Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Please Help With Mother In Law's Computer - Hijack Log


  • This topic is locked This topic is locked
16 replies to this topic

#1 InbewteenNights

InbewteenNights

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:01:11 PM

Posted 08 July 2006 - 07:33 PM

Mother in law is on vacation so I thought I'd be nice and clean up her computer! Please look over this and tell me what you think. Any help is appreciated! :thumbsup:

Logfile of HijackThis v1.99.1
Scan saved at 7:26:54 PM, on 7/8/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\ldbwsb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Computer Clean Up\HJT\HijackThis1991.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: WinStat - {EE02B99B-1D55-48bc-B8DB-649A42CE45F6} - C:\WINDOWS\System32\WinStat12.dll (file missing)
O2 - BHO: BestOffers Shopping BHO - {F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} - C:\Program Files\TBONAS\TBONlchr.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: BestOffers Shopping v1.20 - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - C:\Program Files\TBONAS\TBONlchr.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Engflenx] C:\Program Files\Boksppo\Qecugyb.exe
O4 - HKLM\..\Run: [tempx] C:\WINDOWS\System32\tempx.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [wsr] C:\WINDOWS\System32\wsr.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [pcpokuj] C:\WINDOWS\System32\ldbwsb.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Engflenx] C:\Program Files\Boksppo\Qecugyb.exe
O4 - HKCU\..\Run: [qqok] C:\PROGRA~1\COMMON~1\qqok\qqokm.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw4.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4047/ftp...23/cpbrkpie.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.picturecenter.kodak.com/acti...loadControl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

BC AdBot (Login to Remove)

 


#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:06:11 PM

Posted 09 July 2006 - 08:33 AM

Hello there,

It is a good idea to print off these instructions - they will be needed later when internet access is not available. You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above. It is important that you complete the following instructions in the correct order, and also that you don't miss anything out!

* Please set your system to show hidden files; please see here if you're unsure how to do this.

* Please download Ewido anti-malware ; it is a 30 day trial version of the program.
  • Install ewido security suite
  • Ewido will automatically run at the end.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the top row of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the top will display ("Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Don't run it yet.

*Now start a new scan with HJT and place a checkmark next to each of the following items (if present):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: WinStat - {EE02B99B-1D55-48bc-B8DB-649A42CE45F6} - C:\WINDOWS\System32\WinStat12.dll (file missing)
O2 - BHO: BestOffers Shopping BHO - {F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} - C:\Program Files\TBONAS\TBONlchr.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: BestOffers Shopping v1.20 - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - C:\Program Files\TBONAS\TBONlchr.dll (file missing)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Engflenx] C:\Program Files\Boksppo\Qecugyb.exe
O4 - HKLM\..\Run: [tempx] C:\WINDOWS\System32\tempx.exe
O4 - HKLM\..\Run: [wsr] C:\WINDOWS\System32\wsr.exe
O4 - HKLM\..\Run: [pcpokuj] C:\WINDOWS\System32\ldbwsb.exe r
O4 - HKCU\..\Run: [Engflenx] C:\Program Files\Boksppo\Qecugyb.exe
O4 - HKCU\..\Run: [qqok] C:\PROGRA~1\COMMON~1\qqok\qqokm.exe
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw4.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4047/ftp...23/cpbrkpie.cab


* Make sure your Internet Explorer is closed and click on "Fix Checked" and exit HijackThis when finished.

Reboot into SAFE MODE
By pressing the F8 key right when Windows starts, usually right after you hear your computer
beep when you reboot it (some versions of windows will display 'Starting Windows' with a grey progress bar)
you will be brought to a menu where you can choose to boot into safe mode.

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\WINDOWS\Nail.exe
C:\Program Files\Boksppo
C:\WINDOWS\System32\tempx.exe
C:\WINDOWS\System32\wsr.exe
C:\WINDOWS\System32\ldbwsb.exe
C:\Program Files\Common Files\qqok

* Open Ewido anti-malware
Click on the scanner button in the top row.
  • Click Complete System Scan and the scan will begin.
  • If you have any infections you will prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen.
  • Save the report to your desktop.
Close Ewido

* Please reboot back to normal mode.

* Also, download Combofix to your desktop.
Doubleclick combo.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog, and the ewido log.

David

#3 InbewteenNights

InbewteenNights
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:01:11 PM

Posted 10 July 2006 - 11:37 AM

Ok David.. I've done what you said. Here are my log files!

Combofix:

Start Time= Mon 07/10/2006 10:23:03.10
Running from: C:\Computer Clean Up\Combofix

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscdll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\igfxcui
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ScCertProp
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Schedule
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsrv
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlballoon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wzcnotif


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{4F3D48EE-DC66-419D-930F-E8ADB486697D}]
@=""

[HKEY_CLASSES_ROOT\clsid\{4F3D48EE-DC66-419D-930F-E8ADB486697D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{4F3D48EE-DC66-419D-930F-E8ADB486697D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{4F3D48EE-DC66-419D-930F-E8ADB486697D}\InprocServer32]
@="C:\\WINDOWS\\system32\\phfmgr.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINDOWS\SYSTEM32\fp4o03h3e.dll
C:\WINDOWS\SYSTEM32\gpjol3131.dll
C:\WINDOWS\SYSTEM32\m8820iloe8qc0.dll
C:\WINDOWS\SYSTEM32\mov1_0.dll
C:\WINDOWS\SYSTEM32\mpls31.dll
C:\WINDOWS\SYSTEM32\mvrsl9971.dll
C:\WINDOWS\SYSTEM32\mzpmsp.dll
C:\WINDOWS\SYSTEM32\n8n6li5s18.dll
C:\WINDOWS\SYSTEM32\phfmgr.dll
C:\WINDOWS\SYSTEM32\vcajet32.dll
C:\WINDOWS\SYSTEM32\vppodbc.dll
C:\WINDOWS\SYSTEM32\wrnipsec.dll


Granting sedebugprivilege to Administrators ... successful


((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))

10:24:01.98

Qoologic uninstaller found and executed
Registry entries fixed


(((((((((((((((((((((((((((((((((((((((((((((((( Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\repairs303169590.dll
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Ssk.log
C:\Documents and Settings\Mom\Application Data\Sskcwrd.dll
C:\Documents and Settings\Mom\Application Data\Sskknwrd.dll
C:\Documents and Settings\Mom\Local Settings\Temporary Internet Files\Ssk.log
C:\Program Files\SurfSideKick 3\Ssk.exe
C:\Program Files\SurfSideKick 3\SskBho.dll
C:\Program Files\SurfSideKick 3\SskCore.dll
C:\WINDOWS\system32\bk.exe


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



10:25:18.56
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Mendoza1.exe
C:\RECYCLER\S-1-5-21-1647243320-497347378-320518637-500\Dc55\Mendoza1[1].exe
C:\WINDOWS\drsmartload2.dat
C:\WINDOWS\newname.dat
C:\WINDOWS\keyboard1.dat
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\MTE3NDI6ODoxNg.exe
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\Program Files\network monitor
C:\Program Files\snowball wars
C:\Program Files\Common Files\misc001
C:\Program Files\Common Files\simtest
C:\Program Files\Common Files\svchostsys
C:\Documents and Settings\LocalService\Application Data\NetMon


