlpanel > software > add/remove programs and uninstall the following if present:

Oin
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin
Cowabanga by OIN
or anything similar with Oin in it.
Webhancer


If OIN is not listed, download and run this uninstaller.

Reboot when done! Really important!

* Download Brute Force Uninstaller.
Unzip it to a folder of its own (c:\BFU).
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Start the Brute Force Uninstaller by doubleclicking BFU.exe

Next to the 'scriptfile to execute'-window you'll see a little icon as shown in the next picture: [image not reproduced]
When you click that icon, a little window will open that says: 'Please enter the full URL to the script you want to execute'
In the field, copy and paste the following URL:

http://metallica.geekstogo.com/alcanshorty.bfu

Click Ok.
Then click execute in Brute Force Uninstaller.

Extra note:
If nothing happens after pressing the Execute button, this means that the script didn't download. In that case, download the script
(alcanshorty.bfu) manually from the above URL (right-click on it, choose 'Save as' and save it in your BFU folder). Then start BFU.exe again and click the browse button next to the 'scriptfile to execute'-window
Browse to the script you downloaded and Click Ok and Execute in Brute Force Uninstaller.


Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

-------------------------

* Download Combofix to your desktop.
Double-click combo.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot, it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.

#3 docturny (Topic Starter, Members, 11 posts)

Posted 28 June 2006 - 01:33 PM

Sir,

Followed your instructions to the letter, including proper extraction. Please find enclosed the two log files.

Logfile of HijackThis v1.99.1
Scan saved at 11:17:52 AM, on 6/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\hijackthis\HijackThis.exe

O2 - BHO: Oddbot - {2B896072-F6E3-4FF7-ADE6-43D5BEC6557C} - C:\WINDOWS\system32\nodeipproc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\webhdll.dll' missing
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1147475107638
O20 - AppInit_DLLs: C:\WINDOWS\system32\services.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe



Start Time= Tue 06/27/2006 17:16:23.96
Running from: C:\Documents and Settings\Tech Support\Desktop

(((((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))

17:19:50.93

Not all files found by this method are bad. There may be legitimate files found
This log should be examined by a trained analyst


* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *


C:\WINDOWS\system32\lvvepr.exe
C:\WINDOWS\system32\lvvepr.exe
C:\WINDOWS\system32\bfmip.exe
C:\WINDOWS\SYSTEM32\MBTMAWT.EXE


* * * PRE-RUN - Filepaths extracted by Memory Dump * * * * * * * * * * * * * * * * * * * * * *


C:\WINDOWS\system32\rdvehae.dll
C:\WINDOWS\system32\rdvehae.dll
C:\WINDOWS\system32\qtkhc.dat
C:\WINDOWS\system32\mbtmawt.exe
C:\WINDOWS\system32\lvvepr.exe
C:\WINDOWS\system32\lvvepr.exe
C:\WINDOWS\system32\lvvepr.exe
C:\WINDOWS\system32\bfmip.exe
C:\WINDOWS\jqdkh.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ddifv.exe


* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-06-25 11:59:08 127,488 "C:\WINDOWS\system32\lvvepr.exe"
2006-06-25 11:59:08 28,672 "C:\WINDOWS\system32\bfmip.exe"
2006-05-09 22:23:00 55,808 "C:\WINDOWS\system32\extmgr.dll"
2006-05-09 22:23:00 96,256 "C:\WINDOWS\system32\inseng.dll"
2006-05-19 08:08:32 3,052,544 "C:\WINDOWS\system32\mshtml.dll"
2006-05-09 22:23:02 532,480 "C:\WINDOWS\system32\mstime.dll"
2006-05-09 22:23:02 613,888 "C:\WINDOWS\system32\urlmon.dll"
2006-06-25 11:59:08 23,552 "C:\WINDOWS\system32\mbtmawt.exe"
2006-06-21 16:44:32 115,246 "C:\WINDOWS\system32\ts_chad.exe"
2006-05-09 22:23:00 151,040 "C:\WINDOWS\system32\cdfview.dll"
2006-05-09 22:23:00 357,888 "C:\WINDOWS\system32\dxtmsft.dll"
2006-05-09 22:23:00 205,312 "C:\WINDOWS\system32\dxtrans.dll"
2006-05-09 22:23:00 251,392 "C:\WINDOWS\system32\iepeers.dll"
2006-06-01 11:47:08 163,840 "C:\WINDOWS\system32\jgdw400.dll"
2006-06-01 11:47:08 27,648 "C:\WINDOWS\system32\jgpl400.dll"
2006-05-17 22:24:26 450,560 "C:\WINDOWS\system32\jscript.dll"
2006-05-09 22:23:00 16,384 "C:\WINDOWS\system32\jsproxy.dll"
2006-05-09 22:23:02 39,424 "C:\WINDOWS\system32\pngfilt.dll"
2006-06-25 11:59:08 51,712 "C:\WINDOWS\system32\rdvehae.dll"
2006-05-29 08:30:34 1,494,016 "C:\WINDOWS\system32\shdocvw.dll"
2006-05-09 22:23:02 474,112 "C:\WINDOWS\system32\shlwapi.dll"
2006-05-09 22:23:04 658,432 "C:\WINDOWS\system32\wininet.dll"
2006-06-25 12:05:10 380,928 "C:\WINDOWS\system32\WinNB58.dll"
2006-05-09 22:23:00 1,054,208 "C:\WINDOWS\system32\danim.dll"
2006-04-11 00:09:24 78,848 "C:\WINDOWS\system32\nslCC.dll"
2006-05-20 15:51:16 278,528 "C:\WINDOWS\system32\pncrt.dll"
2006-06-25 11:59:08 127,488 "C:\WINDOWS\system32\qtkhc.dat"
2006-06-25 12:35:14 303 "C:\WINDOWS\jqdkh.dll"
2006-06-25 11:58:50 53 "C:\WINDOWS\nbbovo.dat"
2006-06-25 11:59:06 127,488 "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ddifv.exe"


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


06/25/2006 11:59 AM 127,488 qtkhc.dat.vir
06/25/2006 11:59 AM 127,488 ddifv.exe.vir
06/25/2006 11:59 AM 127,488 lvvepr.exe.vir
06/25/2006 11:59 AM 51,712 rdvehae.dll.vir
06/25/2006 11:59 AM 28,672 bfmip.exe.vir
06/25/2006 11:59 AM 23,552 mbtmawt.exe.vir
06/25/2006 11:58 AM 53 nbbovo.dat.vir


DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


* * * POST-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-06-21 16:44:32 115,246 "C:\WINDOWS\system32\ts_chad.exe"
2006-05-09 22:23:00 151,040 "C:\WINDOWS\system32\cdfview.dll"
2006-05-09 22:23:00 357,888 "C:\WINDOWS\system32\dxtmsft.dll"
2006-05-09 22:23:00 205,312 "C:\WINDOWS\system32\dxtrans.dll"
2006-05-09 22:23:00 251,392 "C:\WINDOWS\system32\iepeers.dll"
2006-06-01 11:47:08 163,840 "C:\WINDOWS\system32\jgdw400.dll"
2006-06-01 11:47:08 27,648 "C:\WINDOWS\system32\jgpl400.dll"
2006-05-17 22:24:26 450,560 "C:\WINDOWS\system32\jscript.dll"
2006-05-09 22:23:00 16,384 "C:\WINDOWS\system32\jsproxy.dll"
2006-05-09 22:23:02 39,424 "C:\WINDOWS\system32\pngfilt.dll"
2006-05-29 08:30:34 1,494,016 "C:\WINDOWS\system32\shdocvw.dll"
2006-05-09 22:23:02 474,112 "C:\WINDOWS\system32\shlwapi.dll"
2006-05-09 22:23:04 658,432 "C:\WINDOWS\system32\wininet.dll"
2006-06-25 12:05:10 380,928 "C:\WINDOWS\system32\WinNB58.dll"
2006-05-09 22:23:00 55,808 "C:\WINDOWS\system32\extmgr.dll"
2006-05-09 22:23:00 96,256 "C:\WINDOWS\system32\inseng.dll"
2006-05-19 08:08:32 3,052,544 "C:\WINDOWS\system32\mshtml.dll"
2006-05-09 22:23:02 532,480 "C:\WINDOWS\system32\mstime.dll"
2006-05-09 22:23:02 613,888 "C:\WINDOWS\system32\urlmon.dll"
2006-05-09 22:23:00 1,054,208 "C:\WINDOWS\system32\danim.dll"
2006-04-11 00:09:24 78,848 "C:\WINDOWS\system32\nslCC.dll"
2006-05-20 15:51:16 278,528 "C:\WINDOWS\system32\pncrt.dll"
2006-06-25 12:35:14 303 "C:\WINDOWS\jqdkh.dll"
2006-06-25 11:59:06 127,488 "C:\RECYCLER\NPROTECT\00045081.VIR"
2006-06-25 11:59:08 28,672 "C:\RECYCLER\NPROTECT\00045084.VIR"
2006-06-25 11:59:08 127,488 "C:\RECYCLER\NPROTECT\00045086.VIR"
2006-06-25 11:59:08 23,552 "C:\RECYCLER\NPROTECT\00045088.VIR"
2006-06-25 11:59:08 127,488 "C:\RECYCLER\NPROTECT\00045091.VIR"
2006-06-25 11:59:08 51,712 "C:\RECYCLER\NPROTECT\00045093.VIR"


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-06-27 16:25:38 ( .D... ) "C:\Program Files\WinZip"
2006-06-27 12:49:24 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-06-26 17:06:00 ( .D... ) "C:\Program Files\TuneUp Utilities 2006"
2006-06-26 17:06:00 ( .D... ) "C:\Documents and Settings\Tech Support\Application Data\TuneUp Software"
2006-06-26 16:57:16 ( .D... ) "C:\Documents and Settings\Tech Support\Application Data\AOL"
2006-06-26 16:54:40 ( .D... ) "C:\Documents and Settings\Tech Support\Application Data\Identities"
2006-06-26 16:53:28 ( .DS.. ) "C:\Documents and Settings\Tech Support\Application Data\Microsoft"
2006-06-26 14:08:00 ( .D... ) "C:\Program Files\Common Files\Wise Installation Wizard"
2006-06-25 21:43:26 157696 ( A.... ) "C:\WINDOWS\system32\rmoc3260.dll"
2006-06-25 21:36:20 ( .D... ) "C:\Program Files\Common Files\AolCoach"
2006-06-25 21:31:00 ( .D... ) "C:\Program Files\America Online 9.0a"
2006-06-25 12:35:14 303 ( A.... ) "C:\WINDOWS\jqdkh.dll"
2006-06-25 12:05:10 380928 ( A.... ) "C:\WINDOWS\system32\WinNB58.dll"
2006-06-25 12:00:38 93634 ( A.SH. ) "C:\Program Files\Common Files\Yazzle1119OinUninstaller.exe"
2006-06-25 12:00:20 32768 ( A.... ) "C:\WINDOWS\unstall.exe"
2006-06-25 12:00:18 81920 ( A.... ) "C:\WINDOWS\system32\services.dll"
2006-06-25 11:59:58 32976 ( A.... ) "C:\WINDOWS\system32\uninstIcn.exe"
2006-06-25 11:59:54 53120 ( A.... ) "C:\WINDOWS\optimize.exe"
2006-06-25 11:59:50 359570 ( A.... ) "C:\WINDOWS\chad_bundle.exe"
2006-06-25 11:59:36 5632 ( A.... ) "C:\WINDOWS\pi1_36.exe"
2006-06-25 11:59:34 42944 ( A.... ) "C:\WINDOWS\pop06ap2.exe"
2006-06-25 11:59:30 ( .D... ) "C:\Program Files\oeoi"
2006-06-25 11:59:26 178726 ( A.... ) "C:\WINDOWS\YazzleBundle-1119.exe"
2006-06-25 11:58:58 359634 ( A.... ) "C:\WINDOWS\media_motor_bundle.exe"
2006-06-21 16:44:32 115246 ( A.... ) "C:\WINDOWS\system32\ts_chad.exe"
2006-06-21 16:43:42 235165 ( A.... ) "C:\WINDOWS\system32\icon_chad.exe"
2006-06-21 15:38:40 235228 ( A.... ) "C:\WINDOWS\system32\icon_mediamotor.exe"
2006-06-21 15:38:16 115239 ( A.... ) "C:\WINDOWS\system32\ts_mediamotor.exe"
2006-06-20 17:55:26 389120 ( A.... ) "C:\WINDOWS\system32\nodeipproc.dll"
2006-06-11 14:13:58 ( .D... ) "C:\Program Files\Common Files\Adobe"
2006-06-11 14:10:34 ( .D... ) "C:\Program Files\Adobe"
2006-06-09 17:01:54 ( .D... ) "C:\Program Files\MySpace"
2006-06-08 18:19:50 5967776 ( A.... ) "C:\WINDOWS\system32\MRT.exe"
2006-06-07 15:12:40 ( .D... ) "C:\Program Files\Yahoo!"
2006-06-03 19:58:08 ( .D... ) "C:\Program Files\Common Files\Kodak"
2006-06-03 19:52:24 ( .D... ) "C:\Program Files\Kodak"
2006-06-01 11:47:08 163840 ( A.... ) "C:\WINDOWS\system32\jgdw400.dll"
2006-06-01 11:47:08 27648 ( A.... ) "C:\WINDOWS\system32\jgpl400.dll"
2006-05-29 08:30:34 1494016 ( A.... ) "C:\WINDOWS\system32\shdocvw.dll"
2006-05-25 18:00:20 ( .D... ) "C:\Program Files\iTunes"
2006-05-25 18:00:20 ( .D... ) "C:\Program Files\iPod"
2006-05-20 16:04:14 10920 ( A.... ) "C:\aolconnfix.exe"
2006-05-20 15:53:58 ( .D... ) "C:\Program Files\Common Files\aolback"
2006-05-20 15:52:40 ( .D... ) "C:\Program Files\Common Files\Nullsoft"
2006-05-20 15:51:54 ( .D... ) "C:\Program Files\QuickTime"
2006-05-20 15:51:18 6656 ( A.... ) "C:\WINDOWS\system32\pndx5016.dll"
2006-05-20 15:51:18 5632 ( A.... ) "C:\WINDOWS\system32\pndx5032.dll"
2006-05-20 15:51:18 ( .D... ) "C:\Program Files\Real"
2006-05-20 15:51:16 278528 ( A.... ) "C:\WINDOWS\system32\pncrt.dll"
2006-05-20 15:51:16 ( .D... ) "C:\Program Files\Common Files\Real"
2006-05-20 15:50:44 ( .D... ) "C:\Program Files\Viewpoint"
2006-05-20 15:50:36 ( .D... ) "C:\Program Files\Pure Networks"
2006-05-20 15:50:18 ( .D... ) "C:\Program Files\AOL Toolbar"
2006-05-20 15:50:12 ( .D... ) "C:\Program Files\AOL Deskbar"
2006-05-20 15:48:56 ( .D... ) "C:\Program Files\Common Files\aolshare"
2006-05-20 15:48:56 ( .D... ) "C:\Program Files\America Online 9.0"
2006-05-20 15:48:26 ( .D... ) "C:\Program Files\Common Files\AOL"
2006-05-20 15:10:46 ( .D... ) "C:\Program Files\ANI"
2006-05-20 15:10:20 ( .D... ) "C:\Program Files\D-Link"
2006-05-19 08:08:32 3052544 ( A.... ) "C:\WINDOWS\system32\mshtml.dll"
2006-05-17 22:24:26 450560 ( A.... ) "C:\WINDOWS\system32\jscript.dll"
2006-05-12 17:25:30 ( .D... ) "C:\Program Files\SymNetDrv"
2006-05-12 17:20:18 ( .D... ) "C:\Program Files\Symantec"
2006-05-12 17:20:04 ( .D... ) "C:\Program Files\Norton AntiVirus"
2006-05-12 17:20:04 ( .D... ) "C:\Program Files\Common Files\Symantec Shared"
2006-05-12 17:17:30 ( .D... ) "C:\Program Files\Windows Defender"
2006-05-12 17:16:24 ( .D... ) "C:\Program Files\Lavasoft"
2006-05-12 17:00:42 47564 ( A.SHR ) "C:\NTDETECT.COM"
2006-05-12 15:53:00 ( .D... ) "C:\Program Files\Microsoft Visual Studio"
2006-05-12 15:52:58 ( .D... ) "C:\Program Files\Common Files\Designer"
2006-05-12 15:51:48 ( .D... ) "C:\Program Files\Snapshot Viewer"
2006-05-12 15:51:02 ( .D... ) "C:\Program Files\Microsoft Office"
2006-05-12 15:43:52 ( .D... ) "C:\Program Files\Intel"
2006-05-12 15:41:54 ( .D... ) "C:\Program Files\Analog Devices"
2006-05-12 14:43:32 ( .D.H. ) "C:\Program Files\InstallShield Installation Information"
2006-05-12 14:43:22 ( .D... ) "C:\Program Files\Broadcom"
2006-05-12 14:43:14 ( .D... ) "C:\Program Files\Common Files\InstallShield"
2006-05-12 14:19:26 ( .D.H. ) "C:\Program Files\Uninstall Information"
2006-05-12 14:13:28 ( .D... ) "C:\Program Files\xerox"
2006-05-12 14:13:28 ( .D... ) "C:\Program Files\microsoft frontpage"
2006-05-12 14:12:58 0 ( A.... ) "C:\AUTOEXEC.BAT"
2006-05-12 14:10:44 ( .D... ) "C:\Program Files\Movie Maker"
2006-05-12 14:10:22 ( .D... ) "C:\Program Files\Windows Media Player"
2006-05-12 14:10:18 ( .D... ) "C:\Program Files\NetMeeting"
2006-05-12 14:10:16 ( .D... ) "C:\Program Files\Common Files\Services"
2006-05-12 14:10:12 ( .D... ) "C:\Program Files\Outlook Express"
2006-05-12 14:10:10 ( .D... ) "C:\Program Files\Common Files\MSSoap"
2006-05-12 14:10:06 ( .D... ) "C:\Program Files\Common Files\System"
2006-05-12 14:10:02 ( .D... ) "C:\Program Files\Internet Explorer"
2006-05-12 14:09:12 ( .D... ) "C:\Program Files\ComPlus Applications"
2006-05-12 14:08:54 ( .D.H. ) "C:\Program Files\WindowsUpdate"
2006-05-12 14:08:54 ( .D... ) "C:\Program Files\Online Services"
2006-05-12 14:08:46 ( .D... ) "C:\Program Files\Messenger"
2006-05-12 14:08:42 ( .D... ) "C:\Program Files\MSN"
2006-05-12 14:08:38 ( .D... ) "C:\Program Files\MSN Gaming Zone"
2006-05-12 14:08:30 ( .D... ) "C:\Program Files\Windows NT"
2006-05-12 06:50:42 ( .D... ) "C:\Program Files\Common Files\ODBC"
2006-05-12 06:50:38 ( .D... ) "C:\Program Files\Common Files\SpeechEngines"
2006-05-12 06:50:38 ( .D... ) "C:\Program Files\Common Files\Microsoft Shared"
2006-05-12 06:50:38 ( .D... ) "C:\Program Files\Common Files"
2006-05-12 06:50:16 62 ( A.SH. ) "C:\Documents and Settings\Tech Support\Application Data\desktop.ini"
2006-05-11 01:23:24 24576 ( A.... ) "C:\WINDOWS\system32\xpsp3res.dll"
2006-05-09 22:23:04 658432 ( A.... ) "C:\WINDOWS\system32\wininet.dll"
2006-05-09 22:23:02 613888 ( A.... ) "C:\WINDOWS\system32\urlmon.dll"
2006-05-09 22:23:02 532480 ( A.... ) "C:\WINDOWS\system32\mstime.dll"
2006-05-09 22:23:02 474112 ( A.... ) "C:\WINDOWS\system32\shlwapi.dll"
2006-05-09 22:23:02 448512 ( A.... ) "C:\WINDOWS\system32\mshtmled.dll"
2006-05-09 22:23:02 146432 ( A.... ) "C:\WINDOWS\system32\msrating.dll"
2006-05-09 22:23:02 39424 ( A.... ) "C:\WINDOWS\system32\pngfilt.dll"
2006-05-09 22:23:00 1054208 ( A.... ) "C:\WINDOWS\system32\danim.dll"
2006-05-09 22:23:00 1022976 ( A.... ) "C:\WINDOWS\system32\browseui.dll"
2006-05-09 22:23:00 357888 ( A.... ) "C:\WINDOWS\system32\dxtmsft.dll"
2006-05-09 22:23:00 251392 ( A.... ) "C:\WINDOWS\system32\iepeers.dll"
2006-05-09 22:23:00 205312 ( A.... ) "C:\WINDOWS\system32\dxtrans.dll"
2006-05-09 22:23:00 151040 ( A.... ) "C:\WINDOWS\system32\cdfview.dll"
2006-05-09 22:23:00 96256 ( A.... ) "C:\WINDOWS\system32\inseng.dll"
2006-05-09 22:23:00 55808 ( ..... ) "C:\WINDOWS\system32\extmgr.dll"
2006-05-09 22:23:00 16384 ( A.... ) "C:\WINDOWS\system32\jsproxy.dll"
2006-04-24 15:40:00 4730880 ( A.... ) "C:\WINDOWS\system32\wmp.dll"
2006-04-11 00:09:24 78848 ( A.... ) "C:\WINDOWS\system32\nslCC.dll"


((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
@=""
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"hkhwq"="C:\\WINDOWS\\system32\\lvvepr.exe reg_run"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,12,03,00,00,23,00,00,00,dc,00,00,00,d2,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ANIWZCS2Service"="C:\\Program Files\\ANI\\ANIWZCS2 Service\\WZCSLDR2.exe"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1148165339\\EE\\AOLHostManager.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"
"UIUCU"="C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\UIUCU.EXE -CLEAN_UP -S"
"D-Link AirPlus G"="C:\\Program Files\\D-Link\\AirPlus G\\AirGCFG.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"knavpp"="C:\\WINDOWS\\system32\\lvvepr.exe reg_run"
"BCMSMMSG"="BCMSMMSG.exe"
"Advanced Tools Check"="C:\\PROGRA~1\\NORTON~1\\AdvTools\\ADVCHK.EXE"
"pop06ap"="C:\\WINDOWS\\pop06ap2.exe"
"Pure Networks Port Magic"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe\" -Run"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Tue 06/27/2006 18:10:19.87
ComboFix ver 06.06.26 - This logfile is located at C:\ComboFix.txt
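One thing that jumps out of the Qoologic "Filepaths from Locate" listing above is that lvvepr.exe, qtkhc.dat and ddifv.exe are all 127,488 bytes and were written within two seconds of each other: one binary dropped under three random names and two different extensions, with the .dat copy sitting in system32 and the .exe copy in the all-users Startup folder. As an added example (not part of the original post or of ComboFix), the script below parses a subset of those lines and automates that observation: it groups files of identical size written close together, and separately finds bursts of files created within one minute. The window sizes are this example's own choices. The 2006-05-09 lines are included deliberately: they are Internet Explorer component DLLs sharing one timestamp, as an update leaves them, and they form a burst too, which is why the log itself warns that not every file found this way is bad.

```python
"""Cluster files from a ComboFix "Filepaths from Locate" listing.

Added example, not part of the original post or of ComboFix. LOCATE_LINES
is a subset of the PRE-RUN "Filepaths from Locate" lines quoted above; the
window sizes are this example's own choices.
"""
import re
from datetime import datetime
from typing import Dict, List, NamedTuple

LOCATE_LINES = r"""
2006-06-25 11:59:08 127,488 "C:\WINDOWS\system32\lvvepr.exe"
2006-06-25 11:59:08 28,672 "C:\WINDOWS\system32\bfmip.exe"
2006-05-09 22:23:00 151,040 "C:\WINDOWS\system32\cdfview.dll"
2006-05-09 22:23:00 357,888 "C:\WINDOWS\system32\dxtmsft.dll"
2006-05-09 22:23:00 205,312 "C:\WINDOWS\system32\dxtrans.dll"
2006-06-25 11:59:08 23,552 "C:\WINDOWS\system32\mbtmawt.exe"
2006-06-01 11:47:08 163,840 "C:\WINDOWS\system32\jgdw400.dll"
2006-06-01 11:47:08 27,648 "C:\WINDOWS\system32\jgpl400.dll"
2006-06-25 11:59:08 51,712 "C:\WINDOWS\system32\rdvehae.dll"
2006-06-25 11:59:08 127,488 "C:\WINDOWS\system32\qtkhc.dat"
2006-06-25 12:35:14 303 "C:\WINDOWS\jqdkh.dll"
2006-06-25 11:58:50 53 "C:\WINDOWS\nbbovo.dat"
2006-06-25 11:59:06 127,488 "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ddifv.exe"
"""

# date time size "path"  (size has thousands separators in the log)
LINE_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+([\d,]+)\s+"([^"]+)"$')


class Entry(NamedTuple):
    written: datetime
    size: int
    path: str


def parse_locate(text: str) -> List[Entry]:
    """Turn the Locate lines into Entry records; lines in any other shape are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                                 int(m.group(2).replace(",", "")),
                                 m.group(3)))
    return entries


def same_size_clusters(entries: List[Entry], window: int = 120) -> Dict[int, List[str]]:
    """Files of identical size written within `window` seconds of each other.

    A dropper that copies itself under random names produces exactly this
    pattern; the extension can differ (.exe next to .dat), so only size and
    write time are compared, never names.
    """
    by_size: Dict[int, List[Entry]] = {}
    for e in entries:
        by_size.setdefault(e.size, []).append(e)
    clusters: Dict[int, List[str]] = {}
    for size, group in by_size.items():
        if len(group) < 2:
            continue
        times = [e.written for e in group]
        if (max(times) - min(times)).total_seconds() <= window:
            clusters[size] = sorted(e.path for e in group)
    return clusters


def write_bursts(entries: List[Entry], window: int = 60, min_files: int = 3) -> List[List[str]]:
    """Non-overlapping groups of at least `min_files` files written within `window` seconds.

    Bursts are leads, not verdicts: an installer or a patch batch produces
    one just as a bundle dropper does. Groups come back in chronological order.
    """
    ordered = sorted(entries, key=lambda e: e.written)
    bursts: List[List[str]] = []
    i = 0
    while i < len(ordered):
        j = i
        while j < len(ordered) and (ordered[j].written - ordered[i].written).total_seconds() <= window:
            j += 1
        if j - i >= min_files:
            bursts.append([e.path for e in ordered[i:j]])
            i = j
        else:
            i += 1
    return bursts


if __name__ == "__main__":
    entries = parse_locate(LOCATE_LINES)
    for size, paths in same_size_clusters(entries).items():
        print(f"{size} bytes, same payload under {len(paths)} names:")
        for p in paths:
            print("   ", p)
    for burst in write_bursts(entries):
        print(f"{len(burst)} files written within a minute, starting with", burst[0])
```

On this input the size clusters give the three-name payload straight away, while the burst check returns two groups: the IE component batch from 9 May and the seven files dropped between 11:58:50 and 11:59:08 on 25 June. The first is why the second needs a human decision rather than an automatic delete.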

#4 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 28 June 2006 - 02:18 PM

Hello,

Go to this page.
Enter the url of this thread in the first field.
Where it says "Browse to the file that you want to submit", copy and paste the following into the field:

C:\WINDOWS\system32\nodeipproc.dll

Then click the Send File button below.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: Oddbot - {2B896072-F6E3-4FF7-ADE6-43D5BEC6557C} - C:\WINDOWS\system32\nodeipproc.dll
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O20 - AppInit_DLLs: C:\WINDOWS\system32\services.dll


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Go to Start > Run and type cmd.
A DOS window will appear.
Type the following in the DOS window: netsh winsock reset
Hit Enter.

Reboot!!

After reboot,

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Please hide your hidden files and folders again afterwards, when we are done with this thread and your problems are solved, because the above instructions to show all files unhide legitimate files and folders as well, and I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.


Delete the following files and folders:

C:\WINDOWS\jqdkh.dll
C:\WINDOWS\system32\WinNB58.dll
C:\Program Files\Common Files\Yazzle1119OinUninstaller.exe
C:\WINDOWS\unstall.exe
C:\WINDOWS\system32\services.dll <== don't try to delete services.exe !!!!
C:\WINDOWS\system32\uninstIcn.exe
C:\WINDOWS\optimize.exe
C:\WINDOWS\chad_bundle.exe
C:\WINDOWS\pi1_36.exe
C:\WINDOWS\pop06ap2.exe
C:\Program Files\oeoi <== folder
C:\WINDOWS\YazzleBundle-1119.exe
C:\WINDOWS\media_motor_bundle.exe
C:\WINDOWS\system32\ts_chad.exe
C:\WINDOWS\system32\icon_chad.exe
C:\WINDOWS\system32\icon_mediamotor.exe
C:\WINDOWS\system32\ts_mediamotor.exe
C:\WINDOWS\system32\nslCC.dll

Open Notepad and copy and paste the text in the quote box below into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"hkhwq"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"UIUCU"=-
"knavpp"=-
"pop06ap"=-


Save this as fix.reg (choose to save as *all files) and place it on your desktop.
It should look like this: Posted Image
Double-click on it and when it asks you if you want to merge the contents into the registry, click Yes/OK.
In case you still are unsure how to create a reg file, take a look here with screenshots.

I see you disabled some entries from startup.
Can you enable your antivirus and Windows Defender again? These programs need to be present.

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
* Perform an online scan with Panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report together with a new HijackThis log.

Edited by miekiemoes, 28 June 2006 - 02:19 PM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
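
The post above asks the user to read a ComboFix registry dump, pick out the startup values that do not belong, and remove them with a REGEDIT4 script in which `"name"=-` deletes a value. The following Python script is an added example, not part of the thread and not ComboFix, HijackThis or the helper's own code: it parses the `[key]` / `"name"="data"` lines of such a dump, applies a few labelled heuristics a helper applies by eye (a binary launched from a Temp directory, a binary sitting directly in the Windows directory, one binary registered under more than one hive), and emits a removal script in the same shape as the fix.reg in the post. The sample dump is abridged from the log posted earlier in this thread; the heuristics, thresholds and function names are assumptions made for this example.

```python
"""Triage a ComboFix-style registry Run dump and build a REGEDIT4 removal script.

Added example for this thread; not ComboFix, HijackThis or the helper's own code.
The heuristics are simple assumptions for illustration, not a detection product.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: the two "run-" sections from the ComboFix log posted
# earlier in this thread, abridged to a handful of values.
SAMPLE_REG_DUMP = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"UIUCU"="C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\UIUCU.EXE -CLEAN_UP -S"
"knavpp"="C:\\WINDOWS\\system32\\lvvepr.exe reg_run"
"pop06ap"="C:\\WINDOWS\\pop06ap2.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"hkhwq"="C:\\WINDOWS\\system32\\lvvepr.exe reg_run"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
# First token that looks like an executable image, with or without a leading quote.
IMAGE_RE = re.compile(r'^"?(.*?\.(?:exe|com|dll|bat|cmd|scr|pif))', re.IGNORECASE)

TEMP_DIR = 'runs from a temporary directory'
WINDOWS_ROOT = 'executable placed directly in the Windows directory'
SHARED_IMAGE = 'same binary registered under more than one hive/key'


@dataclass
class RunEntry:
    key: str      # registry key the value lives under
    name: str     # value name, e.g. "knavpp"
    command: str  # unescaped command line
    image: str    # executable path extracted from the command line


def unescape(data: str) -> str:
    # Undo .reg export escaping: a doubled backslash and an escaped quote.
    return re.sub(r'\\(.)', r'\1', data)


def image_path(command: str) -> str:
    m = IMAGE_RE.match(command)
    if m:
        return m.group(1)
    parts = command.split()
    return parts[0] if parts else ''


def parse_reg_dump(text: str) -> list:
    """Parse [key] headers and "name"="string" values into RunEntry objects."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        k = KEY_RE.match(line)
        if k:
            key = k.group(1)
            continue
        v = VALUE_RE.match(line)
        if not (v and key):
            continue
        name, data = unescape(v.group(1)), v.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            command = unescape(data[1:-1])  # REG_SZ value; dword/hex values are skipped
            entries.append(RunEntry(key, name, command, image_path(command)))
    return entries


def triage(entries: list) -> dict:
    """Map value names to the heuristic reasons that make them worth a closer look."""
    by_image = defaultdict(set)
    for e in entries:
        by_image[e.image.lower()].add(e.key.lower())
    findings = defaultdict(list)
    for e in entries:
        img = e.image.lower()
        if '\\temp\\' in img or '\\locals~1\\' in img:
            findings[e.name].append(TEMP_DIR)
        if re.fullmatch(r'c:\\windows\\[^\\]+', img):
            findings[e.name].append(WINDOWS_ROOT)
        if len(by_image[img]) > 1:
            findings[e.name].append(SHARED_IMAGE)
    return dict(findings)


def build_removal_reg(entries: list, names) -> str:
    """Emit a REGEDIT4 script deleting the named values ("name"=-), grouped by key."""
    wanted = {n.lower() for n in names}
    sections = defaultdict(list)
    for e in entries:
        if e.name.lower() in wanted:
            sections[e.key].append(e.name)
    lines = ['REGEDIT4', '']
    for key, vals in sections.items():
        lines.append(f'[{key}]')
        lines.extend(f'"{v}"=-' for v in vals)
        lines.append('')
    return '\n'.join(lines)


if __name__ == '__main__':
    found = parse_reg_dump(SAMPLE_REG_DUMP)
    flagged = triage(found)
    for name, reasons in flagged.items():
        print(f'{name}: {"; ".join(reasons)}')
    print(build_removal_reg(found, flagged))
```

Run as-is, the script flags UIUCU (Temp directory), pop06ap (file directly under C:\WINDOWS) and the knavpp/hkhwq pair (the same lvvepr.exe registered under both HKLM and HKCU), and prints a removal script with one `"name"=-` line per flagged value under its own key, as in the post above. The heuristics only mark entries for review; the decision to delete still rests on identifying the file, which is why the post also has the user submit the unknown DLL for analysis first.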

#5 docturny

docturny
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:03:57 AM

Posted 29 June 2006 - 12:48 PM

Thank you for your help, the computer is much better.


Logfile of HijackThis v1.99.1
Scan saved at 10:44:15 AM, on 6/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1147475107638
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe



Start Time= Tue 06/27/2006 17:16:23.96
Running from: C:\Documents and Settings\Tech Support\Desktop

(((((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))

17:19:50.93

Not all files found by this method are bad. There may be legitimate files found
This log should be examined by a trained analyst


* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *


C:\WINDOWS\system32\lvvepr.exe
C:\WINDOWS\system32\lvvepr.exe
C:\WINDOWS\system32\bfmip.exe
C:\WINDOWS\SYSTEM32\MBTMAWT.EXE


* * * PRE-RUN - Filepaths extracted by Memory Dump * * * * * * * * * * * * * * * * * * * * * *


C:\WINDOWS\system32\rdvehae.dll
C:\WINDOWS\system32\rdvehae.dll
C:\WINDOWS\system32\qtkhc.dat
C:\WINDOWS\system32\mbtmawt.exe
C:\WINDOWS\system32\lvvepr.exe
C:\WINDOWS\system32\lvvepr.exe
C:\WINDOWS\system32\lvvepr.exe
C:\WINDOWS\system32\bfmip.exe
C:\WINDOWS\jqdkh.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ddifv.exe


* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-06-25 11:59:08 127,488 "C:\WINDOWS\system32\lvvepr.exe"
2006-06-25 11:59:08 28,672 "C:\WINDOWS\system32\bfmip.exe"
2006-05-09 22:23:00 55,808 "C:\WINDOWS\system32\extmgr.dll"
2006-05-09 22:23:00 96,256 "C:\WINDOWS\system32\inseng.dll"
2006-05-19 08:08:32 3,052,544 "C:\WINDOWS\system32\mshtml.dll"
2006-05-09 22:23:02 532,480 "C:\WINDOWS\system32\mstime.dll"
2006-05-09 22:23:02 613,888 "C:\WINDOWS\system32\urlmon.dll"
2006-06-25 11:59:08 23,552 "C:\WINDOWS\system32\mbtmawt.exe"
2006-06-21 16:44:32 115,246 "C:\WINDOWS\system32\ts_chad.exe"
2006-05-09 22:23:00 151,040 "C:\WINDOWS\system32\cdfview.dll"
2006-05-09 22:23:00 357,888 "C:\WINDOWS\system32\dxtmsft.dll"
2006-05-09 22:23:00 205,312 "C:\WINDOWS\system32\dxtrans.dll"
2006-05-09 22:23:00 251,392 "C:\WINDOWS\system32\iepeers.dll"
2006-06-01 11:47:08 163,840 "C:\WINDOWS\system32\jgdw400.dll"
2006-06-01 11:47:08 27,648 "C:\WINDOWS\system32\jgpl400.dll"
2006-05-17 22:24:26 450,560 "C:\WINDOWS\system32\jscript.dll"
2006-05-09 22:23:00 16,384 "C:\WINDOWS\system32\jsproxy.dll"
2006-05-09 22:23:02 39,424 "C:\WINDOWS\system32\pngfilt.dll"
2006-06-25 11:59:08 51,712 "C:\WINDOWS\system32\rdvehae.dll"
2006-05-29 08:30:34 1,494,016 "C:\WINDOWS\system32\shdocvw.dll"
2006-05-09 22:23:02 474,112 "C:\WINDOWS\system32\shlwapi.dll"
2006-05-09 22:23:04 658,432 "C:\WINDOWS\system32\wininet.dll"
2006-06-25 12:05:10 380,928 "C:\WINDOWS\system32\WinNB58.dll"
2006-05-09 22:23:00 1,054,208 "C:\WINDOWS\system32\danim.dll"
2006-04-11 00:09:24 78,848 "C:\WINDOWS\system32\nslCC.dll"
2006-05-20 15:51:16 278,528 "C:\WINDOWS\system32\pncrt.dll"
2006-06-25 11:59:08 127,488 "C:\WINDOWS\system32\qtkhc.dat"
2006-06-25 12:35:14 303 "C:\WINDOWS\jqdkh.dll"
2006-06-25 11:58:50 53 "C:\WINDOWS\nbbovo.dat"
2006-06-25 11:59:06 127,488 "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ddifv.exe"


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


06/25/2006 11:59 AM 127,488 qtkhc.dat.vir
06/25/2006 11:59 AM 127,488 ddifv.exe.vir
06/25/2006 11:59 AM 127,488 lvvepr.exe.vir
06/25/2006 11:59 AM 51,712 rdvehae.dll.vir
06/25/2006 11:59 AM 28,672 bfmip.exe.vir
06/25/2006 11:59 AM 23,552 mbtmawt.exe.vir
06/25/2006 11:58 AM 53 nbbovo.dat.vir


DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


* * * POST-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-06-21 16:44:32 115,246 "C:\WINDOWS\system32\ts_chad.exe"
2006-05-09 22:23:00 151,040 "C:\WINDOWS\system32\cdfview.dll"
2006-05-09 22:23:00 357,888 "C:\WINDOWS\system32\dxtmsft.dll"
2006-05-09 22:23:00 205,312 "C:\WINDOWS\system32\dxtrans.dll"
2006-05-09 22:23:00 251,392 "C:\WINDOWS\system32\iepeers.dll"
2006-06-01 11:47:08 163,840 "C:\WINDOWS\system32\jgdw400.dll"
2006-06-01 11:47:08 27,648 "C:\WINDOWS\system32\jgpl400.dll"
2006-05-17 22:24:26 450,560 "C:\WINDOWS\system32\jscript.dll"
2006-05-09 22:23:00 16,384 "C:\WINDOWS\system32\jsproxy.dll"
2006-05-09 22:23:02 39,424 "C:\WINDOWS\system32\pngfilt.dll"
2006-05-29 08:30:34 1,494,016 "C:\WINDOWS\system32\shdocvw.dll"
2006-05-09 22:23:02 474,112 "C:\WINDOWS\system32\shlwapi.dll"
2006-05-09 22:23:04 658,432 "C:\WINDOWS\system32\wininet.dll"
2006-06-25 12:05:10 380,928 "C:\WINDOWS\system32\WinNB58.dll"
2006-05-09 22:23:00 55,808 "C:\WINDOWS\system32\extmgr.dll"
2006-05-09 22:23:00 96,256 "C:\WINDOWS\system32\inseng.dll"
2006-05-19 08:08:32 3,052,544 "C:\WINDOWS\system32\mshtml.dll"
2006-05-09 22:23:02 532,480 "C:\WINDOWS\system32\mstime.dll"
2006-05-09 22:23:02 613,888 "C:\WINDOWS\system32\urlmon.dll"
2006-05-09 22:23:00 1,054,208 "C:\WINDOWS\system32\danim.dll"
2006-04-11 00:09:24 78,848 "C:\WINDOWS\system32\nslCC.dll"
2006-05-20 15:51:16 278,528 "C:\WINDOWS\system32\pncrt.dll"
2006-06-25 12:35:14 303 "C:\WINDOWS\jqdkh.dll"
2006-06-25 11:59:06 127,488 "C:\RECYCLER\NPROTECT\00045081.VIR"
2006-06-25 11:59:08 28,672 "C:\RECYCLER\NPROTECT\00045084.VIR"
2006-06-25 11:59:08 127,488 "C:\RECYCLER\NPROTECT\00045086.VIR"
2006-06-25 11:59:08 23,552 "C:\RECYCLER\NPROTECT\00045088.VIR"
2006-06-25 11:59:08 127,488 "C:\RECYCLER\NPROTECT\00045091.VIR"
2006-06-25 11:59:08 51,712 "C:\RECYCLER\NPROTECT\00045093.VIR"


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-06-27 16:25:38 ( .D... ) "C:\Program Files\WinZip"
2006-06-27 12:49:24 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-06-26 17:06:00 ( .D... ) "C:\Program Files\TuneUp Utilities 2006"
2006-06-26 17:06:00 ( .D... ) "C:\Documents and Settings\Tech Support\Application Data\TuneUp Software"
2006-06-26 16:57:16 ( .D... ) "C:\Documents and Settings\Tech Support\Application Data\AOL"
2006-06-26 16:54:40 ( .D... ) "C:\Documents and Settings\Tech Support\Application Data\Identities"
2006-06-26 16:53:28 ( .DS.. ) "C:\Documents and Settings\Tech Support\Application Data\Microsoft"
2006-06-26 14:08:00 ( .D... ) "C:\Program Files\Common Files\Wise Installation Wizard"
2006-06-25 21:43:26 157696 ( A.... ) "C:\WINDOWS\system32\rmoc3260.dll"
2006-06-25 21:36:20 ( .D... ) "C:\Program Files\Common Files\AolCoach"
2006-06-25 21:31:00 ( .D... ) "C:\Program Files\America Online 9.0a"
2006-06-25 12:35:14 303 ( A.... ) "C:\WINDOWS\jqdkh.dll"
2006-06-25 12:05:10 380928 ( A.... ) "C:\WINDOWS\system32\WinNB58.dll"
2006-06-25 12:00:38 93634 ( A.SH. ) "C:\Program Files\Common Files\Yazzle1119OinUninstaller.exe"
2006-06-25 12:00:20 32768 ( A.... ) "C:\WINDOWS\unstall.exe"
2006-06-25 12:00:18 81920 ( A.... ) "C:\WINDOWS\system32\services.dll"
2006-06-25 11:59:58 32976 ( A.... ) "C:\WINDOWS\system32\uninstIcn.exe"
2006-06-25 11:59:54 53120 ( A.... ) "C:\WINDOWS\optimize.exe"
2006-06-25 11:59:50 359570 ( A.... ) "C:\WINDOWS\chad_bundle.exe"
2006-06-25 11:59:36 5632 ( A.... ) "C:\WINDOWS\pi1_36.exe"
2006-06-25 11:59:34 42944 ( A.... ) "C:\WINDOWS\pop06ap2.exe"
2006-06-25 11:59:30 ( .D... ) "C:\Program Files\oeoi"
2006-06-25 11:59:26 178726 ( A.... ) "C:\WINDOWS\YazzleBundle-1119.exe"
2006-06-25 11:58:58 359634 ( A.... ) "C:\WINDOWS\media_motor_bundle.exe"
2006-06-21 16:44:32 115246 ( A.... ) "C:\WINDOWS\system32\ts_chad.exe"
2006-06-21 16:43:42 235165 ( A.... ) "C:\WINDOWS\system32\icon_chad.exe"
2006-06-21 15:38:40 235228 ( A.... ) "C:\WINDOWS\system32\icon_mediamotor.exe"
2006-06-21 15:38:16 115239 ( A.... ) "C:\WINDOWS\system32\ts_mediamotor.exe"
2006-06-20 17:55:26 389120 ( A.... ) "C:\WINDOWS\system32\nodeipproc.dll"
2006-06-11 14:13:58 ( .D... ) "C:\Program Files\Common Files\Adobe"
2006-06-11 14:10:34 ( .D... ) "C:\Program Files\Adobe"
2006-06-09 17:01:54 ( .D... ) "C:\Program Files\MySpace"
2006-06-08 18:19:50 5967776 ( A.... ) "C:\WINDOWS\system32\MRT.exe"
2006-06-07 15:12:40 ( .D... ) "C:\Program Files\Yahoo!"
2006-06-03 19:58:08 ( .D... ) "C:\Program Files\Common Files\Kodak"
2006-06-03 19:52:24 ( .D... ) "C:\Program Files\Kodak"
2006-06-01 11:47:08 163840 ( A.... ) "C:\WINDOWS\system32\jgdw400.dll"
2006-06-01 11:47:08 27648 ( A.... ) "C:\WINDOWS\system32\jgpl400.dll"
2006-05-29 08:30:34 1494016 ( A.... ) "C:\WINDOWS\system32\shdocvw.dll"
2006-05-25 18:00:20 ( .D... ) "C:\Program Files\iTunes"
2006-05-25 18:00:20 ( .D... ) "C:\Program Files\iPod"
2006-05-20 16:04:14 10920 ( A.... ) "C:\aolconnfix.exe"
2006-05-20 15:53:58 ( .D... ) "C:\Program Files\Common Files\aolback"
2006-05-20 15:52:40 ( .D... ) "C:\Program Files\Common Files\Nullsoft"
2006-05-20 15:51:54 ( .D... ) "C:\Program Files\QuickTime"
2006-05-20 15:51:18 6656 ( A.... ) "C:\WINDOWS\system32\pndx5016.dll"
2006-05-20 15:51:18 5632 ( A.... ) "C:\WINDOWS\system32\pndx5032.dll"
2006-05-20 15:51:18 ( .D... ) "C:\Program Files\Real"
2006-05-20 15:51:16 278528 ( A.... ) "C:\WINDOWS\system32\pncrt.dll"
2006-05-20 15:51:16 ( .D... ) "C:\Program Files\Common Files\Real"
2006-05-20 15:50:44 ( .D... ) "C:\Program Files\Viewpoint"
2006-05-20 15:50:36 ( .D... ) "C:\Program Files\Pure Networks"
2006-05-20 15:50:18 ( .D... ) "C:\Program Files\AOL Toolbar"
2006-05-20 15:50:12 ( .D... ) "C:\Program Files\AOL Deskbar"
2006-05-20 15:48:56 ( .D... ) "C:\Program Files\Common Files\aolshare"
2006-05-20 15:48:56 ( .D... ) "C:\Program Files\America Online 9.0"
2006-05-20 15:48:26 ( .D... ) "C:\Program Files\Common Files\AOL"
2006-05-20 15:10:46 ( .D... ) "C:\Program Files\ANI"
2006-05-20 15:10:20 ( .D... ) "C:\Program Files\D-Link"
2006-05-19 08:08:32 3052544 ( A.... ) "C:\WINDOWS\system32\mshtml.dll"
2006-05-17 22:24:26 450560 ( A.... ) "C:\WINDOWS\system32\jscript.dll"
2006-05-12 17:25:30 ( .D... ) "C:\Program Files\SymNetDrv"
2006-05-12 17:20:18 ( .D... ) "C:\Program Files\Symantec"
2006-05-12 17:20:04 ( .D... ) "C:\Program Files\Norton AntiVirus"
2006-05-12 17:20:04 ( .D... ) "C:\Program Files\Common Files\Symantec Shared"
2006-05-12 17:17:30 ( .D... ) "C:\Program Files\Windows Defender"
2006-05-12 17:16:24 ( .D... ) "C:\Program Files\Lavasoft"
2006-05-12 17:00:42 47564 ( A.SHR ) "C:\NTDETECT.COM"
2006-05-12 15:53:00 ( .D... ) "C:\Program Files\Microsoft Visual Studio"
2006-05-12 15:52:58 ( .D... ) "C:\Program Files\Common Files\Designer"
2006-05-12 15:51:48 ( .D... ) "C:\Program Files\Snapshot Viewer"
2006-05-12 15:51:02 ( .D... ) "C:\Program Files\Microsoft Office"
2006-05-12 15:43:52 ( .D... ) "C:\Program Files\Intel"
2006-05-12 15:41:54 ( .D... ) "C:\Program Files\Analog Devices"
2006-05-12 14:43:32 ( .D.H. ) "C:\Program Files\InstallShield Installation Information"
2006-05-12 14:43:22 ( .D... ) "C:\Program Files\Broadcom"
2006-05-12 14:43:14 ( .D... ) "C:\Program Files\Common Files\InstallShield"
2006-05-12 14:19:26 ( .D.H. ) "C:\Program Files\Uninstall Information"
2006-05-12 14:13:28 ( .D... ) "C:\Program Files\xerox"
2006-05-12 14:13:28 ( .D... ) "C:\Program Files\microsoft frontpage"
2006-05-12 14:12:58 0 ( A.... ) "C:\AUTOEXEC.BAT"
2006-05-12 14:10:44 ( .D... ) "C:\Program Files\Movie Maker"
2006-05-12 14:10:22 ( .D... ) "C:\Program Files\Windows Media Player"
2006-05-12 14:10:18 ( .D... ) "C:\Program Files\NetMeeting"
2006-05-12 14:10:16 ( .D... ) "C:\Program Files\Common Files\Services"
2006-05-12 14:10:12 ( .D... ) "C:\Program Files\Outlook Express"
2006-05-12 14:10:10 ( .D... ) "C:\Program Files\Common Files\MSSoap"
2006-05-12 14:10:06 ( .D... ) "C:\Program Files\Common Files\System"
2006-05-12 14:10:02 ( .D... ) "C:\Program Files\Internet Explorer"
2006-05-12 14:09:12 ( .D... ) "C:\Program Files\ComPlus Applications"
2006-05-12 14:08:54 ( .D.H. ) "C:\Program Files\WindowsUpdate"
2006-05-12 14:08:54 ( .D... ) "C:\Program Files\Online Services"
2006-05-12 14:08:46 ( .D... ) "C:\Program Files\Messenger"
2006-05-12 14:08:42 ( .D... ) "C:\Program Files\MSN"
2006-05-12 14:08:38 ( .D... ) "C:\Program Files\MSN Gaming Zone"
2006-05-12 14:08:30 ( .D... ) "C:\Program Files\Windows NT"
2006-05-12 06:50:42 ( .D... ) "C:\Program Files\Common Files\ODBC"
2006-05-12 06:50:38 ( .D... ) "C:\Program Files\Common Files\SpeechEngines"
2006-05-12 06:50:38 ( .D... ) "C:\Program Files\Common Files\Microsoft Shared"
2006-05-12 06:50:38 ( .D... ) "C:\Program Files\Common Files"
2006-05-12 06:50:16 62 ( A.SH. ) "C:\Documents and Settings\Tech Support\Application Data\desktop.ini"
2006-05-11 01:23:24 24576 ( A.... ) "C:\WINDOWS\system32\xpsp3res.dll"
2006-05-09 22:23:04 658432 ( A.... ) "C:\WINDOWS\system32\wininet.dll"
2006-05-09 22:23:02 613888 ( A.... ) "C:\WINDOWS\system32\urlmon.dll"
2006-05-09 22:23:02 532480 ( A.... ) "C:\WINDOWS\system32\mstime.dll"
2006-05-09 22:23:02 474112 ( A.... ) "C:\WINDOWS\system32\shlwapi.dll"
2006-05-09 22:23:02 448512 ( A.... ) "C:\WINDOWS\system32\mshtmled.dll"
2006-05-09 22:23:02 146432 ( A.... ) "C:\WINDOWS\system32\msrating.dll"
2006-05-09 22:23:02 39424 ( A.... ) "C:\WINDOWS\system32\pngfilt.dll"
2006-05-09 22:23:00 1054208 ( A.... ) "C:\WINDOWS\system32\danim.dll"
2006-05-09 22:23:00 1022976 ( A.... ) "C:\WINDOWS\system32\browseui.dll"
2006-05-09 22:23:00 357888 ( A.... ) "C:\WINDOWS\system32\dxtmsft.dll"
2006-05-09 22:23:00 251392 ( A.... ) "C:\WINDOWS\system32\iepeers.dll"
2006-05-09 22:23:00 205312 ( A.... ) "C:\WINDOWS\system32\dxtrans.dll"
2006-05-09 22:23:00 151040 ( A.... ) "C:\WINDOWS\system32\cdfview.dll"
2006-05-09 22:23:00 96256 ( A.... ) "C:\WINDOWS\system32\inseng.dll"
2006-05-09 22:23:00 55808 ( ..... ) "C:\WINDOWS\system32\extmgr.dll"
2006-05-09 22:23:00 16384 ( A.... ) "C:\WINDOWS\system32\jsproxy.dll"
2006-04-24 15:40:00 4730880 ( A.... ) "C:\WINDOWS\system32\wmp.dll"
2006-04-11 00:09:24 78848 ( A.... ) "C:\WINDOWS\system32\nslCC.dll"


((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
@=""
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"hkhwq"="C:\\WINDOWS\\system32\\lvvepr.exe reg_run"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,12,03,00,00,23,00,00,00,dc,00,00,00,d2,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ANIWZCS2Service"="C:\\Program Files\\ANI\\ANIWZCS2 Service\\WZCSLDR2.exe"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1148165339\\EE\\AOLHostManager.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"
"UIUCU"="C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\UIUCU.EXE -CLEAN_UP -S"
"D-Link AirPlus G"="C:\\Program Files\\D-Link\\AirPlus G\\AirGCFG.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"knavpp"="C:\\WINDOWS\\system32\\lvvepr.exe reg_run"
"BCMSMMSG"="BCMSMMSG.exe"
"Advanced Tools Check"="C:\\PROGRA~1\\NORTON~1\\AdvTools\\ADVCHK.EXE"
"pop06ap"="C:\\WINDOWS\\pop06ap2.exe"
"Pure Networks Port Magic"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe\" -Run"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Tue 06/27/2006 18:10:19.87
ComboFix ver 06.06.26 - This logfile is located at C:\ComboFix.txt

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:12:57 PM

Posted 29 June 2006 - 04:44 PM

Hello,

I see you posted the same ComboFix log as before - you need to rescan with ComboFix and post the log.

#7 docturny

docturny
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:03:57 AM

Posted 30 June 2006 - 12:05 PM

oops

Logfile of HijackThis v1.99.1
Scan saved at 4:37:11 PM, on 6/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1147475107638
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe


Start Time= Thu 06/29/2006 16:04:09.37
Running from: C:\Documents and Settings\Tech Support\Desktop

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-06-28 15:52:38 ( .D... ) "C:\Documents and Settings\Tech Support\Application Data\Macromedia"
2006-06-27 16:25:38 ( .D... ) "C:\Program Files\WinZip"
2006-06-27 12:49:24 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-06-26 17:06:00 ( .D... ) "C:\Program Files\TuneUp Utilities 2006"
2006-06-26 17:06:00 ( .D... ) "C:\Documents and Settings\Tech Support\Application Data\TuneUp Software"
2006-06-26 16:57:16 ( .D... ) "C:\Documents and Settings\Tech Support\Application Data\AOL"
2006-06-26 16:54:40 ( .D... ) "C:\Documents and Settings\Tech Support\Application Data\Identities"
2006-06-26 16:53:28 ( .DS.. ) "C:\Documents and Settings\Tech Support\Application Data\Microsoft"
2006-06-26 14:08:00 ( .D... ) "C:\Program Files\Common Files\Wise Installation Wizard"
2006-06-25 21:43:26 157696 ( A.... ) "C:\WINDOWS\system32\rmoc3260.dll"
2006-06-25 21:36:20 ( .D... ) "C:\Program Files\Common Files\AolCoach"
2006-06-25 21:31:00 ( .D... ) "C:\Program Files\America Online 9.0a"
2006-06-25 12:00:38 93634 ( A.SH. ) "C:\Program Files\Common Files\Yazzle1119OinUninstaller.exe"
2006-06-22 03:47:18 181248 ( A.... ) "C:\WINDOWS\system32\rasmans.dll"
2006-06-11 14:13:58 ( .D... ) "C:\Program Files\Common Files\Adobe"
2006-06-11 14:10:34 ( .D... ) "C:\Program Files\Adobe"
2006-06-09 17:01:54 ( .D... ) "C:\Program Files\MySpace"
2006-06-08 18:19:50 5967776 ( A.... ) "C:\WINDOWS\system32\MRT.exe"
2006-06-07 15:12:40 ( .D... ) "C:\Program Files\Yahoo!"
2006-06-03 19:58:08 ( .D... ) "C:\Program Files\Common Files\Kodak"
2006-06-03 19:52:24 ( .D... ) "C:\Program Files\Kodak"
2006-06-01 11:47:08 163840 ( A.... ) "C:\WINDOWS\system32\jgdw400.dll"
2006-06-01 11:47:08 27648 ( A.... ) "C:\WINDOWS\system32\jgpl400.dll"
2006-05-29 08:30:34 1494016 ( A.... ) "C:\WINDOWS\system32\shdocvw.dll"
2006-05-25 18:00:20 ( .D... ) "C:\Program Files\iTunes"
2006-05-25 18:00:20 ( .D... ) "C:\Program Files\iPod"
2006-05-20 16:04:14 10920 ( A.... ) "C:\aolconnfix.exe"
2006-05-20 15:53:58 ( .D... ) "C:\Program Files\Common Files\aolback"
2006-05-20 15:52:40 ( .D... ) "C:\Program Files\Common Files\Nullsoft"
2006-05-20 15:51:54 ( .D... ) "C:\Program Files\QuickTime"
2006-05-20 15:51:18 6656 ( A.... ) "C:\WINDOWS\system32\pndx5016.dll"
2006-05-20 15:51:18 5632 ( A.... ) "C:\WINDOWS\system32\pndx5032.dll"
2006-05-20 15:51:18 ( .D... ) "C:\Program Files\Real"
2006-05-20 15:51:16 278528 ( A.... ) "C:\WINDOWS\system32\pncrt.dll"
2006-05-20 15:51:16 ( .D... ) "C:\Program Files\Common Files\Real"
2006-05-20 15:50:44 ( .D... ) "C:\Program Files\Viewpoint"
2006-05-20 15:50:36 ( .D... ) "C:\Program Files\Pure Networks"
2006-05-20 15:50:18 ( .D... ) "C:\Program Files\AOL Toolbar"
2006-05-20 15:50:12 ( .D... ) "C:\Program Files\AOL Deskbar"
2006-05-20 15:48:56 ( .D... ) "C:\Program Files\Common Files\aolshare"
2006-05-20 15:48:56 ( .D... ) "C:\Program Files\America Online 9.0"
2006-05-20 15:48:26 ( .D... ) "C:\Program Files\Common Files\AOL"
2006-05-20 15:10:46 ( .D... ) "C:\Program Files\ANI"
2006-05-20 15:10:20 ( .D... ) "C:\Program Files\D-Link"
2006-05-19 08:08:32 3052544 ( A.... ) "C:\WINDOWS\system32\mshtml.dll"
2006-05-17 22:24:26 450560 ( A.... ) "C:\WINDOWS\system32\jscript.dll"
2006-05-12 17:25:30 ( .D... ) "C:\Program Files\SymNetDrv"
2006-05-12 17:20:18 ( .D... ) "C:\Program Files\Symantec"
2006-05-12 17:20:04 ( .D... ) "C:\Program Files\Norton AntiVirus"
2006-05-12 17:20:04 ( .D... ) "C:\Program Files\Common Files\Symantec Shared"
2006-05-12 17:17:30 ( .D... ) "C:\Program Files\Windows Defender"
2006-05-12 17:16:24 ( .D... ) "C:\Program Files\Lavasoft"
2006-05-12 17:00:42 47564 ( A.SHR ) "C:\NTDETECT.COM"
2006-05-12 15:53:00 ( .D... ) "C:\Program Files\Microsoft Visual Studio"
2006-05-12 15:52:58 ( .D... ) "C:\Program Files\Common Files\Designer"
2006-05-12 15:51:48 ( .D... ) "C:\Program Files\Snapshot Viewer"
2006-05-12 15:51:02 ( .D... ) "C:\Program Files\Microsoft Office"
2006-05-12 15:43:52 ( .D... ) "C:\Program Files\Intel"
2006-05-12 15:41:54 ( .D... ) "C:\Program Files\Analog Devices"
2006-05-12 14:43:32 ( .D.H. ) "C:\Program Files\InstallShield Installation Information"
2006-05-12 14:43:22 ( .D... ) "C:\Program Files\Broadcom"
2006-05-12 14:43:14 ( .D... ) "C:\Program Files\Common Files\InstallShield"
2006-05-12 14:19:26 ( .D.H. ) "C:\Program Files\Uninstall Information"
2006-05-12 14:13:28 ( .D... ) "C:\Program Files\xerox"
2006-05-12 14:13:28 ( .D... ) "C:\Program Files\microsoft frontpage"
2006-05-12 14:12:58 0 ( A.... ) "C:\AUTOEXEC.BAT"
2006-05-12 14:10:44 ( .D... ) "C:\Program Files\Movie Maker"
2006-05-12 14:10:22 ( .D... ) "C:\Program Files\Windows Media Player"
2006-05-12 14:10:18 ( .D... ) "C:\Program Files\NetMeeting"
2006-05-12 14:10:16 ( .D... ) "C:\Program Files\Common Files\Services"
2006-05-12 14:10:12 ( .D... ) "C:\Program Files\Outlook Express"
2006-05-12 14:10:10 ( .D... ) "C:\Program Files\Common Files\MSSoap"
2006-05-12 14:10:06 ( .D... ) "C:\Program Files\Common Files\System"
2006-05-12 14:10:02 ( .D... ) "C:\Program Files\Internet Explorer"
2006-05-12 14:09:12 ( .D... ) "C:\Program Files\ComPlus Applications"
2006-05-12 14:08:54 ( .D.H. ) "C:\Program Files\WindowsUpdate"
2006-05-12 14:08:54 ( .D... ) "C:\Program Files\Online Services"
2006-05-12 14:08:46 ( .D... ) "C:\Program Files\Messenger"
2006-05-12 14:08:42 ( .D... ) "C:\Program Files\MSN"
2006-05-12 14:08:38 ( .D... ) "C:\Program Files\MSN Gaming Zone"
2006-05-12 14:08:30 ( .D... ) "C:\Program Files\Windows NT"
2006-05-12 06:50:42 ( .D... ) "C:\Program Files\Common Files\ODBC"
2006-05-12 06:50:38 ( .D... ) "C:\Program Files\Common Files\SpeechEngines"
2006-05-12 06:50:38 ( .D... ) "C:\Program Files\Common Files\Microsoft Shared"
2006-05-12 06:50:38 ( .D... ) "C:\Program Files\Common Files"
2006-05-12 06:50:16 62 ( A.SH. ) "C:\Documents and Settings\Tech Support\Application Data\desktop.ini"
2006-05-11 01:23:24 24576 ( A.... ) "C:\WINDOWS\system32\xpsp3res.dll"
2006-05-09 22:23:04 658432 ( A.... ) "C:\WINDOWS\system32\wininet.dll"
2006-05-09 22:23:02 613888 ( A.... ) "C:\WINDOWS\system32\urlmon.dll"
2006-05-09 22:23:02 532480 ( A.... ) "C:\WINDOWS\system32\mstime.dll"
2006-05-09 22:23:02 474112 ( A.... ) "C:\WINDOWS\system32\shlwapi.dll"
2006-05-09 22:23:02 448512 ( A.... ) "C:\WINDOWS\system32\mshtmled.dll"
2006-05-09 22:23:02 146432 ( A.... ) "C:\WINDOWS\system32\msrating.dll"
2006-05-09 22:23:02 39424 ( A.... ) "C:\WINDOWS\system32\pngfilt.dll"
2006-05-09 22:23:00 1054208 ( A.... ) "C:\WINDOWS\system32\danim.dll"
2006-05-09 22:23:00 1022976 ( A.... ) "C:\WINDOWS\system32\browseui.dll"
2006-05-09 22:23:00 357888 ( A.... ) "C:\WINDOWS\system32\dxtmsft.dll"
2006-05-09 22:23:00 251392 ( A.... ) "C:\WINDOWS\system32\iepeers.dll"
2006-05-09 22:23:00 205312 ( A.... ) "C:\WINDOWS\system32\dxtrans.dll"
2006-05-09 22:23:00 151040 ( A.... ) "C:\WINDOWS\system32\cdfview.dll"
2006-05-09 22:23:00 96256 ( A.... ) "C:\WINDOWS\system32\inseng.dll"
2006-05-09 22:23:00 55808 ( ..... ) "C:\WINDOWS\system32\extmgr.dll"
2006-05-09 22:23:00 16384 ( A.... ) "C:\WINDOWS\system32\jsproxy.dll"
2006-04-24 15:40:00 4730880 ( A.... ) "C:\WINDOWS\system32\wmp.dll"
2006-04-06 10:54:38 73728 ( A.... ) "C:\WINDOWS\system32\asuninst.exe"


((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,9c,00,00,00,00,00,00,00,64,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,12,03,00,00,23,00,00,00,dc,00,00,00,d2,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ANIWZCS2Service"="C:\\Program Files\\ANI\\ANIWZCS2 Service\\WZCSLDR2.exe"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1148165339\\EE\\AOLHostManager.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"
"D-Link AirPlus G"="C:\\Program Files\\D-Link\\AirPlus G\\AirGCFG.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"BCMSMMSG"="BCMSMMSG.exe"
"Advanced Tools Check"="C:\\PROGRA~1\\NORTON~1\\AdvTools\\ADVCHK.EXE"
"Pure Networks Port Magic"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe\" -Run"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Thu 06/29/2006 16:05:09.76
ComboFix ver 06.06.26 - This logfile is located at C:\ComboFix.txt



Incident Status Location

Adware:adware/purityscan Not disinfected Windows Registry
Spyware:spyware/media-motor Not disinfected Windows Registry
Adware:Adware/Mirar Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\mit10C.tmp[NNBar_VCSetup_876029.exe]
Adware:Adware/Mirar Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\mit10C.tmp.cab[NNBar_VCSetup_876029.exe]
Adware:Adware/Mirar Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\NNBar_VCSetup_876029.exe
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Tech Support\Cookies\tech support@questionmarket[1].txt
Adware:Adware/Qoologic Not disinfected C:\QooBox\ddifv.exe.vir
Adware:Adware/Qoologic Not disinfected C:\QooBox\lvvepr.exe.vir
Adware:Adware/Qoologic Not disinfected C:\QooBox\mbtmawt.exe.vir
Adware:Adware/Qoologic Not disinfected C:\QooBox\qtkhc.dat.vir
Adware:Adware/Qoologic Not disinfected C:\QooBox\rdvehae.dll.vir
Spyware:Cookie/QuestionMarket Not disinfected C:\RECYCLER\NPROTECT\00000005.TXT
Spyware:Cookie/QuestionMarket Not disinfected C:\RECYCLER\NPROTECT\00000006.TXT
Spyware:Cookie/888 Not disinfected C:\Rossana\Cookies\rossana@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Rossana\Cookies\rossana@888[2].txt
Spyware:Cookie/Abetterinternet Not disinfected C:\Rossana\Cookies\rossana@abetterinternet[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Rossana\Cookies\rossana@ad.yieldmanager[2].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Rossana\Cookies\rossana@adopt.hbmediapro[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Rossana\Cookies\rossana@ath.belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Rossana\Cookies\rossana@belnk[2].txt
Spyware:Cookie/BestOffersNetworks Not disinfected C:\Rossana\Cookies\rossana@bestoffersnetworks[1].txt
Spyware:Cookie/Btgrab Not disinfected C:\Rossana\Cookies\rossana@btg.btgrab[2].txt
Spyware:Cookie/Cassava Not disinfected C:\Rossana\Cookies\rossana@cassava[1].txt
Spyware:Cookie/Twain-Tech Not disinfected C:\Rossana\Cookies\rossana@cliks[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Rossana\Cookies\rossana@dist.belnk[1].txt
Spyware:Cookie/empnads Not disinfected C:\Rossana\Cookies\rossana@empnads[1].txt
Spyware:Cookie/Go Not disinfected C:\Rossana\Cookies\rossana@go[2].txt
Spyware:Cookie/Kmpads Not disinfected C:\Rossana\Cookies\rossana@kmpads[2].txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\Rossana\Cookies\rossana@offeroptimizer[1].txt
Adware:Adware/Look2Me Not disinfected C:\Rossana\Local Settings\Temporary Internet Files\Content.IE5\S5UVS1AR\upd209[1].exe
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\?ystem32\spoolsv.exe

#8 miekiemoes
    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 30 June 2006 - 12:15 PM

Hello,

Your HijackThis log looks clean again. Only one folder to delete here, but be very careful!!

Read this first before deleting!!!!
The folder you have to delete is C:\WINDOWS\?ystem32 <== this folder will most probably look like System32. Watch out here!! There's also a LEGIT/good system32 folder present there with a lot of files and subfolders in it... Don't delete that one!! The bad system32 folder only contains 1 file with the name spoolsv.exe.
So you'll have 2 system32 folders there, a good one with a lot of files in it and a bad one only containing spoolsv.exe. In the good system32 folder there's also a spoolsv.exe, but that is a good one.

Let me know if you can find that bad folder - once again, make sure you don't delete the good system32-folder there.

Also perform the next step again, but for every account present on your computer:

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Let me know in your next reply how things are running now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
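One way to pick out a lookalike folder like the one described above without relying on the eye, as an added Python example that is not part of this thread or of HijackThis, ComboFix or Panda ActiveScan; the sample tree it scans is constructed inline, and the decoy's exact odd character (a Cyrillic letter) is an assumption, since the Panda report only shows it as '?':

```python
import os
import tempfile
import unicodedata
from pathlib import Path

# Added example (not from the thread): flag directories whose name looks like
# "system32" but is not the canonical one, and list what each contains.
CANONICAL = "system32"


def normalize_name(name: str) -> str:
    """Fold a name for comparison: NFKC, casefold, and drop control, format and
    space characters, which 8-bit log writers typically render as '?'."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return "".join(ch for ch in folded
                   if unicodedata.category(ch) not in ("Cc", "Cf", "Zs"))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by the standard row-by-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(name: str) -> bool:
    """True for a name within one edit of 'system32' (after folding) that is not
    the exact canonical spelling: 'System32' passes, while 'ѕystem32' (Cyrillic
    ѕ), 'system32 ' or a name carrying a zero-width character is flagged."""
    if name.casefold() == CANONICAL:
        return False
    return edit_distance(normalize_name(name), CANONICAL) <= 1


def scan_windows_root(windows_dir: str) -> list:
    """Check the immediate subdirectories of windows_dir (e.g. C:\\WINDOWS) and
    return one record per lookalike with its escaped name and file list."""
    findings = []
    for entry in os.scandir(windows_dir):
        if entry.is_dir(follow_symlinks=False) and is_lookalike(entry.name):
            findings.append({
                "path": entry.path,
                "name_repr": ascii(entry.name),   # makes the odd character visible
                "files": sorted(os.listdir(entry.path)),
            })
    return findings


def build_sample_tree() -> str:
    """Constructed sample tree: a real system32 holding several files, the
    legitimate 'system' folder, and a decoy whose first letter is Cyrillic and
    which holds only spoolsv.exe, mirroring the '?ystem32' entry in the report."""
    root = tempfile.mkdtemp(prefix="winroot_")
    good = Path(root, "system32")
    good.mkdir()
    for fname in ("spoolsv.exe", "kernel32.dll", "ntdll.dll"):
        (good / fname).write_bytes(b"")
    Path(root, "system").mkdir()
    decoy = Path(root, "\u0455ystem32")   # assumed homoglyph, not from the log
    decoy.mkdir()
    (decoy / "spoolsv.exe").write_bytes(b"")
    return root


if __name__ == "__main__":
    for hit in scan_windows_root(build_sample_tree()):
        print(hit["name_repr"], "->", hit["files"])
```

On a real machine, point scan_windows_root at the Windows directory; the genuine System32 is never reported because its name matches exactly.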

#9 miekiemoes
    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 06 July 2006 - 05:16 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.