
Trojan.dialer And Other Malwares


  • This topic is locked
9 replies to this topic

#1 Lorialo

Lorialo

  • Members
  • 24 posts
  • OFFLINE
  • Local time:06:26 PM

Posted 16 August 2006 - 12:17 AM

I'm running Windows XP Service Pack 2, Internet Explorer and Firefox. I have Ewido, Ashampoo Antispyware, Spyware Doctor and Symantec Antivirus. Symantec is having problems and the dialer continuously interrupts my internet connection.

Please help!

Here's the hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 1:06:25 AM, on 8/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\Program Files\Symantec AntiVirus\DefWatch.exe
D:\Program Files\ewido anti-spyware 4.0\guard.exe
D:\Program Files\Spyware Doctor\sdhelp.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Symantec AntiVirus\Rtvscan.exe
D:\WINDOWS\system32\wdfmgr.exe
D:\WINDOWS\System32\alg.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\hkcmd.exe
D:\Program Files\Analog Devices\Core\smax4pnp.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\PROGRA~1\SYMANT~1\VPTray.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
D:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\WINDOWS\system32\lxamsp32.exe
D:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareGuard.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\TGTSoft\StyleXP\StyleXP.exe
D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
D:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareControl.exe
D:\Program Files\BitComet\BitComet.exe
D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
D:\Program Files\Spyware Doctor\swdoctor.exe
D:\Program Files\LexmarkX63\ACMonitor_X63.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\TEMP\win41C.tmp.exe
D:\Program Files\Real\RealPlayer\RealPlay.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] D:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] D:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PrinTray] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Dell AIO Printer A920] "D:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ashampoo AntiSpyWare Guard] D:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareGuard.exe
O4 - HKLM\..\RunOnce: [Spyware Doctor] "D:\Program Files\Spyware Doctor\swdoctor.exe" /RM /FS /X
O4 - HKCU\..\Run: [STYLEXP] D:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [tunebite.exe] D:\Program Files\tunebite\tunebite.exe -hidden
O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [BitComet] "D:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Wlha] "D:\DOCUME~1\K\APPLIC~1\CURITY~1\tracert.exe" -vt yazr
O4 - HKCU\..\Run: [Jjrfvoaq] D:\Program Files\Common Files\??sembly\netdde.exe
O4 - HKCU\..\Run: [Spyware Doctor] "D:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: AcBtnMgr_X63.exe.lnk = D:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
O4 - Global Startup: ACMonitor_X63.exe.lnk = D:\Program Files\LexmarkX63\ACMonitor_X63.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1139925460781
O17 - HKLM\System\CCS\Services\Tcpip\..\{32E1D550-DED1-448B-9E8E-784C94A97920}: NameServer = 71.252.0.12 71.242.0.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{924C74BE-CFBA-46E3-A61B-63533B4860ED}: NameServer = 71.252.0.12,199.45.32.43
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - D:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: D:\WINDOWS\system32\wuauboot.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - D:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - D:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StyleXPService - Unknown owner - D:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe


Thanks,
Shalimar



#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:01:26 AM

Posted 16 August 2006 - 05:32 AM

Hello,

Go to Start > Control Panel > Add/Remove Programs and uninstall the following if present:

Oin
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin
Cowabanga by OIN
or anything similar with Oin in it.


If OIN is not listed, download and run this uninstaller.

Reboot when done! Really important!

After reboot,

* Download Combofix to your desktop.
Double-click combo.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot, it should open a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Lorialo

Lorialo
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:06:26 PM

Posted 16 August 2006 - 10:11 PM

Combofix didn't open a log, but here's the new HJT log file:

Logfile of HijackThis v1.99.1
Scan saved at 11:07:49 PM, on 8/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\Program Files\Symantec AntiVirus\DefWatch.exe
D:\Program Files\Spyware Doctor\sdhelp.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Symantec AntiVirus\Rtvscan.exe
D:\WINDOWS\system32\wdfmgr.exe
D:\WINDOWS\System32\alg.exe
D:\WINDOWS\system32\hkcmd.exe
D:\Program Files\Analog Devices\Core\smax4pnp.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\PROGRA~1\SYMANT~1\VPTray.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\WINDOWS\system32\lxamsp32.exe
D:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareGuard.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
D:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareControl.exe
D:\Program Files\Spyware Doctor\swdoctor.exe
D:\Program Files\LexmarkX63\ACMonitor_X63.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\ewido anti-spyware 4.0\ewido.exe
D:\WINDOWS\system32\taskmgr.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] D:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] D:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PrinTray] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Dell AIO Printer A920] "D:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ashampoo AntiSpyWare Guard] D:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareGuard.exe
O4 - HKLM\..\RunOnce: [Spyware Doctor] "D:\Program Files\Spyware Doctor\swdoctor.exe" /RM /FS /X
O4 - HKCU\..\Run: [STYLEXP] D:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [tunebite.exe] D:\Program Files\tunebite\tunebite.exe -hidden
O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [BitComet] "D:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "D:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: AcBtnMgr_X63.exe.lnk = D:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
O4 - Global Startup: ACMonitor_X63.exe.lnk = D:\Program Files\LexmarkX63\ACMonitor_X63.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.amaena.com
O15 - Trusted Zone: http://*.systemdoctor.com
O15 - Trusted Zone: http://www.winantivirus.com
O15 - Trusted Zone: http://www.winantiviruspro.com
O15 - Trusted Zone: http://download.cdn.winsoftware.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1139925460781
O17 - HKLM\System\CCS\Services\Tcpip\..\{924C74BE-CFBA-46E3-A61B-63533B4860ED}: NameServer = 71.252.0.12,199.45.32.43
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - D:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs:
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - D:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - D:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StyleXPService - Unknown owner - D:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe
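As an added example (not part of this thread, and not code from HijackThis or ComboFix), the script below applies a few review rules to HijackThis-style lines of the kinds that appear in the two logs above: O4 autoruns started from a user-profile or oddly named directory, O15 Trusted Zone additions, O17 DNS server changes, and a populated O20 AppInit_DLLs. The sample input is constructed from lines in this thread plus one benign Symantec entry for contrast; the user-profile markers and the two System32 binary names (tracert.exe, netdde.exe) are assumptions chosen for the example.

```python
"""Triage rules for HijackThis-style log lines (added example, not from the thread)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: lines copied from the two HijackThis logs in this thread,
# plus one benign Symantec autorun (ccApp) for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Wlha] "D:\DOCUME~1\K\APPLIC~1\CURITY~1\tracert.exe" -vt yazr
O4 - HKCU\..\Run: [Jjrfvoaq] D:\Program Files\Common Files\??sembly\netdde.exe
O15 - Trusted Zone: http://www.winantivirus.com
O15 - Trusted Zone: http://*.systemdoctor.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{924C74BE-CFBA-46E3-A61B-63533B4860ED}: NameServer = 71.252.0.12,199.45.32.43
O20 - AppInit_DLLs: D:\WINDOWS\system32\wuauboot.dll
O20 - AppInit_DLLs:
R3 - Default URLSearchHook is missing
"""

# Assumptions for this example (not from the page): substrings that mark a
# per-user location, and two Windows binaries whose genuine home is System32
# but which appear under other directories in the thread's logs.
USER_PROFILE_MARKERS = ("docume~1", "documents and settings", "applic~1",
                        "application data", "local settings", "\\temp\\")
SYSTEM32_BINARIES = {"tracert.exe", "netdde.exe"}

LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")


@dataclass
class Finding:
    section: str
    severity: str
    reason: str
    line: str


def extract_path(cmd: str) -> Optional[str]:
    """Return the executable path from an O4 command string (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else None
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else None


def check_o4(body: str, line: str) -> list[Finding]:
    """Registry Run entries: where does the program really live?"""
    m = re.match(r"[^:]+:\s*\[[^\]]*\]\s*(.*)", body)
    path = extract_path(m.group(1)) if m else None
    if not path:
        return []
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    out = []
    if any(marker in low for marker in USER_PROFILE_MARKERS):
        out.append(Finding("O4", "high", "autorun launched from a user-profile directory", line))
    if "?" in path:
        out.append(Finding("O4", "high", "directory name contains non-printable characters", line))
    if name in SYSTEM32_BINARIES and "\\windows\\system32\\" not in low:
        out.append(Finding("O4", "high", f"{name} is a System32 binary name running from elsewhere", line))
    return out


def check_o15(body: str, line: str) -> list[Finding]:
    """Trusted Zone additions relax IE security for the named site."""
    site = body.split(":", 1)[1].strip()
    severity = "high" if "*" in site else "medium"
    return [Finding("O15", severity, f"{site} added to the IE Trusted Zone", line)]


def check_o17(body: str, line: str) -> list[Finding]:
    """Per-adapter DNS servers: not malicious by themselves, but worth confirming."""
    servers = re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", body)
    if not servers:
        return []
    return [Finding("O17", "info", "DNS servers " + ", ".join(servers) + "; confirm they belong to the ISP", line)]


def check_o20(body: str, line: str) -> list[Finding]:
    """AppInit_DLLs is loaded into every process that maps user32.dll."""
    value = body.split(":", 1)[1].strip()
    if not value:
        return []
    return [Finding("O20", "high", f"AppInit_DLLs loads {value} into every user32 process", line)]


CHECKS = {"O4": check_o4, "O15": check_o15, "O17": check_o17, "O20": check_o20}


def analyze(log_text: str) -> list[Finding]:
    """Run the section-specific checks over every recognised log line."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        check = CHECKS.get(section)
        if check:
            findings.extend(check(body, line))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

Run against the sample, the script reports nothing for the Symantec ccApp entry and eight findings for the rest: two each for the Wlha and Jjrfvoaq autoruns, one per Trusted Zone site (the wildcard entry rated higher), an informational note listing the DNS servers, and a high finding for the AppInit_DLLs value; the empty O20 line from the second log is silent.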

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:01:26 AM

Posted 17 August 2006 - 12:44 AM

Hello,

Download this version of combofix:

* Download Combofix
Then run it again.

Also, can you rename HijackThis.exe to Analyse.exe?
Then scan with Analyse.exe and post the log in your next reply (which will be a HijackThis log, of course).

#5 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:01:26 AM

Posted 17 August 2006 - 01:10 AM

By the way, can you look if there's a combofix.txt created on your D:\? That's the log.

#6 Lorialo

Lorialo
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:06:26 PM

Posted 17 August 2006 - 06:32 PM

Here is the ComboFix log from before:
K*Administrators - 06-08-16 21:40:13.84
ComboFix 06.08.17 - Running from: D:\Documents and Settings\K\Desktop

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


D:\Program Files\Common Files\Y1123OU.exe
D:\WINDOWS\system32\components
D:\Program Files\Common Files\{ECAB85FE-0958-1033-1202-030512200001}
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

D:\QooBox\Purity\Documents and Settings\K\Application Data\STEM32~1
D:\QooBox\Purity\Documents and Settings\K\Application Data\YMBOLS~1
D:\QooBox\Purity\Documents and Settings\K\Application Data\STEM32~1\STEM32~1
D:\QooBox\Purity\Documents and Settings\K\Application Data\STEM32~1\STEM32~1\ctxad-454.0000
D:\QooBox\Purity\Documents and Settings\K\Application Data\STEM32~1\STEM32~1\ctxad-454.0001
D:\QooBox\Purity\Documents and Settings\K\Application Data\STEM32~1\STEM32~1\ctxad-454.0002
D:\QooBox\Purity\Documents and Settings\K\Application Data\STEM32~1\STEM32~1\ctxad-454.0003
D:\QooBox\Purity\Documents and Settings\K\Application Data\STEM32~1\STEM32~1\ctxad-454.0004
D:\QooBox\Purity\Documents and Settings\K\Application Data\STEM32~1\STEM32~1\ctxad-454.0005
D:\QooBox\Purity\Documents and Settings\K\Application Data\STEM32~1\STEM32~1\ctxad-454.0006
D:\QooBox\Purity\Documents and Settings\K\Application Data\STEM32~1\STEM32~1\ctxad-454.0007
D:\QooBox\Purity\Documents and Settings\K\My Documents\ICROSO~1
D:\QooBox\Purity\Documents and Settings\K\My Documents\SMBOLS~1
D:\QooBox\Purity\Documents and Settings\K\My Documents\SSTEM~1
D:\QooBox\Purity\Program Files\Common Files\SEMBLY~1
D:\QooBox\Purity\WINDOWS\PPATCH~1
D:\QooBox\Purity\WINDOWS\system32\ECURIT~1


((((((((((((((((((((((((((((((( Files Created from 2006-07-16 to 2006-08-16 ))))))))))))))))))))))))))))))))))


2006-08-16 21:36 12,308 D:\WINDOWS\system32\ydpwwafg.exe
2006-08-16 21:35 12,820 D:\WINDOWS\system32\htwrhyas.exe
2006-08-16 20:52 12,308 D:\WINDOWS\system32\urransxk.exe
2006-08-16 20:50 12,820 D:\WINDOWS\system32\xpusjnqd.exe
2006-08-16 02:14 40,973 D:\WINDOWS\system32\qomkkhg.dll
2006-08-15 21:12 1,020,230 D:\WINDOWS\system32\qqstv.ini2
2006-08-09 03:47 1,018,895 D:\WINDOWS\system32\qqstv.bak2
2006-08-08 15:46 631,722 D:\WINDOWS\system32\qqstv.bak1
2006-08-08 15:45 573,492 D:\WINDOWS\system32\vtsqq.dll
2006-08-08 15:42 2 D:\WINDOWS\system32\wcpit.exe
2006-08-08 15:39 40,973 D:\WINDOWS\system32\byxwuus.dll
2006-08-08 15:39 18,944 D:\WINDOWS\system32\winjyg32.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-16 21:46 1020230 ---hs---- D:\WINDOWS\system32\qqstv.ini2
2006-08-16 21:46 -------- d-------- D:\Program Files\Common Files
2006-08-16 21:36 12308 --a------ D:\WINDOWS\system32\ydpwwafg.exe
2006-08-16 21:35 12820 --a------ D:\WINDOWS\system32\htwrhyas.exe
2006-08-16 21:34 -------- d-------- D:\Program Files\Mozilla Firefox
2006-08-16 21:15 1018895 ---hs---- D:\WINDOWS\system32\qqstv.bak2
2006-08-16 21:14 -------- d-------- D:\Program Files\Symantec AntiVirus
2006-08-16 20:52 12308 --a------ D:\WINDOWS\system32\urransxk.exe
2006-08-16 20:50 12820 --a------ D:\WINDOWS\system32\xpusjnqd.exe
2006-08-16 02:14 40973 ---hs---- D:\WINDOWS\system32\qomkkhg.dll
2006-08-16 01:05 -------- d-------- D:\Program Files\HijackThis
2006-08-16 00:41 -------- d-------- D:\Program Files\ewido anti-spyware 4.0
2006-08-15 23:45 -------- d-------- D:\Program Files\Spyware Doctor
2006-08-15 23:42 -------- d-------- D:\Program Files\Trillian Pro
2006-08-15 23:08 -------- d-------- D:\Documents and Settings\K\Application Data\U3
2006-08-15 22:39 51072 --a------ D:\WINDOWS\system32\drivers\ikhlayer.sys
2006-08-15 22:39 30592 --a------ D:\WINDOWS\system32\drivers\ikhfile.sys
2006-08-14 20:39 631722 ---hs---- D:\WINDOWS\system32\qqstv.bak1
2006-08-09 01:39 -------- d-------- D:\Program Files\Trillian
2006-08-09 01:10 -------- d-------- D:\Program Files\WinAce
2006-08-09 00:51 -------- d-------- D:\Program Files\PhotoParade Share Uploader
2006-08-09 00:43 -------- d-------- D:\Documents and Settings\K\Application Data\tunebite
2006-08-08 15:45 573492 ---hs---- D:\WINDOWS\system32\vtsqq.dll
2006-08-08 15:42 2 --a------ D:\WINDOWS\system32\wcpit.exe
2006-08-08 15:39 40973 ---hs---- D:\WINDOWS\system32\byxwuus.dll
2006-08-08 15:39 18944 --a------ D:\WINDOWS\system32\winjyg32.dll
2006-07-27 09:24 679424 --a------ D:\WINDOWS\system32\inetcomm.dll
2006-07-27 02:27 -------- d-------- D:\Documents and Settings\K\Application Data\LimeWire
2006-07-21 04:24 72704 --a------ D:\WINDOWS\system32\hlink.dll
2006-07-18 02:53 -------- d--h----- D:\Program Files\InstallShield Installation Information
2006-07-18 02:52 -------- d-------- D:\Program Files\iTunes
2006-07-18 02:52 -------- d-------- D:\Program Files\iPod
2006-07-17 08:56 14848 --a------ D:\WINDOWS\system32\BASSMOD.dll
2006-07-14 13:30 -------- d-------- D:\Documents and Settings\K\Application Data\vlc
2006-07-14 03:48 -------- d-------- D:\Program Files\Windows Defender
2006-06-29 02:56 -------- d-------- D:\Program Files\SDP
2006-06-28 15:31 -------- d---s---- D:\Documents and Settings\K\Application Data\Microsoft
2006-06-25 21:25 595881 ---hs---- D:\WINDOWS\system32\ffhkj.ini2
2006-06-25 04:51 778871 ---hs---- D:\WINDOWS\system32\ffhkj.bak2
2006-06-24 04:49 779001 ---hs---- D:\WINDOWS\system32\ffhkj.bak1
2006-06-23 03:12 -------- d-------- D:\Program Files\Ashampoo
2006-06-21 19:36 -------- d-------- D:\Program Files\MSBuild
2006-06-21 19:36 -------- d-------- D:\Program Files\Common Files\Microsoft Shared
2006-06-21 19:35 -------- d-------- D:\Program Files\Microsoft Visual Studio
2006-06-21 19:35 -------- d-------- D:\Program Files\Microsoft Office
2006-06-21 19:35 -------- d-------- D:\Program Files\Common Files\DESIGNER
2006-06-21 19:33 -------- d-------- D:\Program Files\Microsoft Works
2006-06-21 19:32 -------- d-------- D:\Program Files\Microsoft.NET
2006-06-21 19:32 -------- d-------- D:\Program Files\Common Files\ODBC
2006-06-21 00:46 -------- d-------- D:\Program Files\Common Files\Symantec Shared
2006-06-20 12:12 -------- d-------- D:\Documents and Settings\K\Application Data\CoreCodec
2006-06-17 14:29 -------- d-------- D:\Documents and Settings\K\Application Data\Lavasoft
2006-06-17 13:44 -------- d-------- D:\Program Files\Lavasoft
2006-06-07 00:10 32887 --a------ D:\WINDOWS\system32\delme.exe
2006-06-06 21:33 816640 ---h----- D:\WINDOWS\system32\wodfamoh.dll
2006-06-04 13:30 2317824 --a------ D:\WINDOWS\system32\kernel1.exe
2006-06-04 00:24 352256 --a------ D:\WINDOWS\eSellerateEngine.dll
2006-06-01 12:55 155648 ---hs---- D:\Program Files\Common Files\Y1123OA.exe
2006-05-18 22:48 22344 --a------ D:\WINDOWS\system32\iscsilog.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="D:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="D:\\WINDOWS\\system32\\hkcmd.exe"
"SoundMAXPnP"="D:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"IMJPMIG8.1"="\"D:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"IMEKRMIG6.1"="D:\\WINDOWS\\ime\\imkr6_1\\IMEKRMIG.EXE"
"MSPY2002"="D:\\WINDOWS\\System32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="D:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="D:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"PrinTray"="D:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\printray.exe"
"ccApp"="\"D:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="D:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"NeroFilterCheck"="D:\\WINDOWS\\system32\\NeroCheck.exe"
"TkBellExe"="\"D:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Dell AIO Printer A920"="\"D:\\Program Files\\Dell AIO Printer A920\\dlbkbmgr.exe\""
"QuickTime Task"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="D:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"lxamsp32.exe"="lxamsp32.exe"
"Windows Defender"="\"D:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"iTunesHelper"="\"D:\\Program Files\\iTunes\\iTunesHelper.exe\""
"Ashampoo AntiSpyWare Guard"="D:\\Program Files\\Ashampoo\\Ashampoo AntiSpyWare\\AntiSpyWareGuard.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"STYLEXP"="D:\\Program Files\\TGTSoft\\StyleXP\\StyleXP.exe -Hide"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"D:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""
"tunebite.exe"="D:\\Program Files\\tunebite\\tunebite.exe -hidden"
"updateMgr"="\"D:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_7 -reboot 1"
"BitComet"="\"D:\\Program Files\\BitComet\\BitComet.exe\""
"Yahoo! Pager"="\"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"Spyware Doctor"="\"D:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"Spyware Doctor"="\"D:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /RM /FS /X"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000003

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wlha"="\"D:\\DOCUME~1\\K\\APPLIC~1\\STEM32~1\\javaw.exe\" -vt ndrv"
"Spyware Doctor"="\"D:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wlha"="\"D:\\DOCUME~1\\K\\APPLIC~1\\STEM32~1\\javaw.exe\" -vt ndrv"
"Spyware Doctor"="\"D:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{553858A7-4922-4e7e-B1C1-97140C1C16EF}"="IE Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{5A3E97DD-2A08-48BC-8F43-C0DEABC90266}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MSMSGS"
"hkey"="HKCU"
"command"="\"D:\\Program Files\\Messenger\\MSMSGS.EXE\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\Spyware Doctor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="swdoctor"
"hkey"="HKCU"
"command"="\"D:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YAHOOM~1"
"hkey"="HKCU"
"command"="\"D:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomkkhg
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtsqq


Contents of the 'Scheduled Tasks' folder
D:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: Wed 08/16/2006 21:48:27.51
ComboFix.txt


Analyse.exe log:
Logfile of HijackThis v1.99.1
Scan saved at 7:31:15 PM, on 8/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\Program Files\Symantec AntiVirus\DefWatch.exe
D:\Program Files\ewido anti-spyware 4.0\guard.exe
D:\Program Files\Spyware Doctor\sdhelp.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Symantec AntiVirus\Rtvscan.exe
D:\WINDOWS\system32\wdfmgr.exe
D:\WINDOWS\System32\alg.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\hkcmd.exe
D:\Program Files\Analog Devices\Core\smax4pnp.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\PROGRA~1\SYMANT~1\VPTray.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\WINDOWS\system32\lxamsp32.exe
D:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
D:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareGuard.exe
D:\WINDOWS\system32\taskmgr.exe
D:\Program Files\TGTSoft\StyleXP\StyleXP.exe
D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\BitComet\BitComet.exe
D:\Program Files\Spyware Doctor\swdoctor.exe
D:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareControl.exe
D:\Program Files\LexmarkX63\ACMonitor_X63.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\HijackThis\Analyse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5A3E97DD-2A08-48BC-8F43-C0DEABC90266} - D:\WINDOWS\system32\qomkkhg.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {8D1BFC36-8D27-4ED9-803B-70209B90F8C8} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {D4B46A55-7FD5-4352-8686-BE9CFF311860} - D:\WINDOWS\system32\vtsqq.dll
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] D:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] D:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PrinTray] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Dell AIO Printer A920] "D:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ashampoo AntiSpyWare Guard] D:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareGuard.exe
O4 - HKCU\..\Run: [STYLEXP] D:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [tunebite.exe] D:\Program Files\tunebite\tunebite.exe -hidden
O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [BitComet] "D:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "D:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: AcBtnMgr_X63.exe.lnk = D:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
O4 - Global Startup: ACMonitor_X63.exe.lnk = D:\Program Files\LexmarkX63\ACMonitor_X63.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1139925460781
O17 - HKLM\System\CCS\Services\Tcpip\..\{32E1D550-DED1-448B-9E8E-784C94A97920}: NameServer = 71.252.0.12 71.242.0.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{924C74BE-CFBA-46E3-A61B-63533B4860ED}: NameServer = 71.252.0.12,199.45.32.43
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - D:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - D:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: qomkkhg - qomkkhg.dll (file missing)
O20 - Winlogon Notify: vtsqq - D:\WINDOWS\system32\vtsqq.dll
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - D:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - D:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StyleXPService - Unknown owner - D:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 18 August 2006 - 02:32 AM

Hello,

Please perform my next steps in the right order!

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Please hide your hidden files and folders again afterwards, when we are done with this thread and your problems are solved, because the above instructions to set your system to show all files unhide legitimate files and folders as well.
And I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.


Delete the following files:

D:\WINDOWS\system32\wcpit.exe
D:\WINDOWS\system32\ydpwwafg.exe
D:\WINDOWS\system32\htwrhyas.exe
D:\WINDOWS\system32\byxwuus.dll
D:\WINDOWS\system32\winjyg32.dll
D:\Program Files\Common Files\Y1123OA.exe
D:\WINDOWS\system32\urransxk.exe
D:\WINDOWS\system32\xpusjnqd.exe
D:\WINDOWS\system32\qomkkhg.dll

* Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop and run it.

Paste the following bold part into the Suspicious File Packer window:

D:\WINDOWS\system32\kernel1.exe
D:\WINDOWS\system32\wodfamoh.dll
D:\WINDOWS\system32\delme.exe


Allow SFP to pack the file. This will generate a CAB archive on your desktop.
Go to this page.
Enter the url of this thread in the first field.
Where it says "browse to the file that you want to submit", click the browse button next to the second field and browse to the CAB archive that was created on your desktop.
The cab file will be called requested-files[*].cab (the * stands for the date and hour).
Then click the Send File button below.

Extra question, do you use a modified bootscreen? Because the kernel1.exe could be a part of your StyleXP, but I want to be sure here.

Then, go to Start > Run and copy and paste the next command into the field:

"D:\Documents and Settings\K\Desktop\combofix.exe" /v vtsqq

Hit enter.
This should start the combofix again in another way.
Let it run. It will reboot and open a new log afterwards. I need that log later.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: (no name) - {5A3E97DD-2A08-48BC-8F43-C0DEABC90266} - D:\WINDOWS\system32\qomkkhg.dll (file missing)
O2 - BHO: (no name) - {8D1BFC36-8D27-4ED9-803B-70209B90F8C8} - (no file)
O2 - BHO: (no name) - {D4B46A55-7FD5-4352-8686-BE9CFF311860} - D:\WINDOWS\system32\vtsqq.dll
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O20 - AppInit_DLLs:
O20 - Winlogon Notify: qomkkhg - qomkkhg.dll (file missing)
O20 - Winlogon Notify: vtsqq - D:\WINDOWS\system32\vtsqq.dll


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Ignore the error you'll get in hijackthis.

Then post a new HijackThis log together with the new log from ComboFix.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
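The entries miekiemoes asks to have fixed above share a few traits that a defender can check mechanically: BHOs registered with no name or pointing at a file that no longer exists, a Run value that names a bare executable (resolved by PATH search at logon), a set AppInit_DLLs value, and Winlogon Notify packages that are either missing or not among the ones expected on the machine. The script below is an added example written for this thread; it is not part of HijackThis, ComboFix or the helper's procedure. The allowlist of Winlogon Notify packages is an assumption (the packages left untouched in the log above plus the stock Windows XP set), and the sample log is a constructed subset of the lines posted in this thread.

```python
"""Triage HijackThis O2 / O4 / O20 lines with simple defensive heuristics.

Added example for this thread, not part of HijackThis or ComboFix.
KNOWN_NOTIFY is an assumption: the packages the helper left alone in the
log above plus the stock Windows XP Winlogon notification packages.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",   # stock XP (assumed)
    "igfxcui", "navlogon", "wgalogon",                 # left alone in the log above
}

RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RE_O4 = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RE_O20 = re.compile(r"^O20 - (?P<kind>AppInit_DLLs|Winlogon Notify):\s*(?P<rest>.*)$")

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5A3E97DD-2A08-48BC-8F43-C0DEABC90266} - D:\WINDOWS\system32\qomkkhg.dll (file missing)
O2 - BHO: (no name) - {8D1BFC36-8D27-4ED9-803B-70209B90F8C8} - (no file)
O2 - BHO: (no name) - {D4B46A55-7FD5-4352-8686-BE9CFF311860} - D:\WINDOWS\system32\vtsqq.dll
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O20 - AppInit_DLLs:
O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: qomkkhg - qomkkhg.dll (file missing)
O20 - Winlogon Notify: vtsqq - D:\WINDOWS\system32\vtsqq.dll
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
"""


@dataclass(frozen=True)
class Finding:
    line: str
    reasons: Tuple[str, ...]


def _executable(cmd: str) -> str:
    """Return the program part of a Run value, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one HijackThis line, or None if nothing stands out."""
    line = line.rstrip()
    reasons = []
    if m := RE_O2.match(line):
        if "(file missing)" in m["path"] or m["path"] == "(no file)":
            reasons.append("BHO CLSID points at a file that no longer exists")
        if m["name"] == "(no name)":
            reasons.append("BHO registered without a name")
    elif m := RE_O4.match(line):
        if "\\" not in _executable(m["cmd"]):
            reasons.append("Run entry gives a bare file name; resolved by PATH search at logon")
    elif m := RE_O20.match(line):
        if m["kind"] == "AppInit_DLLs":
            # HijackThis lists this key only when the value exists, so even an
            # apparently blank value is worth a look.
            reasons.append("AppInit_DLLs value is set")
        else:
            name, _, target = m["rest"].partition(" - ")
            if "(file missing)" in target:
                reasons.append("Winlogon Notify package file is missing")
            elif name.lower() not in KNOWN_NOTIFY:
                reasons.append("Winlogon Notify package not in the allowlist")
    return Finding(line, tuple(reasons)) if reasons else None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every non-blank line of a HijackThis log."""
    return [f for ln in text.splitlines() if ln.strip() and (f := triage_line(ln))]


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("    ->", reason)
```

On the constructed sample the script flags the same seven lines the helper asked to have checked in HijackThis and leaves the Adobe, igfxcui and WgaLogon entries alone. The heuristics are only a first pass for triage; the allowlist and the "bare file name" rule will need tuning for any other machine, and a flagged line still needs the kind of manual review the helper performs here.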

#8 Lorialo

Lorialo
  • Topic Starter

  • Members
  • 24 posts

Posted 21 August 2006 - 01:01 PM

Yes, I do use a modified bootscreen.

Here's the Combo Fix log:

(((((((((((((((((((((((((((((((((((((((((((((((( Vundo Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


D:\WINDOWS\SYSTEM32\VTSQQ.DLL
D:\WINDOWS\SYSTEM32\QQSTV.INI
D:\WINDOWS\SYSTEM32\QQSTV.TMP


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



13:40:19.92
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-18 08:14:40 13844 ( A.... ) "D:\WINDOWS\system32\esagyuwt.exe"
2006-08-17 19:57:32 13844 ( A.... ) "D:\WINDOWS\system32\iwetvwkm.exe"
2006-08-16 23:04:28 12820 ( A.... ) "D:\WINDOWS\system32\jadumltx.exe"
2006-08-16 23:04:20 12308 ( A.... ) "D:\WINDOWS\system32\xepanpuu.exe"
2006-08-16 22:56:22 12308 ( A.... ) "D:\WINDOWS\system32\kugeihco.exe"
2006-08-16 22:56:08 12820 ( A.... ) "D:\WINDOWS\system32\bjswdjor.exe"
2006-08-16 22:47:32 12820 ( A.... ) "D:\WINDOWS\system32\vvyvpidq.exe"
2006-08-16 22:47:10 12308 ( A.... ) "D:\WINDOWS\system32\wvoxvbiu.exe"
2006-08-16 22:26:38 12308 ( A.... ) "D:\WINDOWS\system32\necrcxbm.exe"
2006-08-16 22:26:32 12820 ( A.... ) "D:\WINDOWS\system32\cklxnvay.exe"
2006-08-09 01:41:14 ( .D... ) "D:\Program Files\Trillian Pro"
2006-07-27 09:24:46 679424 ( A.... ) "D:\WINDOWS\system32\inetcomm.dll"
2006-07-21 04:24:44 72704 ( A.... ) "D:\WINDOWS\system32\hlink.dll"
2006-07-18 02:52:18 ( .D... ) "D:\Program Files\iTunes"
2006-07-18 02:52:18 ( .D... ) "D:\Program Files\iPod"
2006-07-17 21:28:48 ( .D... ) "D:\Program Files\PhotoParade Share Uploader"
2006-07-17 08:56:40 14848 ( A.... ) "D:\WINDOWS\system32\BASSMOD.dll"
2006-07-14 13:30:42 ( .D... ) "D:\Documents and Settings\K\Application Data\vlc"
2006-07-14 11:31:40 332288 ( A.... ) "D:\WINDOWS\system32\netapi32.dll"
2006-07-14 03:48:04 ( .D... ) "D:\Program Files\Windows Defender"
2006-07-13 09:33:28 8453632 ( A.... ) "D:\WINDOWS\system32\shell32.dll"
2006-07-05 06:55:02 984064 ( A.... ) "D:\WINDOWS\system32\kernel32.dll"
2006-06-29 02:56:34 ( .D... ) "D:\Program Files\SDP"
2006-06-28 15:27:10 ( .D... ) "D:\Program Files\HijackThis"
2006-06-26 13:37:10 148480 ( A.... ) "D:\WINDOWS\system32\dnsapi.dll"
2006-06-26 13:37:10 8192 ( A.... ) "D:\WINDOWS\system32\rasadhlp.dll"
2006-06-25 21:42:04 ( .D... ) "D:\Program Files\Spyware Doctor"
2006-06-21 19:36:16 ( .D... ) "D:\Program Files\MSBuild"
2006-06-21 19:35:38 ( .D... ) "D:\Program Files\Microsoft Visual Studio"
2006-06-21 19:35:38 ( .D... ) "D:\Program Files\Common Files\DESIGNER"
2006-06-21 19:33:02 ( .D... ) "D:\Program Files\Microsoft Works"
2006-06-21 19:32:58 ( .D... ) "D:\Program Files\Microsoft.NET"
2006-06-21 19:32:58 ( .D... ) "D:\Program Files\Common Files\ODBC"
2006-06-21 00:37:30 ( .D... ) "D:\Program Files\Ashampoo"
2006-06-19 16:20:42 702768 ( A.... ) "D:\WINDOWS\system32\WgaLogon.dll"
2006-06-07 00:10:44 32887 ( A.... ) "D:\WINDOWS\system32\delme.exe"
2006-06-06 21:33:26 816640 ( A..H. ) "D:\WINDOWS\system32\wodfamoh.dll"
2006-06-04 13:30:32 2317824 ( A.... ) "D:\WINDOWS\system32\kernel1.exe"
2006-06-04 00:24:28 352256 ( A.... ) "D:\WINDOWS\eSellerateEngine.dll"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-08-18 08:14 13,844 D:\WINDOWS\system32\esagyuwt.exe
2006-08-17 19:57 13,844 D:\WINDOWS\system32\iwetvwkm.exe
2006-08-16 23:04 12,820 D:\WINDOWS\system32\jadumltx.exe
2006-08-16 23:04 12,308 D:\WINDOWS\system32\xepanpuu.exe
2006-08-16 22:56 12,820 D:\WINDOWS\system32\bjswdjor.exe
2006-08-16 22:56 12,308 D:\WINDOWS\system32\kugeihco.exe
2006-08-16 22:47 12,820 D:\WINDOWS\system32\vvyvpidq.exe
2006-08-16 22:47 12,308 D:\WINDOWS\system32\wvoxvbiu.exe
2006-08-16 22:26 12,820 D:\WINDOWS\system32\cklxnvay.exe
2006-08-16 22:26 12,308 D:\WINDOWS\system32\necrcxbm.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"="D:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="D:\\WINDOWS\\system32\\hkcmd.exe"
"SoundMAXPnP"="D:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"IMJPMIG8.1"="\"D:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"IMEKRMIG6.1"="D:\\WINDOWS\\ime\\imkr6_1\\IMEKRMIG.EXE"
"MSPY2002"="D:\\WINDOWS\\System32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="D:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="D:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"PrinTray"="D:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\printray.exe"
"ccApp"="\"D:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="D:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"NeroFilterCheck"="D:\\WINDOWS\\system32\\NeroCheck.exe"
"TkBellExe"="\"D:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Dell AIO Printer A920"="\"D:\\Program Files\\Dell AIO Printer A920\\dlbkbmgr.exe\""
"QuickTime Task"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="D:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"lxamsp32.exe"="lxamsp32.exe"
"Windows Defender"="\"D:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"iTunesHelper"="\"D:\\Program Files\\iTunes\\iTunesHelper.exe\""
"Ashampoo AntiSpyWare Guard"="D:\\Program Files\\Ashampoo\\Ashampoo AntiSpyWare\\AntiSpyWareGuard.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"STYLEXP"="D:\\Program Files\\TGTSoft\\StyleXP\\StyleXP.exe -Hide"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"D:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""
"tunebite.exe"="D:\\Program Files\\tunebite\\tunebite.exe -hidden"
"updateMgr"="\"D:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_7 -reboot 1"
"BitComet"="\"D:\\Program Files\\BitComet\\BitComet.exe\""
"Yahoo! Pager"="\"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"Spyware Doctor"="\"D:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000002

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Wlha"="\"D:\\DOCUME~1\\K\\APPLIC~1\\STEM32~1\\javaw.exe\" -vt ndrv"
"Spyware Doctor"="\"D:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Wlha"="\"D:\\DOCUME~1\\K\\APPLIC~1\\STEM32~1\\javaw.exe\" -vt ndrv"
"Spyware Doctor"="\"D:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{553858A7-4922-4e7e-B1C1-97140C1C16EF}"="IE Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{5A3E97DD-2A08-48BC-8F43-C0DEABC90266}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MSMSGS"
"hkey"="HKCU"
"command"="\"D:\\Program Files\\Messenger\\MSMSGS.EXE\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="swdoctor"
"hkey"="HKCU"
"command"="\"D:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YAHOOM~1"
"hkey"="HKCU"
"command"="\"D:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"inimapping"="0"

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
DisableRegistryTools REG_DWORD 0 (0x0)

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WinDefend


Contents of the 'Scheduled Tasks' folder
D:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: Mon 08/21/2006 13:40:47.48
ComboFix ver 06.07.15/30 - This logfile is located at D:\ComboFix.txt

ComboFix.2006-08-21.125813.txt

HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 1:55:59 PM, on 8/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Symantec AntiVirus\DefWatch.exe
D:\Program Files\ewido anti-spyware 4.0\guard.exe
D:\Program Files\Spyware Doctor\sdhelp.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Symantec AntiVirus\Rtvscan.exe
D:\WINDOWS\system32\wdfmgr.exe
D:\WINDOWS\System32\alg.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\hkcmd.exe
D:\Program Files\Analog Devices\Core\smax4pnp.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\PROGRA~1\SYMANT~1\VPTray.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
D:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareGuard.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\TGTSoft\StyleXP\StyleXP.exe
D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
D:\Program Files\tunebite\tunebite.exe
D:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareControl.exe
D:\Program Files\BitComet\BitComet.exe
D:\Program Files\Spyware Doctor\swdoctor.exe
D:\Program Files\LexmarkX63\ACMonitor_X63.exe
D:\Program Files\HijackThis\Analyse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] D:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] D:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] D:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PrinTray] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Dell AIO Printer A920] "D:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ashampoo AntiSpyWare Guard] D:\Program Files\Ashampoo\Ashampoo AntiSpyWare\AntiSpyWareGuard.exe
O4 - HKCU\..\Run: [STYLEXP] D:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [tunebite.exe] D:\Program Files\tunebite\tunebite.exe -hidden
O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [BitComet] "D:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "D:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: AcBtnMgr_X63.exe.lnk = D:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
O4 - Global Startup: ACMonitor_X63.exe.lnk = D:\Program Files\LexmarkX63\ACMonitor_X63.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted IP range: http://202.67.220.225
O15 - Trusted IP range: http://59.148.220.121
O15 - Trusted IP range: http://62.4.84.53
O15 - Trusted IP range: http://82.98.235.58
O15 - Trusted IP range: http://85.12.25.90
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1139925460781
O17 - HKLM\System\CCS\Services\Tcpip\..\{32E1D550-DED1-448B-9E8E-784C94A97920}: NameServer = 71.252.0.12 71.242.0.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{924C74BE-CFBA-46E3-A61B-63533B4860ED}: NameServer = 71.252.0.12,199.45.32.43
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - D:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - D:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - D:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - D:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StyleXPService - Unknown owner - D:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe


Thanks again,
Shal

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:01:26 AM

Posted 21 August 2006 - 03:34 PM

Hello,

Check and fix the next entries in HijackThis:

O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted IP range: http://202.67.220.225
O15 - Trusted IP range: http://59.148.220.121
O15 - Trusted IP range: http://62.4.84.53
O15 - Trusted IP range: http://82.98.235.58
O15 - Trusted IP range: http://85.12.25.90

* Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop and run it.

Paste the following bold part into the Suspicious File Packer window:

D:\WINDOWS\system32\esagyuwt.exe
D:\WINDOWS\system32\iwetvwkm.exe
D:\WINDOWS\system32\jadumltx.exe
D:\WINDOWS\system32\xepanpuu.exe
D:\WINDOWS\system32\bjswdjor.exe
D:\WINDOWS\system32\kugeihco.exe
D:\WINDOWS\system32\vvyvpidq.exe
D:\WINDOWS\system32\wvoxvbiu.exe
D:\WINDOWS\system32\cklxnvay.exe
D:\WINDOWS\system32\necrcxbm.exe


Allow SFP to pack the file. This will generate a CAB archive on your desktop.
Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, click the browse button next to the second field and browse to the CAB archive that was created on your desktop.
The cab file will be called requested-files[*].cab (the * stands for the date and hour).
Then click the Send File button below.

Delete the next files manually:

D:\WINDOWS\system32\esagyuwt.exe
D:\WINDOWS\system32\iwetvwkm.exe
D:\WINDOWS\system32\jadumltx.exe
D:\WINDOWS\system32\xepanpuu.exe
D:\WINDOWS\system32\bjswdjor.exe
D:\WINDOWS\system32\kugeihco.exe
D:\WINDOWS\system32\vvyvpidq.exe
D:\WINDOWS\system32\wvoxvbiu.exe
D:\WINDOWS\system32\cklxnvay.exe
D:\WINDOWS\system32\necrcxbm.exe

Open Notepad and copy and paste the text present in the quotebox below into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Wlha"=-

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Wlha"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5A3E97DD-2A08-48BC-8F43-C0DEABC90266}"=-

Save this as fix.reg. Choose to save as "all files" and place it on your desktop.
It should look like this: [image]
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

Please download, install, and update Ewido anti-spyware
  • Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Then click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
  • Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
  • Close Ewido and reboot!!
  • Post the contents of the Ewido log you saved in your next reply.

Edited by miekiemoes, 21 August 2006 - 03:39 PM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
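The O15 check and the REGEDIT4 fix in the reply above, done programmatically. This is an added example, not code from the thread, from HijackThis or from the helper: it parses a few constructed lines written in the HijackThis log format, flags every O15 Trusted Zone / Trusted IP range entry (the kind of entry the reply tells the poster to fix), and builds a REGEDIT4 file in the `"name"=-` delete syntax the reply uses. The function names and the sample lines are my own; the registry key and value name passed to the builder are the ones from the fix above.

```python
import re
from ipaddress import ip_address
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample in HijackThis v1.99 log format (section tag, " - ", detail).
# These lines copy the shape of the log posted above; they are not a real scan.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [ccApp] "D:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted IP range: http://202.67.220.225
O15 - Trusted IP range: http://59.148.220.121
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{32E1D550-DED1-448B-9E8E-784C94A97920}: NameServer = 71.252.0.12 71.242.0.12
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\\Program Files\\Symantec AntiVirus\\Rtvscan.exe
"""


class HjtEntry(NamedTuple):
    section: str  # e.g. "O15"
    detail: str   # everything after "O15 - "


# A log line is "<section> - <detail>"; the process list and header do not match.
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<detail>.+)$")


def parse_hjt(text: str) -> List[HjtEntry]:
    """Parse HijackThis log lines into (section, detail); non-matching lines are skipped."""
    out = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            out.append(HjtEntry(m.group("section"), m.group("detail")))
    return out


def _host_of(url: str) -> str:
    # O15 targets are printed as "http://host"; drop the scheme and any path.
    host = re.sub(r"^[a-z]+://", "", url, flags=re.IGNORECASE)
    return host.split("/", 1)[0]


def _is_ip(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def flag_trusted_zone(entries: List[HjtEntry]) -> List[Tuple[str, str, str]]:
    """Return every O15 entry as (kind, host, reason).

    Hosts in IE's Trusted sites zone run under a relaxed security level, so a
    hijacker that adds its own hosts there keeps a door open. A home PC rarely
    has a legitimate reason for a Trusted *IP range*, so bare IPs get their own
    reason string.
    """
    flagged = []
    for e in entries:
        if e.section != "O15":
            continue
        kind, _, target = e.detail.partition(": ")
        host = _host_of(target)
        reason = "bare IP in Trusted Zone" if _is_ip(host) else "unrecognised Trusted Zone host"
        flagged.append((kind, host, reason))
    return flagged


def build_reg_delete(values: Dict[str, List[str]]) -> str:
    """Build a REGEDIT4 file that deletes the named values under each key.

    '"name"=-' removes a value (the syntax used in the fix above); regedit wants a
    trailing newline, and CRLF is the conventional Windows line ending.
    """
    lines = ["REGEDIT4", ""]
    for key, names in values.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
        lines.append("")
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    for kind, host, reason in flag_trusted_zone(entries):
        print(f"{kind:17} {host:32} {reason}")
    # Key and value name taken from the REGEDIT4 fix in the reply above.
    print(build_reg_delete({
        r"HKEY_USERS\.default\software\microsoft\windows\currentversion\run": ["Wlha"],
    }))
```

Run it on a real log by replacing `SAMPLE_LOG` with the file contents; anything `flag_trusted_zone` returns is worth reviewing, since the user normally did not add IP ranges to the Trusted zone themselves.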

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:01:26 AM

Posted 28 August 2006 - 01:03 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