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-09 19:25:00 159834 ( A.... ) "C:\WINDOWS\system32\lwinrpez.exe"
2006-07-09 19:24:50 45095 ( A.... ) "C:\WINDOWS\system32\oqdsregq.exe"
2006-07-09 18:44:12 183296 ( A.S.. ) "C:\WINDOWS\NDNuninstall7_22.exe"
2006-07-09 18:41:48 1392640 ( A.... ) "C:\WINDOWS\cfg32a.exe"
2006-07-09 18:41:38 102400 ( A.... ) "C:\WINDOWS\cfg32r.dll"
2006-07-09 18:41:36 110592 ( A.... ) "C:\WINDOWS\cfg32o.dll"
2006-07-09 18:41:02 1063 ( A.... ) "C:\WINDOWS\system32\hhsb1872.sys"
2006-07-09 18:41:02 1063 ( A.... ) "C:\WINDOWS\system32\hhsb1872.sys"
2006-07-09 18:41:00 143360 ( A.... ) "C:\WINDOWS\ms05443521778.exe"
2006-07-09 18:37:02 397312 ( A.... ) "C:\WINDOWS\cfg32p.dll"
2006-07-09 18:36:50 38412 ( A.... ) "C:\WINDOWS\ssqbn.exe"
2006-07-09 18:36:48 926 ( A.... ) "C:\WINDOWS\system32\nt68rrtc12.sys"
2006-07-09 18:36:48 926 ( A.... ) "C:\WINDOWS\system32\nt68rrtc12.sys"
2006-07-09 18:36:42 20480 ( A.... ) "C:\stub_sca3.exe"
2006-07-09 18:36:42 0 ( A.... ) "C:\Documents and Settings\Mom\Application Data\internaldb41.dat"
2006-07-09 18:36:34 151112 ( A.... ) "C:\mc-110-12-0000228.exe"
2006-07-09 18:36:32 51712 ( A.... ) "C:\WINDOWS\system32\w01fd867.dll"
2006-07-09 18:36:30 48167 ( A.... ) "C:\WINDOWS\system32\VSL05.exe"
2006-07-09 18:36:28 45073 ( A.... ) "C:\WINDOWS\system32\dwdsregt.exe"
2006-07-09 18:36:26 45068 ( A.... ) "C:\WINDOWS\system32\ZICORN003.exe"
2006-07-09 18:36:24 389632 ( A.... ) "C:\webnexmknew.exe"
2006-07-09 18:36:22 61440 ( A.... ) "C:\WINDOWS\system32\hhsb1872.dll"
2006-07-09 18:36:20 29696 ( A.... ) "C:\WINDOWS\system32\w01fa9d5.dll"
2006-07-09 18:36:18 184829 ( A.... ) "C:\WINDOWS\srvtnrlbbj.exe"
2006-07-09 18:36:18 32976 ( A.... ) "C:\WINDOWS\system32\uninstIcn.exe"
2006-07-09 18:36:18 ( .D... ) "C:\Program Files\PSHope"
2006-07-09 18:36:16 235134 ( A.... ) "C:\WINDOWS\srvqcwgqaz.exe"
2006-07-09 18:35:44 8464 ( A.... ) "C:\WINDOWS\system32\sporder.dll"
2006-07-09 18:35:42 50688 ( A.S.. ) "C:\WINDOWS\NDNuninstall6_38.exe"
2006-07-09 18:35:20 208896 ( A.... ) "C:\WINDOWS\system32\x3cqp0.dll"
2006-07-09 18:35:20 28672 ( A.... ) "C:\WINDOWS\System32ftuninst.exe"
2006-07-09 18:35:20 28672 ( A.... ) "C:\WINDOWS\system32\gbe90qs.exe"
2006-07-09 18:35:20 24576 ( A.... ) "C:\WINDOWS\System32ssec.exe"
2006-07-09 18:35:18 45056 ( A.... ) "C:\WINDOWS\System32tfthot.exe"
2006-07-09 18:35:16 45056 ( A.... ) "C:\WINDOWS\system32\tfthot.exe"
2006-07-09 18:35:16 30208 ( A.... ) "C:\SS1001new.exe"
2006-07-09 18:35:16 28672 ( A.... ) "C:\WINDOWS\system32\ftuninst.exe"
2006-07-09 18:35:16 24576 ( A.... ) "C:\WINDOWS\system32\ssec.exe"
2006-07-09 18:34:58 45056 ( A.... ) "C:\wd7gi8nnew.exe"
2006-07-09 18:34:46 36608 ( A.... ) "C:\WINDOWS\nem220.dll"
2006-07-09 18:34:46 14848 ( A.... ) "C:\stub_113_4_0_4_0new.exe"
2006-07-09 18:34:36 232749 ( A.... ) "C:\WINDOWS\pf78.exe"
2006-07-09 18:34:36 52104 ( A.... ) "C:\WINDOWS\pf79.exe"
2006-07-09 18:34:26 467968 ( A.... ) "C:\visfx500new.exe"
2006-07-09 18:34:14 110592 ( A.... ) "C:\WINDOWS\v1201.exe"
2006-07-09 18:34:06 48190 ( A.... ) "C:\RDFX4.exe"
2006-07-09 18:33:26 ( .D... ) "C:\Program Files\ToolBar888"
2006-07-09 18:33:26 ( .D... ) "C:\Program Files\Common Files\{0CFB2073-0A6A-1033-0415-040203200001}"
2006-07-09 18:33:06 ( .DSH. ) "C:\Program Files\outlook"
2006-07-09 18:31:06 ( .D... ) "C:\Program Files\BearShare"
2006-06-20 19:55:26 389120 ( A.... ) "C:\WINDOWS\system32\nodeipproc.dll"
2006-06-15 18:39:06 131072 ( A.... ) "C:\WINDOWS\system32\mptft.exe"
2006-06-15 15:26:44 1142784 ( A.... ) "C:\WINDOWS\system32\ssn6tuu.exe"
2006-06-15 15:26:40 24576 ( A.... ) "C:\WINDOWS\system32\nr1rnqm8.exe"
2006-05-30 18:19:18 2088960 ( A.... ) "C:\WINDOWS\cfg32.exe"
2006-05-30 18:09:20 24576 ( A.... ) "C:\WINDOWS\Uninstall.exe"
2006-05-29 21:59:38 ( .D... ) "C:\Program Files\Common Files\HP"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-10 10:00 528,011,264 C:\hiberfil.sys
2006-07-09 19:24 45,095 C:\WINDOWS\system32\oqdsregq.exe
2006-07-09 19:24 159,834 C:\WINDOWS\system32\lwinrpez.exe
2006-07-09 18:41 102,400 C:\WINDOWS\cfg32r.dll
2006-07-09 18:41 1,392,640 C:\WINDOWS\cfg32a.exe
2006-07-09 18:40 143,360 C:\WINDOWS\ms05443521778.exe
2006-07-09 18:38 183,296 C:\WINDOWS\NDNuninstall7_22.exe
2006-07-09 18:37 397,312 C:\WINDOWS\cfg32p.dll
2006-07-09 18:37 110,592 C:\WINDOWS\cfg32o.dll
2006-07-09 18:36 926 C:\WINDOWS\system32\nt68rrtc12.sys
2006-07-09 18:36 61,440 C:\WINDOWS\system32\hhsb1872.dll
2006-07-09 18:36 51,712 C:\WINDOWS\system32\w01fd867.dll
2006-07-09 18:36 48,167 C:\WINDOWS\system32\VSL05.exe
2006-07-09 18:36 45,073 C:\WINDOWS\system32\dwdsregt.exe
2006-07-09 18:36 45,068 C:\WINDOWS\system32\ZICORN003.exe
