Infected With Downloader (and More?)


  • This topic is locked
25 replies to this topic

#1 panivazka
  • Members
  • 13 posts

Posted 18 August 2006 - 04:32 PM

I have run NAV, AdAware, SpyBot, ewido, and Stinger. I have also used Killbox. I'm getting hundreds of pop-up messages from NAV telling me I still have the Downloader virus/trojan and my system locks up frequently and sometimes reboots randomly. My Windows firewall is not functioning, but I did download ZoneAlarm and have that up and running now. I would use more free scanners as suggested, but I'm afraid that my computer will reboot again so I've decided to just post my log while my computer is behaving itself. Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:28:45 PM, on 8/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FontLoader\FontLoader.exe
C:\WINDOWS\DOBE~1\spool32.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {F519B8A2-5E32-20C8-1BD3-07F2CB751795} - C:\WINDOWS\system32\mtzu.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vbtqywh.exe
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {68892810-CDDD-E820-A745-9E2B56E6D59E} - C:\WINDOWS\system32\alhcty.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {94AE55D1-3A19-41A3-B16B-E43DB956574A} - \
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O2 - BHO: (no name) - {E7A850E5-B286-4657-A1C9-7457567E5BE2} - C:\WINDOWS\system32\jkhfg.dll (file missing)
O2 - BHO: (no name) - {F519B8A2-5E32-20C8-1BD3-07F2CB751795} - C:\WINDOWS\system32\mtzu.dll
O2 - BHO: (no name) - {FADA5581-1BA5-4E01-AB60-7838043B9685} - \
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Kapsules] C:\Program Files\Carbon 6\Kapsules\Kapsules.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [loaddr] C:\bupjd.exe
O4 - HKLM\..\Run: [tnbanp] C:\WINDOWS\system32\uvvjor.exe reg_run
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FontLoader] C:\Program Files\FontLoader\FontLoader.exe
O4 - HKCU\..\Run: [Coatccq] C:\PROGRA~1\FNTS~1\MCONFI~1.EXE
O4 - HKCU\..\Run: [Notn] "C:\WINDOWS\DOBE~1\spool32.exe" -vt yazr
O4 - HKCU\..\Run: [qkhcp] C:\WINDOWS\system32\uvvjor.exe reg_run
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9E214F45-89C2-4DE3-94A9-530EB1D05F7E} (QuestActiveX Class) - http://www.quest3d.com/Quest3D_WebInstall.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs:
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g38350609.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O20 - Winlogon Notify: sndu32 - sndu32.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winlkk32 - winlkk32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: MrobeService - Unknown owner - C:\WINDOWS\system32\MRobeService.exe (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#2 Buckeye_Sam
  • Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 18 August 2006 - 07:28 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 panivazka
  • Topic Starter
  • Members
  • 13 posts

Posted 18 August 2006 - 08:09 PM

Thank you, Sam. I ran ComboFix and the first time, it stalled and I restarted it...but it never produced a log. I ran it again and it worked. Here's the log (combofix.txt):

Owner - 06-08-18 18:54:41.35
ComboFix 06.08.18 - Running from: C:\Documents and Settings\Owner\Desktop

((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-07-27 14:41 118784 --a------ C:\WINDOWS\system32\pdfmona.dll


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


06-07-31 16:57 125 sqdpf.dll.qoo.qoo
06-07-31 08:43 52 bqlenw.dat.qoo.qoo

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Owner\Application Data\Install.dat
C:\WINDOWS\uni_ehhh.exe
C:\Program Files\ToolBar888
C:\Program Files\Common Files\{A478EA26-0BB8-1033-1212-030810040001}
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Owner\Application Data\ASEMBL~1
C:\QooBox\Purity\Program Files\FNTS~1
C:\QooBox\Purity\Program Files\Common Files\CURITY~1


((((((((((((((((((((((((((((((( Files Created from 2006-07-18 to 2006-08-18 ))))))))))))))))))))))))))))))))))


2006-08-18 14:03 139,264 C:\WINDOWS\system32\mtzu.dll
2006-08-10 19:16 29,696 C:\WINDOWS\system32\Addon2VB.dll
2006-08-10 19:16 101,888 C:\WINDOWS\system32\Vb6stkit.dll
2006-07-31 08:43 26,280 C:\WINDOWS\system32\w1d5d9680.dll
2006-07-27 14:41 51,716 C:\WINDOWS\system32\pdf995mon.dll
2006-07-27 14:41 118,784 C:\WINDOWS\system32\pdfmona.dll
2006-07-23 10:24 24,048 C:\WINDOWS\system32\ddmon.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2006-08-18 18:43 -------- d-------- C:\Program Files\Common Files
2006-08-18 18:23 -------- d-------- C:\Program Files\Mozilla Firefox
2006-08-18 17:29 -------- d-------- C:\Documents and Settings\Owner\Application Data\MailWasherPro
2006-08-18 17:28 -------- d-------- C:\Program Files\Trillian
2006-08-18 15:28 -------- d-------- C:\Program Files\HijackThis
2006-08-18 14:03 2 --a------ C:\WINDOWS\system32\wnsapitr.exe
2006-08-18 13:36 -------- d-------- C:\Program Files\Zone Labs
2006-08-18 13:34 -------- d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2006-08-18 11:11 -------- d-------- C:\Program Files\support.com
2006-08-17 18:17 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-17 18:17 -------- d-------- C:\Program Files\Atari
2006-08-17 18:16 -------- d-------- C:\Program Files\Sim File Maid 2
2006-08-17 18:16 -------- d-------- C:\Program Files\Scholastic
2006-08-17 18:14 -------- d-------- C:\Program Files\PopCap Games
2006-08-17 18:13 -------- d-------- C:\Documents and Settings\Owner\Application Data\aignes
2006-08-14 11:41 139264 --a------ C:\WINDOWS\system32\mtzu.dll
2006-08-13 11:23 -------- d-------- C:\Program Files\The Adventure Company
2006-08-13 11:23 -------- d-------- C:\Program Files\Tetris Worlds
2006-08-13 11:23 -------- d-------- C:\Program Files\Google
2006-08-13 11:23 -------- d-------- C:\Program Files\Docudesk
2006-08-13 11:23 -------- d-------- C:\Program Files\D-Tools
2006-08-13 11:23 -------- d-------- C:\Documents and Settings\Owner\Application Data\pdf995
2006-08-13 11:23 -------- d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2006-08-13 11:22 -------- d-------- C:\Program Files\FBM Software
2006-08-13 11:22 -------- d-------- C:\Program Files\Cowabanga
2006-08-13 11:22 -------- d-------- C:\Documents and Settings\Owner\Application Data\Yahoo! Messenger
2006-08-13 11:22 -------- d-------- C:\Documents and Settings\Owner\Application Data\deskPDF
2006-08-13 11:21 -------- d-------- C:\Program Files\pdf995
2006-08-10 19:15 -------- d-------- C:\Program Files\eGames
2006-08-05 11:30 -------- d-------- C:\Program Files\Microsoft Games
2006-07-31 10:56 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-07-31 08:43 26280 --a------ C:\WINDOWS\system32\w1d5d9680.dll
2006-07-27 14:48 -------- d-------- C:\Program Files\Yahoo!
2006-07-27 14:41 51716 --a------ C:\WINDOWS\system32\pdf995mon.dll
2006-07-27 14:41 118784 --a------ C:\WINDOWS\system32\pdfmona.dll
2006-07-27 12:00 131072 --a------ C:\WINDOWS\system32\datestamp.dll
2006-07-26 09:38 -------- d-------- C:\Program Files\NavNT
2006-07-23 10:42 1403 --a------ C:\Documents and Settings\Owner\Application Data\AdobeDLM.log
2006-07-23 10:42 0 --a------ C:\Documents and Settings\Owner\Application Data\dm.ini
2006-07-09 17:07 -------- d-------- C:\Program Files\Semagic
2006-06-29 08:54 -------- d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft
2006-06-29 08:53 -------- d-------- C:\Program Files\MSN Messenger
2006-06-21 09:25 -------- d-------- C:\Program Files\Internet Explorer
2006-06-20 18:58 -------- d-------- C:\Program Files\ConquerCam


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"CamMonitor"="c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\hpqcmon.exe"
"Share-to-Web Namespace Daemon"="c:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"vptray"="C:\\Program Files\\NavNT\\vptray.exe"
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"Kapsules"="C:\\Program Files\\Carbon 6\\Kapsules\\Kapsules.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"AlcxMonitor"="ALCXMNTR.EXE"
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
@=""
"loaddr"="C:\\bupjd.exe"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"FontLoader"="C:\\Program Files\\FontLoader\\FontLoader.exe"
"Coatccq"="C:\\PROGRA~1\\FNTS~1\\MCONFI~1.EXE"
"Notn"="\"C:\\WINDOWS\\DOBE~1\\spool32.exe\" -vt yazr"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,40,01,00,00,00,00,00,00,00,05,00,00,8e,04,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,de,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,de,03,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{259BA022-2005-45E9-A965-10EDB9C00605}"="Windows Updater"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cfgmngr32
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sndu32
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winlkk32

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sndu32.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sndu64.sys

Completion time: Fri 08/18/2006 19:04:34.48
ComboFix.txt
ComboFix2.txt
ComboFix3.txt

#4 Buckeye_Sam
  • Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 19 August 2006 - 04:53 PM

Your persistency will definitely pay off. Good job! :thumbsup:

Download haxfix.exe and save it to your desktop.
  • Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
  • Checkmark "Create a desktop icon"
  • Click "Next"
  • When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
  • Click "Finish"
A red "dos window" (dos box) will open with options:
1. Make logfile
2. Run auto fix
3. Run manual fix
E. Exit Haxfix
  • Select option 1. Make logfile by typing 1 and then pressing Enter
  • Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt > (c:\haxfix.txt)
  • Copy the contents of that logfile and paste it into this thread.



========================================================

#5 panivazka
  • Topic Starter
  • Members
  • 13 posts

Posted 20 August 2006 - 02:57 PM

Hi again, Sam. Here's the logfile from Haxfix:

HAXFIX logfile - by Marckie
______________
version 4.10
Sun 08/20/2006 13:55:17.40

checking for haxdoor
--------------------
checking for a3d files....
a3d files not found

checking for matching notify keys....
matching notify keys found
sndu

checking for matching services....
matching services found
Aspi32
sndu32
sndu64

checking for matching safeboot services....
matching safeboot services found
sndu32.sys
sndu64.sys


Checking for goldun
-------------------
checking for notify keys....
no notify keys found

checking for services....
no services found

checking for other goldunfiles....


Finished

#6 Buckeye_Sam
  • Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 20 August 2006 - 07:36 PM

Option 2 autofix
  • Open this folder program files > haxfix and double click on fix.bat (or double click on fix.bat desktop icon)
  • Close all other open windows since this step requires a reboot
  • Select option 2. Run auto fix by typing 2 and then pressing Enter
If an infection is found, you'll get a message to close all other open windows.
  • Close all open windows except the red dos window from haxfix and then press Enter
  • The computer will reboot
  • After reboot a logfile will open > (c:\haxfix.txt)
  • Post the contents of that logfile along with a new HijackThis log.



========================================================

#7 panivazka
  • Topic Starter
  • Members
  • 13 posts

Posted 20 August 2006 - 09:26 PM

UGH! My computer has rebooted 12 times in the last 30 minutes. It's driving me crazy.

Here's the Haxfix log:

HAXFIX logfile - by Marckie
--------------
version 4.10
Sun 08/20/2006 19:34:02.60

--- Auto Haxdoorfix ---


searching for services....
service sndu32 found
[SWSC] DeleteService SUCCESS
service sndu64 found
[SWSC] DeleteService SUCCESS


--- Goldunfix ---


searching for files:

searching for notifykeys:
no notifykeys found

searching for services:
no services found


.....rebooting the computer.....


searching for notifykeys

searching for notifykeys

notifykey sndu32 not found


searching for services

service sndu32 not found
service sndu64 not found


searching for safeboot services

safeboot service sndu32.sys not found
safeboot service sndu64.sys not found


searching for files

sndu32.dll exists
deleting sndu32.dll
sndu32.dll has been deleted

sndu32.sys exists
deleting sndu32.sys
sndu32.sys has been deleted

sndu64.sys exists
deleting sndu64.sys
sndu64.sys has been deleted


checking for other files

klgcptini.dat exists
deleting klgcptini.dat
klgcptini.dat has been deleted

stt82.ini exists
deleting stt82.ini
stt82.ini has been deleted


checking for a3d files

no a3d files found


Finished
searching for notifykeys

not needed


searching for services

service sndu32 not found
service sndu64 not found


searching for safeboot services

safeboot service sndu32.sys not found
safeboot service sndu64.sys not found


searching for files

sndu32.dll not found

sndu32.sys not found

sndu64.sys not found


checking for other files

No other files found


checking for a3d files

no a3d files found


Finished

Here's the HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 8:23:21 PM, on 8/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FontLoader\FontLoader.exe
C:\WINDOWS\DOBE~1\spool32.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {F519B8A2-5E32-20C8-1BD3-07F2CB751795} - C:\WINDOWS\system32\mtzu.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {68892810-CDDD-E820-A745-9E2B56E6D59E} - C:\WINDOWS\system32\alhcty.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {94AE55D1-3A19-41A3-B16B-E43DB956574A} - \
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {E7A850E5-B286-4657-A1C9-7457567E5BE2} - C:\WINDOWS\system32\jkhfg.dll (file missing)
O2 - BHO: (no name) - {F519B8A2-5E32-20C8-1BD3-07F2CB751795} - C:\WINDOWS\system32\mtzu.dll
O2 - BHO: (no name) - {FADA5581-1BA5-4E01-AB60-7838043B9685} - \
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Kapsules] C:\Program Files\Carbon 6\Kapsules\Kapsules.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [loaddr] C:\bupjd.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FontLoader] C:\Program Files\FontLoader\FontLoader.exe
O4 - HKCU\..\Run: [Coatccq] C:\PROGRA~1\FNTS~1\MCONFI~1.EXE
O4 - HKCU\..\Run: [Notn] "C:\WINDOWS\DOBE~1\spool32.exe" -vt yazr
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9E214F45-89C2-4DE3-94A9-530EB1D05F7E} (QuestActiveX Class) - http://www.quest3d.com/Quest3D_WebInstall.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs:
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g38350609.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O20 - Winlogon Notify: sndu32 - sndu32.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winlkk32 - winlkk32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: MrobeService - Unknown owner - C:\WINDOWS\system32\MRobeService.exe (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:35 AM

Posted 21 August 2006 - 08:01 PM

You've still got a lot of evil lurking in your computer, but we're removing a lot of it in this step.


Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {F519B8A2-5E32-20C8-1BD3-07F2CB751795} - C:\WINDOWS\system32\mtzu.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {68892810-CDDD-E820-A745-9E2B56E6D59E} - C:\WINDOWS\system32\alhcty.dll (file missing)
O2 - BHO: (no name) - {94AE55D1-3A19-41A3-B16B-E43DB956574A} - \
O2 - BHO: (no name) - {E7A850E5-B286-4657-A1C9-7457567E5BE2} - C:\WINDOWS\system32\jkhfg.dll (file missing)
O2 - BHO: (no name) - {F519B8A2-5E32-20C8-1BD3-07F2CB751795} - C:\WINDOWS\system32\mtzu.dll
O2 - BHO: (no name) - {FADA5581-1BA5-4E01-AB60-7838043B9685} - \
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [loaddr] C:\bupjd.exe
O4 - HKCU\..\Run: [FontLoader] C:\Program Files\FontLoader\FontLoader.exe
O4 - HKCU\..\Run: [Coatccq] C:\PROGRA~1\FNTS~1\MCONFI~1.EXE
O4 - HKCU\..\Run: [Notn] "C:\WINDOWS\DOBE~1\spool32.exe" -vt yazr
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs:
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g38350609.dll (file missing)
O20 - Winlogon Notify: sndu32 - sndu32.dll (file missing)
O20 - Winlogon Notify: winlkk32 - winlkk32.dll (file missing)
O23 - Service: MrobeService - Unknown owner - C:\WINDOWS\system32\MRobeService.exe (file missing)



Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



    C:\WINDOWS\system32\mtzu.dll
    C:\bupjd.exe
    C:\Program Files\FontLoader\FontLoader.exe
    C:\PROGRA~1\FNTS~1\MCONFI~1.EXE
    C:\WINDOWS\DOBE~1\spool32.exe



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

  • After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log
  • Post this log in your next reply.
============



Please open up Ewido Anti-spyware
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close Ewido anti-spyware. Do not run a scan just yet; we will shortly.

You may want to print out these instructions as the rest of this fix will take place in safe mode.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
  • Clean out your Temporary Internet files
  • Close Internet Explorer and quit any instances of Windows Explorer.
  • Click Start -> Control Panel and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
IMPORTANT: Close all windows and do not open any other windows or programs while Ewido is scanning, as it may interfere with the scanning process:
  • Launch Ewido anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • Ewido will now begin the scanning process; be patient, this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close Ewido and reboot your system back into Normal Mode and post the results of the Ewido scan report along with a new Hijackthis log.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
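The entries the helper ticked in the post above share a few recognisable patterns: references to files that no longer exist, BHOs and URLSearchHooks with no name or no DLL path, the `ProxyServer = :0` setting, autoruns launched through 8.3 short paths or from the drive root, and a service with no publisher. The script below is an added example (not part of this thread, and not HijackThis code) that parses the `Rn/On - description - target` line format and flags exactly those patterns; the rules and the sample excerpt are constructed for illustration, so a hit is a prompt for a human look, not a verdict.

```python
"""Triage helper for HijackThis (v1.99-style) log lines.

Added example, not part of this thread or of HijackThis itself.  It parses
the "Rn/On - description - target" entry format and flags the patterns a
malware-removal helper looks at first.  The rules below are heuristics
chosen for illustration: a hit means "look at this", not "this is malware".
"""
import re
from dataclasses import dataclass, field

ENTRY_RE = re.compile(r"^(?P<code>[RFON]\d{1,2}) - (?P<body>.*)$")
SHORT_NAME_RE = re.compile(r"~\d+[\\.]")                     # PROGRA~1\ or MCONFI~1.EXE
ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+\.exe$", re.I)  # C:\something.exe
# Path launched by an O4 "[name] target args" entry, quotes and arguments removed.
RUN_TARGET_RE = re.compile(r"\]\s+\"?([^\"]+?)\"?(?:\s+[-/]\S.*)?$")


@dataclass
class Entry:
    code: str                 # section code, e.g. "R1", "O4", "O23"
    body: str                 # everything after "code - "
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Return an Entry for a HijackThis entry line, or None for anything else."""
    m = ENTRY_RE.match(line.strip())
    return Entry(m.group("code"), m.group("body")) if m else None


def run_target(body):
    """Executable path from an O4 Run entry ("" when the entry has no [name])."""
    m = RUN_TARGET_RE.search(body)
    return m.group(1) if m else ""


def triage(entry):
    """Attach a reason for every heuristic the entry trips; returns the entry."""
    b = entry.body
    if "(file missing)" in b or "(no file)" in b:
        entry.reasons.append("points at a file that no longer exists")
    if entry.code in ("R3", "O2") and "(no name)" in b:
        entry.reasons.append("unnamed URLSearchHook/BHO")
    if entry.code == "O2" and b.endswith(" - \\"):
        entry.reasons.append("BHO registered without a DLL path")
    if "ProxyServer = :0" in b:
        entry.reasons.append("malformed proxy server setting")
    if entry.code == "O4":
        target = run_target(b)
        if SHORT_NAME_RE.search(target):
            entry.reasons.append("autorun through an 8.3 short path")
        if ROOT_EXE_RE.match(target):
            entry.reasons.append("autorun executable in the drive root")
    if entry.code == "O23" and "Unknown owner" in b:
        entry.reasons.append("service with no publisher name")
    return entry


def flag_log(text):
    """All entries in a log that trip at least one heuristic, in log order."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and triage(entry).reasons:
            hits.append(entry)
    return hits


# Constructed excerpt: entries copied from the log in this thread, benign ones included.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {F519B8A2-5E32-20C8-1BD3-07F2CB751795} - C:\WINDOWS\system32\mtzu.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {94AE55D1-3A19-41A3-B16B-E43DB956574A} - \
O2 - BHO: (no name) - {E7A850E5-B286-4657-A1C9-7457567E5BE2} - C:\WINDOWS\system32\jkhfg.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [loaddr] C:\bupjd.exe
O4 - HKCU\..\Run: [Coatccq] C:\PROGRA~1\FNTS~1\MCONFI~1.EXE
O4 - HKCU\..\Run: [Notn] "C:\WINDOWS\DOBE~1\spool32.exe" -vt yazr
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: sndu32 - sndu32.dll (file missing)
O23 - Service: MrobeService - Unknown owner - C:\WINDOWS\system32\MRobeService.exe (file missing)
"""

if __name__ == "__main__":
    for e in flag_log(SAMPLE_LOG):
        print(f"{e.code:<4} {e.body}\n     -> {'; '.join(e.reasons)}")
```

Run against the full log, the script flags the same lines the helper listed plus nothing legitimate from the sample; a real triage still weighs each hit against what the machine is supposed to be running.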

#9 panivazka

panivazka
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:02:35 AM

Posted 22 August 2006 - 01:05 AM

Okay, my computer is so slow it's almost torture to run anything. It literally took me 30 minutes to get a browser window to load up without freezing. And the computer is still rebooting frequently. I can't run HijackThis right now; it freezes up at the end of the scan. I will attempt another scan tomorrow morning. But here are the Killbox and ewido logs:

Pocket Killbox version 2.0.0.648
Running on Windows XP as Owner(Administrator)
was started @ Monday, August 21, 2006, 9:02 PM

# 1 [Delete on Reboot]
Path = C:\Program Files\FontLoader\FontLoader.exe


# 2 [Delete on Reboot]
Path = C:\WINDOWS\DOBE~1\spool32.exe


I Rebooted @ 9:04:19 PM
Killbox Closed(Exit) @ 9:04:21 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Owner(Administrator)
was started @ Monday, August 21, 2006, 9:08 PM

ewido:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:51:40 AM 8/18/2006

+ Scan result:



C:\WINDOWS\system32\qm.dll -> Backdoor.Haxdoor.in : Cleaned.
C:\WINDOWS\system32\atlma.dat -> Downloader.Qoologic.bj : Cleaned.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\Cache\906DD4B9d01/patch.exe -> Downloader.Small.bwy : Cleaned.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\Cache\906DD7B9d01/patch.exe -> Downloader.Small.bwy : Cleaned.
C:\VSL.dl_ -> Downloader.Small.ctp : Cleaned.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\Cache\102F6AC2d01 -> Downloader.Small.ddp : Cleaned.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\Cache\B5DBD358d01 -> Dropper.Agent.asl : Cleaned.
C:\WINDOWS\unin101.exe -> Hijacker.Small : Cleaned.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\Cache\906DD4B9d01/crack.exe -> Hijacker.VB.fg : Cleaned.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\Cache\906DD7B9d01/crack.exe -> Hijacker.VB.fg : Cleaned.
C:\WINDOWS\system32\grpstpjo.dll -> Logger.VBStat.d : Cleaned.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\Cache\324D76C8d01 -> Not-A-Virus.Exploit.HTML.DialogArg : Cleaned.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\Cache\8EB02E94d01 -> Not-A-Virus.Exploit.HTML.DialogArg : Cleaned.
:mozilla.578:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned.
:mozilla.212:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.213:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.216:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.217:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.218:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.219:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.646:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.85:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned.
:mozilla.181:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.182:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.101:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.95:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.180:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.183:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.184:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.186:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.187:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.249:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.236:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.76:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Bfast : Cleaned.
:mozilla.428:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned.
:mozilla.246:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.247:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.248:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.298:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.299:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.300:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.301:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.302:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.303:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.707:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.255:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned.
:mozilla.318:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned.
:mozilla.567:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.568:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.569:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.570:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.20:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.626:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.627:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.575:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.576:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.459:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.460:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.461:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.462:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.463:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.100:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.94:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.96:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.97:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.98:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.99:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.490:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.536:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.196:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.197:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.198:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.594:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.657:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.167:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Hotlog : Cleaned.
:mozilla.84:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.86:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.239:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.240:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.241:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.242:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.171:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Popuptraffic : Cleaned.
:mozilla.173:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Popuptraffic : Cleaned.
:mozilla.237:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.238:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.518:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.519:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.520:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.521:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.522:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.523:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.524:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.525:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.323:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.381:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.382:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.383:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.384:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.396:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.397:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.398:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.399:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.454:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.455:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.456:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.457:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.458:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.168:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Spylog : Cleaned.
:mozilla.635:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Starware : Cleaned.
:mozilla.636:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Starware : Cleaned.
:mozilla.637:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Starware : Cleaned.
:mozilla.48:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.49:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.50:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.51:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.52:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.53:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.54:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.55:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.56:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.57:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.58:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.59:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.60:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.337:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.338:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.339:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.340:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.566:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.390:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.416:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.417:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.418:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.419:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.420:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.421:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.422:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.110:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.111:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.112:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.113:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.114:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.115:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.537:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.538:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.539:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.540:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.541:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.542:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.551:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned.
:mozilla.244:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.175:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Yadro : Cleaned.
:mozilla.78:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.79:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.80:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.81:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.82:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.83:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.207:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.208:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.209:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.210:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.211:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\4luw13mb.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
C:\WINDOWS\system32\bcixstde.exe -> Trojan.Agent.ny : Cleaned.
C:\WINDOWS\system32\gbswcdcu.exe -> Trojan.Agent.ny : Cleaned.
C:\WINDOWS\unwn.exe -> Trojan.Qoologic : Cleaned.


::Report end

#10 Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 22 August 2006 - 08:21 AM

These are unnecessary programs running at startup that just contribute to your computer running slowly. Please fix these lines with HijackThis.

O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Kapsules] C:\Program Files\Carbon 6\Kapsules\Kapsules.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Coatccq] C:\PROGRA~1\FNTS~1\MCONFI~1.EXE
O4 - HKCU\..\Run: [Notn] "C:\WINDOWS\DOBE~1\spool32.exe" -vt yazr
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe



Reboot your computer and let me know if there is any difference.

You can also try this while we sort things out.
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the option to run Windows in Safe Mode with Networking.
When you are able, post a new HijackThis log.
Let me know how things are working.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
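
The O4 lines quoted in the post above are the HKLM/HKCU Run-key and Startup-folder entries HijackThis found; the two that stand out to a malware analyst are `[Coatccq] C:\PROGRA~1\FNTS~1\MCONFI~1.EXE` and `[Notn] "C:\WINDOWS\DOBE~1\spool32.exe" -vt yazr`, because their paths are 8.3 short names pointing at a random-looking folder (one of them directly under C:\WINDOWS). The script below is an added example, not a BleepingComputer, HijackThis or ComboFix tool: it parses O4 lines and applies a few path heuristics so that entries like those two are surfaced first. The reason codes, the severity split and the `SYSTEM_DIRS` allow-list are this example's own assumptions; the sample lines are copied from the post above.

```python
"""Heuristic triage of HijackThis O4 (autostart) lines.

Added example for this thread; it is not a BleepingComputer, HijackThis or
ComboFix tool.  The sample lines are O4 entries quoted in the post above;
the reason codes and the HIGH/info split are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: O4 lines copied verbatim from the post above.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe',
    r'O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup',
    r'O4 - HKLM\..\Run: [nwiz] nwiz.exe /install',
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O4 - HKCU\..\Run: [Coatccq] C:\PROGRA~1\FNTS~1\MCONFI~1.EXE',
    r'O4 - HKCU\..\Run: [Notn] "C:\WINDOWS\DOBE~1\spool32.exe" -vt yazr',
    r'O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe',
    r'O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?',
]

# "O4 - HKLM\..\Run: [Name] command" or "O4 - Startup: file.lnk = target"
O4_RE = re.compile(
    r'^O4 - (?P<loc>HKLM\\\.\.\\Run|HKCU\\\.\.\\Run|Startup|Global Startup): '
    r'(?:\[(?P<name>[^\]]*)\] |(?P<lnk>[^=]+?) = )(?P<cmd>.*)$')

# The executable is either a quoted string or the shortest prefix that ends in
# a program extension followed by whitespace/end (so "support.com\x.exe" is
# not cut at ".com").  Anything after it is treated as arguments.
CMD_RE = re.compile(
    r'^(?P<exe>"[^"]+"|.+?\.(?:exe|com|scr|pif|bat|cmd)(?=\s|$))(?:\s+(?P<args>.*))?$',
    re.IGNORECASE)

# Assumed allow-list: binaries living here are not flagged as "under C:\WINDOWS".
SYSTEM_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\system\\')
# Assumed high-signal reasons; the rest are hardening notes for a human to review.
HIGH = {'8.3-short-name-path', 'exe-under-windows-root'}


@dataclass
class Finding:
    name: str                 # Run value name, or the .lnk file name
    exe: str                  # executable HijackThis reported, quotes stripped
    reasons: list = field(default_factory=list)


def check_entry(name: str, cmd: str) -> Finding:
    """Apply the path heuristics to one autostart command line."""
    m = CMD_RE.match(cmd)
    if not m:
        # HijackThis prints "?" when it cannot resolve a shortcut's target.
        return Finding(name, cmd, ['target-not-resolved'])
    raw = m.group('exe')
    exe = raw.strip('"')
    low = exe.lower()
    reasons = []
    if '~' in exe:
        # 8.3 short names (PROGRA~1, DOBE~1) hide the real folder name.
        reasons.append('8.3-short-name-path')
    if low.startswith('c:\\windows\\') and not low.startswith(SYSTEM_DIRS):
        # Executables dropped straight under C:\WINDOWS (or an odd subfolder).
        reasons.append('exe-under-windows-root')
    if '\\' not in exe:
        # Bare file name: resolved through the search path at logon.
        reasons.append('bare-filename-path-lookup')
    elif not raw.startswith('"') and ' ' in exe:
        # Unquoted path with spaces: classic hardening finding.
        reasons.append('unquoted-path-with-spaces')
    return Finding(name, exe, reasons)


def triage_o4(lines):
    """Parse every O4 line in `lines`; non-O4 lines are skipped."""
    findings = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        name = m.group('name') if m.group('name') is not None else m.group('lnk')
        findings.append(check_entry(name, m.group('cmd')))
    return findings


def reasons_for(lines, name):
    """Reason codes for one entry name, or None if that name is not present."""
    for f in triage_o4(lines):
        if f.name == name:
            return f.reasons
    return None


def flagged(lines):
    """Sorted names of entries carrying at least one HIGH reason."""
    return sorted(f.name for f in triage_o4(lines) if HIGH & set(f.reasons))


if __name__ == '__main__':
    for f in triage_o4(SAMPLE_O4_LINES):
        sev = 'HIGH' if HIGH & set(f.reasons) else ('info' if f.reasons else 'ok')
        print(f'{sev:4} [{f.name}] {f.exe} {f.reasons}')
```

Run as-is it reports `Coatccq` and `Notn` as HIGH and the HP, NVIDIA and Yahoo! entries only as hardening notes; the heuristics are deliberately coarse (an OEM recovery tool under C:\WINDOWS\SMINST would also trip the windows-root check), so treat the output as a reading order for the log, not a verdict.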

#11 panivazka
  • Topic Starter

  • Members
  • 13 posts

Posted 22 August 2006 - 10:21 AM

Okay, here's the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:18:06 AM, on 8/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Real\RealOne Player\RealPlay.exe
C:\Program Files\Real\RealOne Player\RealPlay.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9E214F45-89C2-4DE3-94A9-530EB1D05F7E} (QuestActiveX Class) - http://www.quest3d.com/Quest3D_WebInstall.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I have not rebooted it since doing this last HijackThis scan and log, because things are running somewhat okay right now and I'd hate to mess anything up while I actually have the computer functioning! Maybe I can actually get something done today...:thumbsup:

Thanks for your help.

#12 Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 22 August 2006 - 07:19 PM

Well that's good to hear! :thumbsup:

Your log looks pretty good, but as badly as you were infected I'm certain that there is still malware on your computer, although it doesn't appear to be active at this point.


Let's see if we can resolve the instability by running ScanDisk.

Go to My Computer and right click on Local Disk(C:).
Select Properties -> Tools.
Under Error Checking click on Check Now...
Check both boxes and click Start.
Click Yes at the prompt and reboot your computer.



Let me know how that goes.

I'd also like to see a new log from Combofix to give us an idea of what malware we still need to deal with.

#13 panivazka
  • Topic Starter

  • Members
  • 13 posts

Posted 23 August 2006 - 12:47 AM

Okay, I ran the ScanDisc thing, and it finished...but when it went to reboot, it choked and I had to force a reboot by shutting off the computer and turning it back on. This happened several times. Then the computer kept rebooting (as before). It rebooted about 7 times in the last 20 minutes. Now it seems to be okay again, so I will try to run ComboFix and post the log either tonight or tomorrow morning.

#14 panivazka
  • Topic Starter

  • Members
  • 13 posts

Posted 23 August 2006 - 12:49 AM

Here's the ComboFix log:

Owner - 06-08-22 23:46:49.67
ComboFix 06.08.18 - Running from: C:\Documents and Settings\Owner\Desktop

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Owner\Application Data\ASEMBL~1
C:\QooBox\Purity\Program Files\FNTS~1
C:\QooBox\Purity\Program Files\Common Files\CURITY~1


((((((((((((((((((((((((((((((( Files Created from 2006-07-22 to 2006-08-22 ))))))))))))))))))))))))))))))))))


2006-08-20 13:54 90,112 C:\WINDOWS\system32\RegDACL.exe
2006-08-20 13:54 6,020 C:\clean.bat
2006-08-20 13:54 40,960 C:\WINDOWS\system32\swsc.exe
2006-08-20 13:54 4,096 C:\WINDOWS\system32\reboot.exe
2006-08-20 13:54 38,400 C:\WINDOWS\system32\moveex.exe
2006-08-10 19:16 29,696 C:\WINDOWS\system32\Addon2VB.dll
2006-08-10 19:16 101,888 C:\WINDOWS\system32\Vb6stkit.dll
2006-07-31 08:43 26,280 C:\WINDOWS\system32\w1d5d9680.dll
2006-07-27 14:41 51,716 C:\WINDOWS\system32\pdf995mon.dll
2006-07-27 14:41 118,784 C:\WINDOWS\system32\pdfmona.dll
2006-07-23 10:24 24,048 C:\WINDOWS\system32\ddmon.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2006-08-22 23:42 -------- d-------- C:\Program Files\Mozilla Firefox
2006-08-22 17:44 -------- d-------- C:\Program Files\Trillian
2006-08-22 17:41 -------- d-------- C:\Documents and Settings\Owner\Application Data\MailWasherPro
2006-08-22 09:18 -------- d-------- C:\Program Files\HijackThis
2006-08-21 21:15 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-08-21 21:05 -------- d-------- C:\Program Files\FontLoader
2006-08-20 19:34 -------- d-------- C:\Program Files\HaxFix
2006-08-18 18:43 -------- d-------- C:\Program Files\Common Files
2006-08-18 14:03 2 --a------ C:\WINDOWS\system32\wnsapitr.exe
2006-08-18 13:36 -------- d-------- C:\Program Files\Zone Labs
2006-08-18 13:34 -------- d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2006-08-18 11:11 -------- d-------- C:\Program Files\support.com
2006-08-17 18:17 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-17 18:17 -------- d-------- C:\Program Files\Atari
2006-08-17 18:16 -------- d-------- C:\Program Files\Sim File Maid 2
2006-08-17 18:16 -------- d-------- C:\Program Files\Scholastic
2006-08-17 18:14 -------- d-------- C:\Program Files\PopCap Games
2006-08-17 18:13 -------- d-------- C:\Documents and Settings\Owner\Application Data\aignes
2006-08-13 11:23 -------- d-------- C:\Program Files\The Adventure Company
2006-08-13 11:23 -------- d-------- C:\Program Files\Tetris Worlds
2006-08-13 11:23 -------- d-------- C:\Program Files\Google
2006-08-13 11:23 -------- d-------- C:\Program Files\Docudesk
2006-08-13 11:23 -------- d-------- C:\Program Files\D-Tools
2006-08-13 11:23 -------- d-------- C:\Documents and Settings\Owner\Application Data\pdf995
2006-08-13 11:23 -------- d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2006-08-13 11:22 -------- d-------- C:\Program Files\FBM Software
2006-08-13 11:22 -------- d-------- C:\Program Files\Cowabanga
2006-08-13 11:22 -------- d-------- C:\Documents and Settings\Owner\Application Data\Yahoo! Messenger
2006-08-13 11:22 -------- d-------- C:\Documents and Settings\Owner\Application Data\deskPDF
2006-08-13 11:21 -------- d-------- C:\Program Files\pdf995
2006-08-12 10:34 6020 --a------ C:\clean.bat
2006-08-10 19:15 -------- d-------- C:\Program Files\eGames
2006-08-05 11:30 -------- d-------- C:\Program Files\Microsoft Games
2006-07-31 08:43 26280 --a------ C:\WINDOWS\system32\w1d5d9680.dll
2006-07-27 14:48 -------- d-------- C:\Program Files\Yahoo!
2006-07-27 14:41 51716 --a------ C:\WINDOWS\system32\pdf995mon.dll
2006-07-27 14:41 118784 --a------ C:\WINDOWS\system32\pdfmona.dll
2006-07-27 12:00 131072 --a------ C:\WINDOWS\system32\datestamp.dll
2006-07-26 09:38 -------- d-------- C:\Program Files\NavNT
2006-07-23 10:42 1403 --a------ C:\Documents and Settings\Owner\Application Data\AdobeDLM.log
2006-07-23 10:42 0 --a------ C:\Documents and Settings\Owner\Application Data\dm.ini
2006-07-09 17:07 -------- d-------- C:\Program Files\Semagic
2006-06-29 08:54 -------- d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft
2006-06-29 08:53 -------- d-------- C:\Program Files\MSN Messenger


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"vptray"="C:\\Program Files\\NavNT\\vptray.exe"
@=""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,40,01,00,00,00,00,00,00,00,05,00,00,8e,04,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,de,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,de,03,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{259BA022-2005-45E9-A965-10EDB9C00605}"="Windows Updater"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina


Completion time: Tue 08/22/2006 23:48:09.17
ComboFix.txt
ComboFix2.txt
ComboFix3.txt

#15 Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 23 August 2006 - 07:01 AM

The rootkit is still there, so let's get rid of it now.

Download GMER from here:
http://www.gmer.net/files.php

Unzip it to the desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.