2006-07-09 18:36 389,632 C:\webnexmknew.exe
2006-07-09 18:36 38,412 C:\WINDOWS\ssqbn.exe
2006-07-09 18:36 32,976 C:\WINDOWS\system32\uninstIcn.exe
2006-07-09 18:36 29,696 C:\WINDOWS\system32\w01fa9d5.dll
2006-07-09 18:36 235,134 C:\WINDOWS\srvqcwgqaz.exe
2006-07-09 18:36 20,480 C:\stub_sca3.exe
2006-07-09 18:36 184,829 C:\WINDOWS\srvtnrlbbj.exe
2006-07-09 18:36 151,112 C:\mc-110-12-0000228.exe
2006-07-09 18:36 1,063 C:\WINDOWS\system32\hhsb1872.sys
2006-07-09 18:35 8,464 C:\WINDOWS\system32\sporder.dll
2006-07-09 18:35 50,688 C:\WINDOWS\NDNuninstall6_38.exe
2006-07-09 18:35 45,056 C:\WINDOWS\System32tfthot.exe
2006-07-09 18:35 45,056 C:\WINDOWS\system32\tfthot.exe
2006-07-09 18:35 30,208 C:\SS1001new.exe
2006-07-09 18:35 28,672 C:\WINDOWS\System32ftuninst.exe
2006-07-09 18:35 28,672 C:\WINDOWS\system32\gbe90qs.exe
2006-07-09 18:35 28,672 C:\WINDOWS\system32\ftuninst.exe
2006-07-09 18:35 24,576 C:\WINDOWS\System32ssec.exe
2006-07-09 18:35 24,576 C:\WINDOWS\system32\ssec.exe
2006-07-09 18:35 24,576 C:\WINDOWS\system32\nr1rnqm8.exe
2006-07-09 18:35 208,896 C:\WINDOWS\system32\x3cqp0.dll
2006-07-09 18:35 131,072 C:\WINDOWS\system32\mptft.exe
2006-07-09 18:35 1,142,784 C:\WINDOWS\system32\ssn6tuu.exe
2006-07-09 18:34 52,104 C:\WINDOWS\pf79.exe
2006-07-09 18:34 48,190 C:\RDFX4.exe
2006-07-09 18:34 467,968 C:\visfx500new.exe
2006-07-09 18:34 45,056 C:\wd7gi8nnew.exe
2006-07-09 18:34 36,608 C:\WINDOWS\nem220.dll
2006-07-09 18:34 232,749 C:\WINDOWS\pf78.exe
2006-07-09 18:34 21,504 C:\WINDOWS\offun.exe
2006-07-09 18:34 14,848 C:\stub_113_4_0_4_0new.exe
2006-07-09 18:34 127,574 C:\WINDOWS\system32\tsuninst.exe
2006-07-09 18:34 110,592 C:\WINDOWS\v1201.exe
2006-07-09 18:34 1,153,728 C:\WINDOWS\ebuljac.exe
2006-07-09 18:34 1,144,304 C:\WINDOWS\ebuljacA.exe
2006-06-20 19:55 389,120 C:\WINDOWS\system32\nodeipproc.dll
2006-05-30 18:19 2,088,960 C:\WINDOWS\cfg32.exe
2006-05-30 18:09 24,576 C:\WINDOWS\Uninstall.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"{B2-20-07-73-ZN}"="c:\\windows\\system32\\oqdsregq.exe CORN003"
"BrowserUpdateSched"="C:\\WINDOWS\\System32\\lwinrpez.exe CORN003"
"wvpdzqk"="C:\\WINDOWS\\System32\\hiwbwqp.exe r"
"wsr"="C:\\WINDOWS\\System32\\wsr.exe"
"winlog"="winlog.exe"
"win3206435217784"="C:\\WINDOWS\\win3206435217784.exe"
"w01fd867.dll"="RUNDLL32.EXE w01fd867.dll,I2 001b1871001fd867"
"VTTimer"="VTTimer.exe"
"UpdateManager"="\"c:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"TheMonitor"="C:\\WINDOWS\\SYSC00.exe"
"tempx"="C:\\WINDOWS\\System32\\tempx.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"outlook"="C:\\Program Files\\outlook\\outlook.exe /auto"
"New.net Startup"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~2.DLL,ClientStartup -s"
"NAV CfgWiz"="c:\\Program Files\\Common Files\\Symantec Shared\\CfgWiz.exe /GUID NAV /CMDLINE \"REBOOT\""
"ms05443521778"="C:\\WINDOWS\\ms05443521778.exe"
"Internet Optimizer"="\"C:\\Program Files\\Internet Optimizer\\optimize.exe\""
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb12.exe"
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd.exe\""
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"hhsb1872"="RUNDLL32.EXE w01fa9d5.dll,n 001b18710000000301fa9d5"
"Hhl7RfpJ"="\"C:\\WINDOWS\\System32\\ssn6tuu.exe\""
"ftexc"="C:\\WINDOWS\\System32\\mptft.exe"
"Engflenx"="C:\\Program Files\\Boksppo\\Qecugyb.exe"
"ebuljacA"="C:\\WINDOWS\\ebuljacA.exe"
"dtlehed"="C:\\WINDOWS\\System32\\vnlyjf.exe r"
"DeviceDiscovery"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpotdd01.exe"
"Configuration Manager"="C:\\WINDOWS\\cfg32.exe"
"ccApp"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"AlcxMonitor"="ALCXMNTR.EXE"
"AGRSMMSG"="AGRSMMSG.exe"
"ACTX1"="C:\\WINDOWS\\v1201.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"qqok"="C:\\PROGRA~1\\COMMON~1\\qqok\\qqokm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
@=""
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"winlog"="winlog.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"tempx"="C:\\WINDOWS\\System32\\tempx.exe"
"rqvadi"="C:\\WINDOWS\\System32\\rqvadi.exe"
"bslexcu"="C:\\WINDOWS\\System32\\bslexcu.exe"
"wsr"="C:\\WINDOWS\\System32\\wsr.exe"
"ogxle"="C:\\WINDOWS\\System32\\ogxle.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"zat"="C:\\WINDOWS\\System32\\zat.exe"
"{0CFB2073-0A6A-1033-0415-040203200001}"="\"C:\\Program Files\\Common Files\\{0CFB2073-0A6A-1033-0415-040203200001}\\Update.exe\" mc-110-12-0000137"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Disk Cleanup.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Mon 07/10/2006 10:25:41.62
ComboFix ver 06.07.08 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-07-10.102303.txt

Ewido:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:25:44 AM, 7/10/2006
+ Report-Checksum: 6B40F551

+ Scan result:

C:\Documents and Settings\Mom\Cookies\mom@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Mom\Cookies\mom@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Mom\Cookies\mom@as-eu.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Mom\Cookies\mom@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Mom\Cookies\mom@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Mom\Cookies\mom@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Mom\Cookies\mom@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Mom\Cookies\mom@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Mom\Cookies\mom@kmpads[2].txt -> TrackingCookie.Kmpads : Cleaned with backup
C:\Documents and Settings\Mom\Cookies\mom@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Mom\Cookies\mom@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Mom\Cookies\mom@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\Mom\Cookies\mom@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Mom\Cookies\mom@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Mom\Local Settings\Temporary Internet Files\Content.IE5\03AFKT6V\xpl[1].wmf -> Exploit.MS05-053-WMF : Cleaned with backup
C:\Documents and Settings\Mom\Local Settings\Temporary Internet Files\Content.IE5\OVSXUZK7\new[1].htm -> Not-A-Virus.Constructor.Perl.Msdds.b : Cleaned with backup
C:\Program Files\TBONAS\TBONcomp.dll -> Adware.ActivShopper : Cleaned with backup
C:\RECYCLER\S-1-5-21-1647243320-497347378-320518637-500\Dc1.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\S-1-5-21-1647243320-497347378-320518637-500\Dc3\qqokl.exe -> Downloader.TSUpdate.p : Error during cleaning
C:\RECYCLER\S-1-5-21-1647243320-497347378-320518637-500\Dc3\qqokp.exe -> Downloader.TSUpdate.f : Error during cleaning
C:\RECYCLER\S-1-5-21-1647243320-497347378-320518637-500\Dc660.exe -> Adware.Look2Me : Cleaned with backup
C:\RECYCLER\S-1-5-21-1647243320-497347378-320518637-500\Dc661.exe -> Adware.Look2Me : Cleaned with backup
C:\SS1001new.exe -> Dropper.Small.qn : Cleaned with backup
C:\stub_113_4_0_4_0new.exe -> Downloader.TSUpdate.o : Cleaned with backup
C:\stub_sca3.exe -> Adware.BookedSpace : Cleaned with backup
C:\visfx500new.exe -> Dropper.Agent.aie : Cleaned with backup
C:\wd7gi8nnew.exe -> Downloader.Agent.ala : Cleaned with backup
C:\webnexmknew.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WINDOWS\cfg32.exe -> Adware.BookedSpace : Cleaned with backup
C:\WINDOWS\cfg32a.exe -> Adware.BookedSpace : Cleaned with backup
C:\WINDOWS\cfg32o.dll -> Adware.BookedSpace : Cleaned with backup
C:\WINDOWS\cfg32p.dll -> Adware.BookedSpace : Cleaned with backup
C:\WINDOWS\cfg32r.dll -> Adware.BookedSpace : Cleaned with backup
C:\WINDOWS\ebuljac.exe -> Hijacker.VB.ij : Cleaned with backup
C:\WINDOWS\lt.exe -> Downloader.Small.ajc : Cleaned with backup
C:\WINDOWS\mvjcedbkqjf.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\NDNuninstall6_38.exe -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\nem220.dll -> Downloader.Dyfuca : Cleaned with backup
C:\WINDOWS\offun.exe -> Downloader.VB.nw : Cleaned with backup
C:\WINDOWS\pf79.exe -> Downloader.Dyfuca.ei : Cleaned with backup
C:\WINDOWS\svcproc.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\SYSC00.exe -> Trojan.VB.tg : Cleaned with backup
C:\WINDOWS\system32\dwdsregt.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\ftuninst.exe -> Adware.Linkmaker : Cleaned with backup
C:\WINDOWS\system32\gbe90qs.exe -> Adware.Suggestor : Cleaned with backup
C:\WINDOWS\system32\hhsb1872.dll -> Adware.IEHelper : Cleaned with backup
C:\WINDOWS\system32\lwinrpez.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\mptft.exe -> Hijacker.StartPage.ajj : Cleaned with backup
C:\WINDOWS\system32\nodeipproc.dll -> Adware.BHO : Cleaned with backup
C:\WINDOWS\system32\oqdsregq.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\ssec.exe -> Trojan.Runner.h : Cleaned with backup
C:\WINDOWS\system32\ssn6tuu.exe -> Adware.Suggestor : Cleaned with backup
C:\WINDOWS\system32\tfthot.exe -> Adware.SearchAssistant : Cleaned with backup
C:\WINDOWS\system32\w01fa9d5.dll -> Downloader.Small : Cleaned with backup
C:\WINDOWS\system32\w01fd867.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\WINDOWS\system32\winlog.exe -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\system32\WinStat10.dll -> Adware.Winsta : Cleaned with backup
C:\WINDOWS\system32\x3cqp0.dll -> Adware.Suggestor : Cleaned with backup
C:\WINDOWS\system32\ZICORN003.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\System32ftuninst.exe -> Adware.Linkmaker : Cleaned with backup
C:\WINDOWS\System32ssec.exe -> Trojan.Runner.h : Cleaned with backup
C:\WINDOWS\System32tfthot.exe -> Adware.SearchAssistant : Cleaned with backup
C:\WINDOWS\sеcurity\lsass.exe -> Trojan.PurityAd : Cleaned with backup
C:\WINDOWS\unin101.exe -> Trojan.VB.tg : Cleaned with backup
C:\WINDOWS\uni_eh.exe -> Trojan.VB.tg : Cleaned with backup
C:\WINDOWS\v1201.exe -> Hijacker.Small : Cleaned with backup


::Report End

HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 11:31:34 AM, on 7/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\xjstkxj.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hkcmd.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\ebuljacA.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\{0CFB2073-0A6A-1033-0415-040203200001}\Update.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\win3209217784435.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Computer Clean Up\HJT\HijackThis1991.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll (file missing)
O4 - HKLM\..\Run: [wsr] C:\WINDOWS\System32\wsr.exe
O4 - HKLM\..\Run: [w01fd867.dll] RUNDLL32.EXE w01fd867.dll,I2 001b1871001fd867
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tempx] C:\WINDOWS\System32\tempx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [ms05443521778] C:\WINDOWS\ms05443521778.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [hhsb1872] RUNDLL32.EXE w01fa9d5.dll,n 001b18710000000301fa9d5
O4 - HKLM\..\Run: [Engflenx] C:\Program Files\Boksppo\Qecugyb.exe
O4 - HKLM\..\Run: [ebuljacA] C:\WINDOWS\ebuljacA.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [jncuzua] C:\WINDOWS\System32\xjstkxj.exe r
O4 - HKLM\..\Run: [win3209217784435] C:\WINDOWS\win3209217784435.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [qqok] C:\PROGRA~1\COMMON~1\qqok\qqokm.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\lwinrpez.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet7_22.dll' missing
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O18 - Filter: text/html - {DA28E0DB-229C-4003-827E-96AE15AD90FB} - C:\WINDOWS\System32\x3cqp0.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\ebuljac.exe (file missing)

#4 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:06:11 PM

Posted 10 July 2006 - 11:51 AM

Hey there.

I need you to run combofix again and post its log.
I see that you ran combofix before runnng ewido, and this mean the combofix log contains files which aren't actually present as Ewido has deleted them.

David

#5 InbewteenNights

InbewteenNights
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:01:11 PM

Posted 10 July 2006 - 12:43 PM

Yeah Ewido kept getting stuck on ssk.exe while cleaning the infected files. So it would never finish and produce a log file. I ran combofix and it took care of the problem and then re-ran Ewido. Here is my current Combofix log.

Start Time= Mon 07/10/2006 12:39:49.89
Running from: C:\Computer Clean Up\Combofix

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-10 11:30:28 143360 ( A.... ) "C:\WINDOWS\win3209217784435.exe"
2006-07-10 11:30:28 143360 ( A.... ) "C:\WINDOWS\win32073521778442006.exe"
2006-07-09 18:41:02 1063 ( A.... ) "C:\WINDOWS\system32\hhsb1872.sys"
2006-07-09 18:41:02 1063 ( A.... ) "C:\WINDOWS\system32\hhsb1872.sys"
2006-07-09 18:41:00 143360 ( A.... ) "C:\WINDOWS\ms05443521778.exe"
2006-07-09 18:36:50 38412 ( A.... ) "C:\WINDOWS\ssqbn.exe"
2006-07-09 18:36:48 926 ( A.... ) "C:\WINDOWS\system32\nt68rrtc12.sys"
2006-07-09 18:36:48 926 ( A.... ) "C:\WINDOWS\system32\nt68rrtc12.sys"
2006-07-09 18:36:42 0 ( A.... ) "C:\Documents and Settings\Mom\Application Data\internaldb41.dat"
2006-07-09 18:36:34 151112 ( A.... ) "C:\mc-110-12-0000228.exe"
2006-07-09 18:36:30 48167 ( A.... ) "C:\WINDOWS\system32\VSL05.exe"
2006-07-09 18:36:18 184829 ( A.... ) "C:\WINDOWS\srvtnrlbbj.exe"
2006-07-09 18:36:18 32976 ( A.... ) "C:\WINDOWS\system32\uninstIcn.exe"
2006-07-09 18:36:18 ( .D... ) "C:\Program Files\PSHope"
2006-07-09 18:36:16 235134 ( A.... ) "C:\WINDOWS\srvqcwgqaz.exe"
2006-07-09 18:35:44 8464 ( A.... ) "C:\WINDOWS\system32\sporder.dll"
2006-07-09 18:34:36 232749 ( A.... ) "C:\WINDOWS\pf78.exe"
2006-07-09 18:34:06 48190 ( A.... ) "C:\RDFX4.exe"
2006-07-09 18:33:26 ( .D... ) "C:\Program Files\ToolBar888"
2006-07-09 18:33:26 ( .D... ) "C:\Program Files\Common Files\{0CFB2073-0A6A-1033-0415-040203200001}"
2006-07-09 18:33:06 ( .DSH. ) "C:\Program Files\outlook"
2006-07-09 18:31:06 ( .D... ) "C:\Program Files\BearShare"
2006-06-15 15:26:40 24576 ( A.... ) "C:\WINDOWS\system32\nr1rnqm8.exe"
2006-05-30 18:09:20 24576 ( A.... ) "C:\WINDOWS\Uninstall.exe"
2006-05-29 21:59:38 ( .D... ) "C:\Program Files\Common Files\HP"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-10 11:30 143,360 C:\WINDOWS\win3209217784435.exe
2006-07-10 11:30 143,360 C:\WINDOWS\win32073521778442006.exe
2006-07-10 11:27 528,011,264 C:\hiberfil.sys
2006-07-09 18:40 143,360 C:\WINDOWS\ms05443521778.exe
2006-07-09 18:36 926 C:\WINDOWS\system32\nt68rrtc12.sys
2006-07-09 18:36 48,167 C:\WINDOWS\system32\VSL05.exe
2006-07-09 18:36 38,412 C:\WINDOWS\ssqbn.exe
2006-07-09 18:36 32,976 C:\WINDOWS\system32\uninstIcn.exe
2006-07-09 18:36 235,134 C:\WINDOWS\srvqcwgqaz.exe
2006-07-09 18:36 184,829 C:\WINDOWS\srvtnrlbbj.exe
2006-07-09 18:36 151,112 C:\mc-110-12-0000228.exe
2006-07-09 18:36 1,063 C:\WINDOWS\system32\hhsb1872.sys
2006-07-09 18:35 8,464 C:\WINDOWS\system32\sporder.dll
2006-07-09 18:35 24,576 C:\WINDOWS\system32\nr1rnqm8.exe
2006-07-09 18:34 48,190 C:\RDFX4.exe
2006-07-09 18:34 232,749 C:\WINDOWS\pf78.exe
2006-07-09 18:34 127,574 C:\WINDOWS\system32\tsuninst.exe
2006-07-09 18:34 1,144,304 C:\WINDOWS\ebuljacA.exe
2006-05-30 18:09 24,576 C:\WINDOWS\Uninstall.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"wsr"="C:\\WINDOWS\\System32\\wsr.exe"
"w01fd867.dll"="RUNDLL32.EXE w01fd867.dll,I2 001b1871001fd867"
"VTTimer"="VTTimer.exe"
"UpdateManager"="\"c:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"tempx"="C:\\WINDOWS\\System32\\tempx.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"outlook"="C:\\Program Files\\outlook\\outlook.exe /auto"
"New.net Startup"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~2.DLL,ClientStartup -s"
"NAV CfgWiz"="c:\\Program Files\\Common Files\\Symantec Shared\\CfgWiz.exe /GUID NAV /CMDLINE \"REBOOT\""
"ms05443521778"="C:\\WINDOWS\\ms05443521778.exe"
"Internet Optimizer"="\"C:\\Program Files\\Internet Optimizer\\optimize.exe\""
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb12.exe"
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd.exe\""
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"hhsb1872"="RUNDLL32.EXE w01fa9d5.dll,n 001b18710000000301fa9d5"
"Engflenx"="C:\\Program Files\\Boksppo\\Qecugyb.exe"
"ebuljacA"="C:\\WINDOWS\\ebuljacA.exe"
"DeviceDiscovery"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpotdd01.exe"
"ccApp"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"AlcxMonitor"="ALCXMNTR.EXE"
"AGRSMMSG"="AGRSMMSG.exe"
"jncuzua"="C:\\WINDOWS\\System32\\xjstkxj.exe r"
"win3209217784435"="C:\\WINDOWS\\win3209217784435.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"qqok"="C:\\PROGRA~1\\COMMON~1\\qqok\\qqokm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"tempx"="C:\\WINDOWS\\System32\\tempx.exe"
"rqvadi"="C:\\WINDOWS\\System32\\rqvadi.exe"
"bslexcu"="C:\\WINDOWS\\System32\\bslexcu.exe"
"wsr"="C:\\WINDOWS\\System32\\wsr.exe"
"ogxle"="C:\\WINDOWS\\System32\\ogxle.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"zat"="C:\\WINDOWS\\System32\\zat.exe"
"{0CFB2073-0A6A-1033-0415-040203200001}"="\"C:\\Program Files\\Common Files\\{0CFB2073-0A6A-1033-0415-040203200001}\\Update.exe\" mc-110-12-0000137"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Disk Cleanup.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Mon 07/10/2006 12:40:36.35
ComboFix ver 06.07.08 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-07-10.102303.txt
ComboFix.2006-07-10.123949.txt

#6 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:06:11 PM

Posted 10 July 2006 - 12:59 PM

Hey InbewteenNights!

Hello there,

It is a good idea to print off these instructions - they will be needed later when internet access is not available. You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above. It is important that you complete the following instructions in the correct order, and also that you don't miss anything out!

Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, copy and paste next in the field:

C:\WINDOWS\system32\hhsb1872.sys

Then click the Send File button below.
Please let me know when you have submitted the file.

* Please set your system to show hidden files; please see here if you're unsure how to do this.

Download LSPFix.exe to a convenient location. Do NOT run this program. This is only to be used if you lose Internet Access after removing NewDotNet.
To Get rid of NewDotNet, go to:
Start > Control Panel > Add or Remove Programs and remove the following:
New.Net Applications or New.Net Domains (anything that says New.Net)
If it is not there, go here and follow Procedure 4: NewDotNet Removal Procedure 4.

In the event that you lose Internet access after removing New.Net, please double-click LSPFix.exe that you downloaded earlier. You will see 2 panels. If there is any file listed in the "Remove" panel on the right-side, leave it as is and just click "Finish>>" then reboot your computer and you should now have access to the Internet. If nothing is listed under the "Remove Panel", do NOT do anything - just close the program. You will need to use another computer to come back here for further instructions on what to do.

* Download Brute Force Uninstaller.
Unzip it to a folder of itís own (c:\BFU).
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Start the Brute Force Uninstaller by doubleclicking BFU.exe

Next to the 'scriptfile to execute'-window you'll see a little icon as shown in next picture: Posted Image
When you click that icon, a little window will open that says: 'Please enter the full URL to the sript you want to execute'
In the field, copy and paste next URL:

http://metallica.geekstogo.com/alcanshorty.bfu

Click Ok.
Then click execute in Brute Force Uninstaller.

Extra note:
If nothing happens after pressing the Execute button, this means that the script didn't download. In that case, download the script
( alcanshorty.bfu ) manually from above url ( rightclick on it and choose 'save as' and save it in your BFU-folder). Then start BFU.exe again and click the browse button next to the 'scriptfile to execute'-window
Browse to the script you downloaded and Click Ok and Execute in Brute Force Uninstaller.


Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

Open notepad and copy and paste next in it:

sc delete "Windows Overlay Components"

Save this as look.bat
Choose to save as all files.
This is how the batch must look afterwards: Posted Image
Doubleclick look.bat and copy the contents of the text file that opens back here.

Now start a new scan with HJT and place a checkmark next to each of the following items (if present):

O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll (file missing)
O4 - HKLM\..\Run: [wsr] C:\WINDOWS\System32\wsr.exe
O4 - HKLM\..\Run: [w01fd867.dll] RUNDLL32.EXE w01fd867.dll,I2 001b1871001fd867
O4 - HKLM\..\Run: [tempx] C:\WINDOWS\System32\tempx.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [ms05443521778] C:\WINDOWS\ms05443521778.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [hhsb1872] RUNDLL32.EXE w01fa9d5.dll,n 001b18710000000301fa9d5
O4 - HKLM\..\Run: [Engflenx] C:\Program Files\Boksppo\Qecugyb.exe
O4 - HKLM\..\Run: [ebuljacA] C:\WINDOWS\ebuljacA.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [jncuzua] C:\WINDOWS\System32\xjstkxj.exe r
O4 - HKLM\..\Run: [win3209217784435] C:\WINDOWS\win3209217784435.exe
O4 - HKCU\..\Run: [qqok] C:\PROGRA~1\COMMON~1\qqok\qqokm.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\lwinrpez.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O18 - Filter: text/html - {DA28E0DB-229C-4003-827E-96AE15AD90FB} - C:\WINDOWS\System32\x3cqp0.dll


* Make sure your Internet Explorer is closed and click on "Fix Checked" and exit HijackThis when finished.

* Download KillBox from here
- Click killbox.exe.
- Select the option "Delete on reboot".
- Click the button: All Files (!important!)
- Now it should flash green.

Now copy the next bold part:

C:\WINDOWS\system32\lwinrpez.exe
C:\WINDOWS\system32\dwdsregt.exe
C:\WINDOWS\win32073521778442006.exe
C:\WINDOWS\win3209217784435.exe
C:\WINDOWS\system32\hhsb1872.sys
C:\WINDOWS\ms05443521778.exe
C:\WINDOWS\ssqbn.exe
C:\WINDOWS\system32\nt68rrtc12.sys
C:\Documents and Settings\Mom\Application Data\internaldb41.dat
C:\mc-110-12-0000228.exe
C:\WINDOWS\system32\VSL05.exe
C:\WINDOWS\srvtnrlbbj.exe
C:\WINDOWS\system32\uninstIcn.exe
C:\Program Files\PSHope
C:\WINDOWS\srvqcwgqaz.exe
C:\WINDOWS\pf78.exe
C:\RDFX4.exe
C:\WINDOWS\system32\nr1rnqm8.exe
C:\WINDOWS\Uninstall.exe
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\ebuljacA.exe
C:\WINDOWS\system32\w01fd867.dll
C:\WINDOWS\System32\tempx.exe
C:\WINDOWS\System32\w01fa9d5.dll
C:\WINDOWS\ebuljacA.exe
C:\WINDOWS\System32\xjstkxj.exe
C:\WINDOWS\System32\rqvadi.exe
C:\WINDOWS\System32\bslexcu.exe
C:\WINDOWS\System32\wsr.exe
C:\WINDOWS\System32\ogxle.exe
C:\WINDOWS\System32\zat.exe


- Open 'file' in the killboxmenu on top and choose Paste from clipboard
- Then press the button that looks like a red circle with a white X in it.
- Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click YES
- If you don't get that message, reboot manually.
- Your computer should reboot now.

Ignore the errors you'll get after reboot, that's normal, they will be gone after performing next steps..

* Reboot into SAFE MODE
By pressing the F8 key right when Windows starts, usually right after you hear your computer
beep when you reboot it (some versions of windows will display 'Starting Windows' with a grey progress bar)
you will be brought to a menu where you can choose to boot into safe mode.
If it does not work on the first try, reboot and try again, as you have to be quick when you press it.

Please delete the following folders (don't be concerned if you can't find them):

C:\Program Files\ToolBar888
C:\Program Files\Common Files\{0CFB2073-0A6A-1033-0415-040203200001}
C:\Program Files\outlook
C:\Program Files\Internet Optimizer
C:\Program Files\Boksppo
C:\Program Files\Common Files\qqok

Please reboot back to normal mode and post a new Hijackthis log, and a new Combofix log.
David

#7 InbewteenNights

InbewteenNights
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:01:11 PM

Posted 10 July 2006 - 01:08 PM

Ok I have submitted the file C:\WINDOWS\system32\hhsb1872.sys

#8 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:06:11 PM

Posted 10 July 2006 - 01:39 PM

The hhsb1872.sys file is safe and does not appear to be malware.
Please continue with the instructions,
David :thumbsup:

#9 InbewteenNights

InbewteenNights
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:01:11 PM

Posted 10 July 2006 - 01:49 PM

Ok I did the look.bat file but it did not open a txt file.

Start Time= Mon 07/10/2006 13:44:26.64
Running from: C:\Computer Clean Up\Combofix

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-09 18:36:18 ( .D... ) "C:\Program Files\PSHope"
2006-07-09 18:35:44 8464 ( A.... ) "C:\WINDOWS\system32\sporder.dll"
2006-07-09 18:31:06 ( .D... ) "C:\Program Files\BearShare"
2006-05-29 21:59:38 ( .D... ) "C:\Program Files\Common Files\HP"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-10 13:38 528,011,264 C:\hiberfil.sys
2006-07-09 18:35 8,464 C:\WINDOWS\system32\sporder.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"VTTimer"="VTTimer.exe"
"UpdateManager"="\"c:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NAV CfgWiz"="c:\\Program Files\\Common Files\\Symantec Shared\\CfgWiz.exe /GUID NAV /CMDLINE \"REBOOT\""
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb12.exe"
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd.exe\""
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"DeviceDiscovery"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpotdd01.exe"
"ccApp"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"AGRSMMSG"="AGRSMMSG.exe"
"rjubwf"="C:\\WINDOWS\\System32\\qypxug.exe r"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"tempx"="C:\\WINDOWS\\System32\\tempx.exe"
"rqvadi"="C:\\WINDOWS\\System32\\rqvadi.exe"
"bslexcu"="C:\\WINDOWS\\System32\\bslexcu.exe"
"wsr"="C:\\WINDOWS\\System32\\wsr.exe"
"ogxle"="C:\\WINDOWS\\System32\\ogxle.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"zat"="C:\\WINDOWS\\System32\\zat.exe"
"{0CFB2073-0A6A-1033-0415-040203200001}"="\"C:\\Program Files\\Common Files\\{0CFB2073-0A6A-1033-0415-040203200001}\\Update.exe\" mc-110-12-0000137"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Disk Cleanup.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Mon 07/10/2006 13:45:07.64
ComboFix ver 06.07.08 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-07-10.102303.txt
ComboFix.2006-07-10.123949.txt
ComboFix.2006-07-10.134426.txt

------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 1:48:07 PM, on 7/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\qypxug.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Computer Clean Up\HJT\HijackThis1991.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [rjubwf] C:\WINDOWS\System32\qypxug.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet7_22.dll' missing
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe

#10 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:06:11 PM

Posted 10 July 2006 - 02:45 PM

Hey InbewteenNights,
This is looking much better!
We've just got an infection, and a few leftovers to delete.

Please read completely through the instructions below and download the files from the links provided. You may want to save or print out these instructions for easier reference.

Download Lavasoft's Ad-Aware and the VX2 Cleaner Plug-in. Install Ad-Aware using the default options, then install vx2cleaner_inst.exe, taking all the defaults there as well.

Run Ad-Aware, update to the latest definitions, then click on Add-ons in the lefthand column.
Select VX2 Cleaner V2.0 and click Run Tool.
Click "OK", then, if something is found, click "Clean" as in the directions given.
Click "Close", and exit Ad-Aware.

Reboot your PC and run Ad-Aware again.
This time, click on the Start button in Ad-Aware, select "Perform smart system scan" and click Next.
Once the scan finishes, click "Next" again.
Select all objects found (right click anywhere in the list of found objects and click "Select All Objects").
Click "Next" one more time, then "OK" to confirm the removal.

You will be prompted to set Ad-Aware to run on reboot, click "OK". Exit Ad-Aware and restart your PC once again.

When Ad-Aware starts up, click on "Start", then "Next".
Follow the steps above if anything is found, or click "Finish", then exit Ad-Aware.

Please finish up by rebooting your system once more, and posting a new HijackThis log, and a new Combofix log.

David

#11 InbewteenNights

InbewteenNights
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:01:11 PM

Posted 10 July 2006 - 10:55 PM

Alrighty here we go!
Start Time= Mon 07/10/2006 22:51:40.79
Running from: C:\Computer Clean Up\Combofix

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-10 22:50:10 ( .D... ) "C:\Program Files\Common Files\tsa"
2006-07-09 18:36:18 ( .D... ) "C:\Program Files\PSHope"
2006-07-09 18:35:44 8464 ( A.... ) "C:\WINDOWS\system32\sporder.dll"
2006-07-09 18:31:06 ( .D... ) "C:\Program Files\BearShare"
2006-05-29 21:59:38 ( .D... ) "C:\Program Files\Common Files\HP"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-10 13:38 528,011,264 C:\hiberfil.sys
2006-07-09 18:35 8,464 C:\WINDOWS\system32\sporder.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"VTTimer"="VTTimer.exe"
"UpdateManager"="\"c:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NAV CfgWiz"="c:\\Program Files\\Common Files\\Symantec Shared\\CfgWiz.exe /GUID NAV /CMDLINE \"REBOOT\""
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb12.exe"
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd.exe\""
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"DeviceDiscovery"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpotdd01.exe"
"ccApp"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"AGRSMMSG"="AGRSMMSG.exe"
"Tsl2"="C:\\PROGRA~1\\COMMON~1\\tsa\\tsl2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"tempx"="C:\\WINDOWS\\System32\\tempx.exe"
"rqvadi"="C:\\WINDOWS\\System32\\rqvadi.exe"
"bslexcu"="C:\\WINDOWS\\System32\\bslexcu.exe"
"wsr"="C:\\WINDOWS\\System32\\wsr.exe"
"ogxle"="C:\\WINDOWS\\System32\\ogxle.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"zat"="C:\\WINDOWS\\System32\\zat.exe"
"{0CFB2073-0A6A-1033-0415-040203200001}"="\"C:\\Program Files\\Common Files\\{0CFB2073-0A6A-1033-0415-040203200001}\\Update.exe\" mc-110-12-0000137"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Disk Cleanup.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Mon 07/10/2006 22:52:38.25
ComboFix ver 06.07.08 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-07-10.102303.txt
ComboFix.2006-07-10.123949.txt
ComboFix.2006-07-10.134426.txt
ComboFix.2006-07-10.225140.txt

====================================
Logfile of HijackThis v1.99.1
Scan saved at 10:54:37 PM, on 7/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Computer Clean Up\HJT\HijackThis1991.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Tsl2] C:\PROGRA~1\COMMON~1\tsa\tsl2.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet7_22.dll' missing
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe

#12 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:06:11 PM

Posted 11 July 2006 - 11:12 AM

Hey there, your Hijackthis log is now clean! :thumbsup:
We've just got a bit of house-cleaning to do...

* Your Java is out of date and the older versions are being exploited by malware. It is the likely cause of your infection, so we need to get it patched up as soon as possible.
  • Go to Start > Control Panel double-click on the Software icon > add/remove programs.
  • Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
    It should have next icon next to it: Posted Image
    Select it and click Remove.
  • Then Download and install the newest version from here:http://www.java.com/en/download/manual.jsp
Previously killbox couldn't delete these files, but the active infection has been killed so hopefully they will be able to be deleted now.
- Open killbox.exe.
- Select the option "Delete on reboot".
- Click the button: All Files (!important!)
- Now it should flash green.

Now copy the next bold part:

C:\WINDOWS\System32\tempx.exe
C:\WINDOWS\System32\rqvadi.exe
C:\WINDOWS\System32\bslexcu.exe
C:\WINDOWS\System32\wsr.exe
C:\WINDOWS\System32\ogxle.exe
C:\WINDOWS\System32\zat.exe


- Open 'file' in the killboxmenu on top and choose Paste from clipboard
- Then press the button that looks like a red circle with a white X in it.
- Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click YES
- If you don't get that message, reboot manually.
- Your computer should reboot now.

Ignore the errors you'll get after reboot, that's normal.

After reboot, delete the following two folders:

C:\Program Files\Common Files\tsa
C:\Program Files\Common Files\{0CFB2073-0A6A-1033-0415-040203200001}

Then please post back with a new Combofix log and a new Hijackthis log.
Also let me know how the computer is running for you :flowers:
David

#13 InbewteenNights

InbewteenNights
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:01:11 PM

Posted 11 July 2006 - 12:15 PM

Computer is running awesome! No more annoying pop ups or lagging!

Logfile of HijackThis v1.99.1
Scan saved at 12:13:55 PM, on 7/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Computer Clean Up\HJT\HijackThis1991.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Tsl2] C:\PROGRA~1\COMMON~1\tsa\tsl2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet7_22.dll' missing
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Start Time= Tue 07/11/2006 12:08:44.84
Running from: C:\Computer Clean Up\Combofix

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-11 11:50:12 ( .D... ) "C:\Program Files\Common Files\Java"
2006-07-09 18:36:18 ( .D... ) "C:\Program Files\PSHope"
2006-07-09 18:35:44 8464 ( A.... ) "C:\WINDOWS\system32\sporder.dll"
2006-07-09 18:31:06 ( .D... ) "C:\Program Files\BearShare"
2006-05-29 21:59:38 ( .D... ) "C:\Program Files\Common Files\HP"
2006-05-03 02:56:58 127078 ( A.... ) "C:\WINDOWS\system32\javaws.exe"
2006-05-03 01:19:40 53346 ( A.... ) "C:\WINDOWS\system32\javaw.exe"
2006-05-03 01:19:30 49248 ( A.... ) "C:\WINDOWS\system32\java.exe"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-11 11:55 22,752 C:\WINDOWS\system32\spupdsvc.exe
2006-07-11 11:53 53,346 C:\WINDOWS\system32\javaw.exe
2006-07-11 11:53 49,248 C:\WINDOWS\system32\java.exe
2006-07-11 11:53 127,078 C:\WINDOWS\system32\javaws.exe
2006-07-10 13:38 528,011,264 C:\hiberfil.sys
2006-07-09 18:35 8,464 C:\WINDOWS\system32\sporder.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"VTTimer"="VTTimer.exe"
"UpdateManager"="\"c:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NAV CfgWiz"="c:\\Program Files\\Common Files\\Symantec Shared\\CfgWiz.exe /GUID NAV /CMDLINE \"REBOOT\""
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb12.exe"
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd.exe\""
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"DeviceDiscovery"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpotdd01.exe"
"ccApp"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"AGRSMMSG"="AGRSMMSG.exe"
"Tsl2"="C:\\PROGRA~1\\COMMON~1\\tsa\\tsl2.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"tempx"="C:\\WINDOWS\\System32\\tempx.exe"
"rqvadi"="C:\\WINDOWS\\System32\\rqvadi.exe"
"bslexcu"="C:\\WINDOWS\\System32\\bslexcu.exe"
"wsr"="C:\\WINDOWS\\System32\\wsr.exe"
"ogxle"="C:\\WINDOWS\\System32\\ogxle.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"zat"="C:\\WINDOWS\\System32\\zat.exe"
"{0CFB2073-0A6A-1033-0415-040203200001}"="\"C:\\Program Files\\Common Files\\{0CFB2073-0A6A-1033-0415-040203200001}\\Update.exe\" mc-110-12-0000137"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Disk Cleanup.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Tue 07/11/2006 12:09:25.62
ComboFix ver 06.07.08 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-07-10.102303.txt
ComboFix.2006-07-10.123949.txt
ComboFix.2006-07-10.134426.txt
ComboFix.2006-07-10.225140.txt
ComboFix.2006-07-11.120844.txt

#14 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:06:11 PM

Posted 11 July 2006 - 04:27 PM

Hey InbewteenNights,
This should be the last step now :thumbsup:

Please open notepad and and copy and paste next bold in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

Save this as "fix.reg" Choose to save as *all files and place it on your desktop.
It should look like this: Posted Image
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Post back with a new Combofix log.
David

#15 InbewteenNights

InbewteenNights
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:01:11 PM

Posted 11 July 2006 - 04:45 PM

Ok got it done! Here's is my combofix log!

Start Time= Tue 07/11/2006 16:43:20.01
Running from: C:\Computer Clean Up\Combofix

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-11 11:50:12 ( .D... ) "C:\Program Files\Common Files\Java"
2006-07-09 18:36:18 ( .D... ) "C:\Program Files\PSHope"
2006-07-09 18:35:44 8464 ( A.... ) "C:\WINDOWS\system32\sporder.dll"
2006-07-09 18:31:06 ( .D... ) "C:\Program Files\BearShare"
2006-05-29 21:59:38 ( .D... ) "C:\Program Files\Common Files\HP"
2006-05-03 02:56:58 127078 ( A.... ) "C:\WINDOWS\system32\javaws.exe"
2006-05-03 01:19:40 53346 ( A.... ) "C:\WINDOWS\system32\javaw.exe"
2006-05-03 01:19:30 49248 ( A.... ) "C:\WINDOWS\system32\java.exe"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-11 16:37 528,011,264 C:\hiberfil.sys
2006-07-11 11:55 22,752 C:\WINDOWS\system32\spupdsvc.exe
2006-07-11 11:53 53,346 C:\WINDOWS\system32\javaw.exe
2006-07-11 11:53 49,248 C:\WINDOWS\system32\java.exe
2006-07-11 11:53 127,078 C:\WINDOWS\system32\javaws.exe
2006-07-09 18:35 8,464 C:\WINDOWS\system32\sporder.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"VTTimer"="VTTimer.exe"
"UpdateManager"="\"c:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb12.exe"
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd.exe\""
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"DeviceDiscovery"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpotdd01.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"Tsl2"="C:\\PROGRA~1\\COMMON~1\\tsa\\tsl2.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Disk Cleanup.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Tue 07/11/2006 16:43:54.26
ComboFix ver 06.07.08 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-07-10.102303.txt
ComboFix.2006-07-10.123949.txt
ComboFix.2006-07-10.134426.txt
ComboFix.2006-07-10.225140.txt
ComboFix.2006-07-11.120844.txt
ComboFix.2006-07-11.164319.txt




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users