
Adware.purityscan Virus/winfixer?errorsafe


  • This topic is locked
10 replies to this topic

#1 Detmer09

Detmer09

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:42 AM

Posted 12 October 2006 - 08:56 AM

Hello and many thanks in advance for helping. I contracted a virus and I have used the Symantec AntiVirus software to try and remove these viruses, and they seem to just keep coming back. I then used Spybot and the Ad-Aware SE programs and they do not seem to work.

I am hoping you are able to help me.

Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:47:59 AM, on 10/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\1872_Sprint\Fgrd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\rpachuta\APPLIC~1\ICROSO~1\mmc.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\lotus\notes\NLNOTES.EXE
C:\Program Files\lotus\notes\ntaskldr.EXE
C:\Program Files\Adobe\Adobe Photoshop CS2\Photoshop.exe
C:\DOCUME~1\rpachuta\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\rpachuta\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\rpachuta\My Documents\My Received Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.destaco.com/index.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://intranet.destaco.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Lfvrlq] C:\Program Files\Common Files\s?curity\svchost.exe
O4 - HKCU\..\Run: [Tair] "C:\DOCUME~1\rpachuta\APPLIC~1\ICROSO~1\mmc.exe" -vt yazb
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {12545791-AC9A-44B2-8964-0DA216C4A4E5} (Cnsweb3d Control) - http://www.partcommunity.com/PARTcommunity...3D/cnsweb3d.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DESTACO
O17 - HKLM\Software\..\Telephony: DomainName = destaco.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = DESTACO
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = DESTACO
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FGR Service - Fiberlink Communications Corporation - C:\Program Files\1872_Sprint\Fgrd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

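Two of the HKCU Run entries in the log above stand out to a reviewer: [Lfvrlq] launches svchost.exe from a Common Files folder whose name HijackThis renders as s?curity, and [Tair] launches mmc.exe from a short-named folder under the user's Application Data. The following Python is an added example, not code from this thread or from the HijackThis project: it parses O4 Run-key lines and flags an image path on three heuristics (a character a Windows path cannot contain, a system32-only binary name running from elsewhere, and a user-writable profile folder). The sample lines are copied from the log above; the heuristics, names and severity choices are the example's own assumptions.

```python
import ntpath
import re
from typing import Dict, List

# Constructed sample: O4 (autostart) lines copied from the HijackThis log above.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Lfvrlq] C:\Program Files\Common Files\s?curity\svchost.exe
O4 - HKCU\..\Run: [Tair] "C:\DOCUME~1\rpachuta\APPLIC~1\ICROSO~1\mmc.exe" -vt yazb
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""

# HijackThis O4 Run-key line: "O4 - HKLM\..\Run: [value name] command line"
O4_RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# Binaries a stock Windows XP install only ever runs from %SystemRoot%\system32
# (assumed list for this example; extend as needed).
SYSTEM32_ONLY = {"svchost.exe", "mmc.exe", "lsass.exe", "services.exe",
                 "winlogon.exe", "csrss.exe", "smss.exe"}

# Directory components a limited user can write to; legitimate autostarts
# rarely live there, so treat a hit as a low-severity indicator.
USER_WRITABLE_MARKERS = ("\\docume~1\\", "\\documents and settings\\",
                         "\\applic~1\\", "\\application data\\",
                         "\\locals~1\\", "\\temp\\")


def extract_image_path(cmd: str) -> str:
    """Return the executable part of a Run-value command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                       # quoted path, args follow
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted path that may contain spaces: cut after the first extension.
    m = re.match(r"^(.*?\.(?:exe|dll|cpl|com|bat|scr))(?:\s|$)", cmd, re.IGNORECASE)
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd else ""          # no extension: first token


def assess_path(path: str) -> List[str]:
    """Return the list of heuristic reasons an image path looks suspicious."""
    reasons: List[str] = []
    low = path.lower()
    base = ntpath.basename(low)
    parent = ntpath.dirname(low)
    # '?' is not a legal NTFS file-name character, so its presence means
    # HijackThis could not display the real character: a look-alike name.
    if "?" in path or any(ord(c) > 127 for c in path):
        reasons.append("unprintable character in path")
    if base in SYSTEM32_ONLY and not parent.endswith("\\system32"):
        reasons.append(f"{base} outside system32")
    if any(marker in low for marker in USER_WRITABLE_MARKERS):
        reasons.append("runs from user-writable profile folder")
    return reasons


def triage_o4(log_text: str) -> List[Dict[str, object]]:
    """Parse O4 Run-key lines and return only the entries with findings."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = O4_RUN_RE.match(line.strip())
        if not m:
            continue                              # not a Run-key O4 line
        path = extract_image_path(m.group("cmd"))
        reasons = assess_path(path)
        if reasons:
            findings.append({"name": m.group("name"), "hive": m.group("hive"),
                             "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_o4(SAMPLE_O4_LINES):
        print(f"[{f['hive']}] {f['name']}: {f['path']}")
        for reason in f["reasons"]:
            print(f"    - {reason}")
```

Run against the sample, only the Lfvrlq and Tair entries are reported; the Symantec, Bluetooth, dumprep, ctfmon and TeaTimer entries pass all three checks.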
#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:04:42 PM

Posted 12 October 2006 - 10:11 AM

Hello,

I see you are running TeaTimer.
I suggest you disable it, because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer during HijackThis Cleanup
Then, download ResetTeaTimer.bat.
Double-click ResetTeaTimer.bat to remove all entries set by TeaTimer.

Then, go to Start > Control Panel > Software > Add/Remove Programs and uninstall the following if present:

Oin
Yazzle by Oin
YazzleActiveX By OIN
Purityscan by Oin
Snowballwars by Oin
Cowabanga by OIN
or anything similar with Oin in it.


If OIN is not listed, download and run this uninstaller.

Reboot when done! Really important!

After reboot,

* Download ComboFix to your desktop.
Double-click combofix.exe.
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot, it should open a log, combofix.txt.
Post this log in your next reply.

Also, can you rename HijackThis.exe to Analyse.exe?
Then scan with Analyse.exe and post the log in your next reply as well (which will be a HijackThis log, of course).

Edited by miekiemoes, 12 October 2006 - 10:12 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Detmer09

Detmer09
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:42 AM

Posted 12 October 2006 - 12:00 PM

OK. When I went into Add/Remove Programs I did not see any of the items you had listed, so I continued on to the next steps.

Here are the logs you requested:

ComboFix:

rpachuta - 06-10-12 12:48:13.00 Service Pack 2
ComboFix 06.10.12 - Running from: "C:\Documents and Settings\rpachuta\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Inetget2
C:\WINDOWS\system32\components
C:\Program Files\Common Files\{387DFF67-07CA-1033-1002-050504040001}
C:\Program Files\Common Files\{787DFF67-07CA-1033-1002-050504040001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\rpachuta\Application Data\ICROSO~1
C:\QooBox\Purity\Documents and Settings\rpachuta\Application Data\ICROSO~1\?icrosoft
C:\QooBox\Purity\Program Files\ASKS~1
C:\QooBox\Purity\Program Files\Common Files\SCURIT~1
C:\QooBox\Purity\WINDOWS\system32\SKS~1


((((((((((((((((((((((((((((((( Files Created from 2006-09-12 to 2006-10-12 ))))))))))))))))))))))))))))))))))


2006-10-12 12:35 98,324 --a------ C:\WINDOWS\system32\bwuljljy.dll
2006-10-12 08:23 505,295 ---hs---- C:\WINDOWS\system32\prqss.ini2
2006-10-12 08:04 98,324 --a------ C:\WINDOWS\system32\uwsseacw.dll
2006-10-11 18:08 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2006-10-11 17:52 8,192 --a------ C:\WINDOWS\system32\wshirda.dll
2006-10-11 17:52 27,136 --a------ C:\WINDOWS\system32\irmon.dll
2006-10-11 17:52 152,576 --a------ C:\WINDOWS\system32\irftp.exe
2006-10-11 17:43 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2006-10-11 17:43 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2006-10-11 15:04 143,380 --a------ C:\WINDOWS\system32\ydjtpqtt.exe
2006-10-11 14:15 143,380 --a------ C:\WINDOWS\system32\jajgoxik.exe
2006-10-11 13:21 143,380 --a------ C:\WINDOWS\system32\tklrttxi.exe
2006-10-07 11:32 503,716 ---hs---- C:\WINDOWS\system32\prqss.bak2
2006-10-06 08:07 684,084 --ahs---- C:\WINDOWS\system32\ssqrp.dll
2006-10-06 08:07 504,070 ---hs---- C:\WINDOWS\system32\prqss.bak1
2006-10-06 08:01 94,208 --a------ C:\WINDOWS\system32\fvqmcgd.dll
2006-10-06 08:01 72,704 --a------ C:\WINDOWS\system32\vxreece.dll
2006-10-06 08:01 40,973 --ahs---- C:\WINDOWS\system32\xxwuvvt.dll
2006-09-19 15:23 157,352 --a------ C:\WINDOWS\system32\pxwma.dll
2006-09-19 15:23 115,880 --a------ C:\WINDOWS\system32\pxinsi64.exe
2006-09-19 15:23 114,856 --a------ C:\WINDOWS\system32\pxcpyi64.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-12 12:49 -------- d-------- C:\Program Files\Common Files
2006-10-12 12:46 -------- d-------- C:\Program Files\Symantec AntiVirus
2006-10-11 18:06 -------- d-------- C:\Program Files\Windows Media Player
2006-10-11 18:06 -------- d-------- C:\Program Files\Outlook Express
2006-10-11 18:06 -------- d-------- C:\Program Files\Internet Explorer
2006-10-11 18:06 -------- d-------- C:\Program Files\Common Files\System
2006-10-11 13:07 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\Lavasoft
2006-10-11 13:06 -------- d-------- C:\Program Files\Lavasoft
2006-10-11 08:42 -------- d-------- C:\Program Files\VSToolbar
2006-10-06 11:04 -------- d-------- C:\Program Files\Windows Defender
2006-10-05 11:34 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\Google
2006-10-05 11:32 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-05 11:32 -------- d-------- C:\Program Files\Google
2006-09-30 11:54 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\Adobe
2006-09-29 16:11 -------- d-------- C:\Program Files\Common Files\Adobe
2006-09-29 16:07 -------- d-------- C:\Program Files\Adobe
2006-09-25 15:29 -------- d-------- C:\Program Files\BearShare
2006-09-19 16:13 -------- d-------- C:\Program Files\Yahoo!
2006-09-19 15:23 -------- d-------- C:\Program Files\illiminable
2006-09-19 15:23 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-09-19 11:06 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\cadenas
2006-09-18 10:03 -------- d-------- C:\Program Files\Soundslides
2006-09-17 22:53 -------- d---s---- C:\Documents and Settings\rpachuta\Application Data\Microsoft
2006-09-14 15:10 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\SolidWorks
2006-09-11 13:27 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\Real
2006-09-11 13:26 -------- d-------- C:\Program Files\Real
2006-09-11 13:25 -------- d-------- C:\Program Files\Common Files\xing shared
2006-09-11 13:25 -------- d-------- C:\Program Files\Common Files\Real
2006-09-11 08:38 -------- d-------- C:\Program Files\QuickTime
2006-09-07 11:02 -------- d-------- C:\Program Files\WinRAR
2006-09-07 11:01 -------- d-------- C:\Program Files\RAR Password Cracker
2006-09-05 13:13 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\Sun
2006-09-05 12:39 -------- d-------- C:\Program Files\Java
2006-09-05 12:37 -------- d-------- C:\Program Files\Common Files\Java
2006-09-01 09:38 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\Opera
2006-08-29 21:35 -------- d-------- C:\Program Files\Zoto
2006-08-29 16:03 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\Macromedia
2006-08-27 11:26 -------- d-------- C:\Program Files\MyGlobalSearch
2006-08-26 11:09 -------- d-------- C:\Program Files\Winamp
2006-08-26 10:24 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\Canon
2006-08-25 14:59 -------- d-------- C:\Program Files\DWGeditor
2006-08-24 21:36 -------- d-------- C:\Program Files\Canon
2006-08-24 09:55 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\Quark
2006-08-24 09:48 -------- d-------- C:\Program Files\Quark
2006-08-24 09:34 -------- d-------- C:\Program Files\Common Files\Express Digital
2006-08-24 08:59 -------- d-------- C:\Program Files\Common Files\Canon
2006-08-24 08:38 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\DWGeditor
2006-08-24 08:36 -------- d-------- C:\Program Files\SolidWorks
2006-08-24 08:36 -------- d-------- C:\Program Files\Common Files\SolidWorks Shared
2006-08-24 08:34 -------- d-------- C:\Program Files\Common Files\DESIGNER
2006-08-24 08:34 -------- d-------- C:\Program Files\Bluebeam Software
2006-08-24 08:33 -------- d-------- C:\Program Files\Common Files\Bluebeam Software
2006-08-24 08:27 -------- d--h----- C:\Program Files\Uninstall Information
2006-08-24 08:27 -------- d-------- C:\Program Files\Common Files\Solidworks Data
2006-08-23 14:29 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\ExpressDigital
2006-08-23 14:15 -------- d-------- C:\Program Files\Common Files\Nikon
2006-08-23 14:14 -------- d-------- C:\Program Files\ExpressDigital
2006-08-23 10:09 -------- d-------- C:\Program Files\1872_Sprint
2006-08-23 10:06 -------- d-------- C:\Program Files\SolidWorks Viewer
2006-08-23 10:06 -------- d-------- C:\Program Files\Netscape
2006-08-23 10:04 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\AdobeUM
2006-08-23 09:43 -------- d-------- C:\Program Files\Messenger
2006-08-23 08:55 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\Intel
2006-08-23 08:55 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\Identities
2006-08-23 08:41 -------- d-------- C:\Program Files\Microsoft Works
2006-08-23 08:41 -------- d-------- C:\Program Files\Microsoft Visual Studio
2006-08-23 08:41 -------- d-------- C:\Program Files\Microsoft Office
2006-08-23 08:41 -------- d-------- C:\Program Files\Microsoft ActiveSync
2006-08-23 08:36 -------- d-------- C:\Program Files\Common Files\Adobe Systems Shared
2006-08-23 08:19 57344 --a------ C:\WINDOWS\uneng.exe
2006-08-23 08:19 30630 --a------ C:\WINDOWS\system32\drivers\Mmc_2k.sys
2006-08-23 08:19 25898 --a------ C:\WINDOWS\system32\drivers\Dvd_2k.sys
2006-08-23 08:19 206464 --a------ C:\WINDOWS\system32\drivers\udfreadr_xp.sys
2006-08-23 08:19 143834 --a------ C:\WINDOWS\system32\drivers\pwd_2K.sys
2006-08-23 08:19 -------- d-------- C:\Program Files\Roxio
2006-08-23 08:19 -------- d-------- C:\Program Files\Common Files\Adaptec Shared
2006-08-22 16:30 -------- d-------- C:\Program Files\Common Files\Autodesk Shared
2006-08-22 16:30 -------- d-------- C:\Program Files\Autodesk Volo View
2006-08-22 16:17 -------- d-------- C:\Program Files\CheckPoint
2006-08-22 16:16 -------- d-------- C:\Program Files\Common Files\eDrawings2006
2006-08-22 16:06 -------- d-------- C:\Program Files\WinZip
2006-08-22 16:06 -------- d-------- C:\Program Files\Oracle
2006-08-22 15:57 -------- d-------- C:\Program Files\lotus
2006-08-22 15:34 -------- d-------- C:\Program Files\BlueTooth
2006-08-22 15:32 -------- d-------- C:\Program Files\Toshiba
2006-08-22 15:15 21419 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2006-08-22 15:14 -------- d-------- C:\Program Files\Intel
2006-08-22 15:09 -------- d-------- C:\Program Files\Apoint
2006-08-22 14:50 -------- d-------- C:\Program Files\Dell
2006-08-22 14:43 -------- d-------- C:\Program Files\CONEXANT
2006-08-22 14:37 -------- d-------- C:\Program Files\SigmaTel
2006-08-22 14:37 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-08-22 14:33 -------- d-------- C:\Program Files\ATI Technologies
2006-08-22 13:45 -------- d-------- C:\Program Files\Online Services
2006-08-22 13:34 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-08-22 13:26 -------- d-------- C:\Program Files\Broadcom
2006-08-22 13:18 -------- d-------- C:\Program Files\Symantec
2006-08-22 13:08 0 -rahs---- C:\MSDOS.SYS
2006-08-22 13:08 0 -rahs---- C:\IO.SYS
2006-08-22 13:08 0 --a------ C:\CONFIG.SYS
2006-08-22 13:08 0 --a------ C:\AUTOEXEC.BAT
2006-08-22 13:08 -------- d-------- C:\Program Files\xerox
2006-08-22 13:08 -------- d-------- C:\Program Files\microsoft frontpage
2006-08-22 13:07 -------- d--h----- C:\Program Files\WindowsUpdate
2006-08-22 13:06 -------- d-------- C:\Program Files\NetMeeting
2006-08-22 13:06 -------- d-------- C:\Program Files\Movie Maker
2006-08-22 13:06 -------- d-------- C:\Program Files\Common Files\Services
2006-08-22 13:06 -------- d-------- C:\Program Files\Common Files\MSSoap
2006-08-22 13:05 -------- d-------- C:\Program Files\ComPlus Applications
2006-08-22 13:04 -------- d-------- C:\Program Files\Windows NT
2006-08-22 13:04 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-08-22 13:04 -------- d-------- C:\Program Files\MSN
2006-08-22 08:51 -------- d-------- C:\Program Files\Common Files\SpeechEngines
2006-08-22 08:51 -------- d-------- C:\Program Files\Common Files\ODBC
2006-08-22 08:50 62 --ahs---- C:\Documents and Settings\rpachuta\Application Data\desktop.ini
2006-08-14 12:43 36528 --a------ C:\WINDOWS\system32\drivers\PxHelp20.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Tair"="\"C:\\DOCUME~1\\rpachuta\\APPLIC~1\\ICROSO~1\\mmc.exe\" -vt yazb"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"Dell QuickSet"="C:\\Program Files\\Dell\\QuickSet\\quickset.exe"
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"IntelZeroConfig"="\"C:\\Program Files\\Intel\\Wireless\\bin\\ZCfgSvc.exe\""
"IntelWireless"="\"C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe\" /tf Intel PROSet/Wireless"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
@=""
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoWelcomeScreen"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableCAD"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^.protected]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\.protected"
"backup"="C:\\WINDOWS\\pss\\.protectedCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\.protected"
"item"=".protected"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^rpachuta^Start Menu^Programs^Startup^.protected]
"path"="C:\\Documents and Settings\\rpachuta\\Start Menu\\Programs\\Startup\\.protected"
"backup"="C:\\WINDOWS\\pss\\.protectedStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\rpachuta\\Start Menu\\Programs\\Startup\\.protected"
"item"=".protected"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqrp
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winvtu32

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: 06-10-12 12:51:20.06
ComboFix.txt



Analyse:

Logfile of HijackThis v1.99.1
Scan saved at 12:57:20 PM, on 10/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\1872_Sprint\Fgrd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Documents and Settings\rpachuta\My Documents\My Received Files\Analyse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.destaco.com/index.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://intranet.destaco.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\bwuljljy.dll
O2 - BHO: (no name) - {41EE1232-D663-CBE3-1CAC-073214EAB567} - C:\WINDOWS\system32\vxreece.dll
O2 - BHO: (no name) - {57C6C9D6-9A0C-459C-A52B-42B223DB48DA} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {D9F9A869-03B5-493F-9DB2-DCB433A18431} - C:\WINDOWS\system32\ssqrp.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Tair] "C:\DOCUME~1\rpachuta\APPLIC~1\ICROSO~1\mmc.exe" -vt yazb
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {12545791-AC9A-44B2-8964-0DA216C4A4E5} (Cnsweb3d Control) - http://www.partcommunity.com/PARTcommunity...3D/cnsweb3d.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DESTACO
O17 - HKLM\Software\..\Telephony: DomainName = destaco.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = DESTACO
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = DESTACO
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: ssqrp - C:\WINDOWS\system32\ssqrp.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winvtu32 - winvtu32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FGR Service - Fiberlink Communications Corporation - C:\Program Files\1872_Sprint\Fgrd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

I look forward to your next reply.
Many Thanks
Ray

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:04:42 PM

Posted 12 October 2006 - 12:10 PM

Let's use another tool first to deal with certain infections...
Perform my steps in the right order...

Please download VundoFix.exe to your C:\.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • In case it says that nothing was found, Right click the list box (white box) in the main VundoFix window.
  • Select Add More Files? from the menu that comes up. This will open a new VundoFix window.
  • In the Window: copy and paste next in the first field: C:\WINDOWS\system32\ssqrp.dll
  • Click the Add Files button.
  • Click the "Close Window" button.
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\bwuljljy.dll
O2 - BHO: (no name) - {41EE1232-D663-CBE3-1CAC-073214EAB567} - C:\WINDOWS\system32\vxreece.dll
O2 - BHO: (no name) - {57C6C9D6-9A0C-459C-A52B-42B223DB48DA} - (no file)
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: (no name) - {D9F9A869-03B5-493F-9DB2-DCB433A18431} - C:\WINDOWS\system32\ssqrp.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Tair] "C:\DOCUME~1\rpachuta\APPLIC~1\ICROSO~1\mmc.exe" -vt yazb
O16 - DPF: {12545791-AC9A-44B2-8964-0DA216C4A4E5} (Cnsweb3d Control) - http://www.partcommunity.com/PARTcommunity...3D/cnsweb3d.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O20 - Winlogon Notify: ssqrp - C:\WINDOWS\system32\ssqrp.dll
O20 - Winlogon Notify: winvtu32 - winvtu32.dll (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the Posted Image icon next to it.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-1_5_0_09-windowsi586-p.exe to install the newest version.
Then rerun combofix and post the new log from combofix in your next reply together with the contents of C:\vundofix.txt and a new HiJackThis log.
The combofix log should show what we still need to delete afterwards.

Edited by miekiemoes, 12 October 2006 - 12:11 PM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
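The fix list above is built by eye from a few recurring indicators in the HijackThis log: BHO entries with "(no name)", entries whose DLL is "(no file)" or "(file missing)", a Run entry launching a system-tool name (mmc.exe) from an Application Data folder, and the same DLL (ssqrp.dll) registered both as a BHO and as a Winlogon Notify package. The script below is an added example, not part of this thread or of the HijackThis or VundoFix tools; it parses the O2, O4 and O20 lines quoted in the thread and flags those indicators automatically. The category names, the cross-check between the BHO and Winlogon Notify sections, and the list of Windows binary names used for the "system name outside the Windows directory" check are my own heuristics, not HijackThis output.

```python
"""Triage of HijackThis log lines for the persistence indicators seen in this thread."""
import re

# Constructed sample input: lines copied from the HijackThis log posted above,
# plus two benign entries (Adobe BHO, Symantec ccApp, NavLogon) for contrast.
SAMPLE_LOG = r"""O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\bwuljljy.dll
O2 - BHO: (no name) - {57C6C9D6-9A0C-459C-A52B-42B223DB48DA} - (no file)
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: (no name) - {D9F9A869-03B5-493F-9DB2-DCB433A18431} - C:\WINDOWS\system32\ssqrp.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Tair] "C:\DOCUME~1\rpachuta\APPLIC~1\ICROSO~1\mmc.exe" -vt yazb
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: ssqrp - C:\WINDOWS\system32\ssqrp.dll
O20 - Winlogon Notify: winvtu32 - winvtu32.dll (file missing)
"""

# HijackThis line shapes for the three sections we care about.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")

# Heuristic (my assumption, not a HijackThis rule): a Run entry that launches a
# binary carrying one of these Windows names from outside the Windows directory
# is worth a look, as with the mmc.exe under Application Data in this log.
SYSTEM_BINARY_NAMES = {
    "mmc.exe", "svchost.exe", "explorer.exe", "rundll32.exe",
    "lsass.exe", "winlogon.exe", "services.exe", "csrss.exe",
}

def basename(path):
    """Strip a '(file missing)' suffix, surrounding quotes and directories; lower-case."""
    path = path.strip().strip('"')
    path = re.sub(r"\s*\((?:no file|file missing)\)$", "", path)
    return path.rsplit("\\", 1)[-1].lower()

def first_exe(cmd):
    """Return the executable part of a Run command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]

def triage(log_text):
    """Return (category, evidence) tuples for suspicious O2/O4/O20 lines."""
    findings = []
    bho_dlls = {}      # dll basename -> log line
    notify_dlls = {}   # dll basename -> log line
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = BHO_RE.match(line)
        if m:
            path = m.group("path")
            if path.endswith(("(no file)", "(file missing)")):
                findings.append(("ORPHANED_ENTRY", line))
            if m.group("name") == "(no name)":
                findings.append(("NAMELESS_BHO", line))
            if path != "(no file)":
                bho_dlls[basename(path)] = line
            continue
        m = NOTIFY_RE.match(line)
        if m:
            path = m.group("path")
            if path.endswith("(file missing)"):
                findings.append(("ORPHANED_ENTRY", line))
            notify_dlls[basename(path)] = line
            continue
        m = RUN_RE.match(line)
        if m:
            exe = first_exe(m.group("cmd"))
            in_windir = exe.upper().startswith(("C:\\WINDOWS", "%SYSTEMROOT%"))
            if basename(exe) in SYSTEM_BINARY_NAMES and not in_windir:
                findings.append(("SYSTEM_NAME_OUTSIDE_WINDIR", line))
    # Cross-check: one DLL loaded both as a BHO and as a Winlogon Notify package
    # (ssqrp.dll in this thread) is the combination the fix list targets.
    for dll in sorted(set(bho_dlls) & set(notify_dlls)):
        findings.append(("BHO_AND_WINLOGON_NOTIFY", dll))
    return findings

if __name__ == "__main__":
    for category, evidence in triage(SAMPLE_LOG):
        print(f"{category:28} {evidence}")
```

Run against the sample, the script reports the four nameless BHOs, the three orphaned entries, the mmc.exe Run entry and the ssqrp.dll overlap, and stays silent on the Adobe, Symantec and NavLogon lines; it is a first pass for reading a log, not a substitute for the manual review the helper does here.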

#5 Detmer09

Detmer09
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:42 AM

Posted 12 October 2006 - 02:10 PM

O.k. when I ran the Vundofix it seemed to delete all files it found with the exception of the C:\WINDOWS\system32\ssqrp.dll. I rebooted 3 times and it still could not delete it. I then cancelled and continued on to the next steps.

Here are the log files you requested:

ComboFix:

rpachuta - 06-10-12 14:58:26.68 Service Pack 2
ComboFix 06.10.12 - Running from: "C:\Documents and Settings\rpachuta\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\rpachuta\Application Data\ICROSO~1
C:\QooBox\Purity\Documents and Settings\rpachuta\Application Data\ICROSO~1\?icrosoft
C:\QooBox\Purity\Program Files\ASKS~1
C:\QooBox\Purity\Program Files\Common Files\SCURIT~1
C:\QooBox\Purity\WINDOWS\system32\SKS~1


((((((((((((((((((((((((((((((( Files Created from 2006-09-12 to 2006-10-12 ))))))))))))))))))))))))))))))))))


2006-10-12 14:12 98,324 --a------ C:\WINDOWS\system32\rlfadcht.dll
2006-10-12 12:35 98,324 --a------ C:\WINDOWS\system32\bwuljljy.dll
2006-10-12 08:04 98,324 --a------ C:\WINDOWS\system32\uwsseacw.dll
2006-10-11 18:08 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2006-10-11 17:52 8,192 --a------ C:\WINDOWS\system32\wshirda.dll
2006-10-11 17:52 27,136 --a------ C:\WINDOWS\system32\irmon.dll
2006-10-11 17:52 152,576 --a------ C:\WINDOWS\system32\irftp.exe
2006-10-11 17:43 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2006-10-11 17:43 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2006-10-06 08:07 684,084 --------- C:\WINDOWS\system32\ssqrp.dll
2006-09-19 15:23 157,352 --a------ C:\WINDOWS\system32\pxwma.dll
2006-09-19 15:23 115,880 --a------ C:\WINDOWS\system32\pxinsi64.exe
2006-09-19 15:23 114,856 --a------ C:\WINDOWS\system32\pxcpyi64.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-12 14:57 -------- d-------- C:\Program Files\Java
2006-10-12 14:56 -------- d-------- C:\Program Files\Common Files\Java
2006-10-12 14:56 -------- d-------- C:\Program Files\Common Files
2006-10-12 14:55 -------- d-------- C:\Program Files\Symantec AntiVirus
2006-10-11 18:06 -------- d-------- C:\Program Files\Windows Media Player
2006-10-11 18:06 -------- d-------- C:\Program Files\Outlook Express
2006-10-11 18:06 -------- d-------- C:\Program Files\Internet Explorer
2006-10-11 18:06 -------- d-------- C:\Program Files\Common Files\System
2006-10-11 13:07 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\Lavasoft
2006-10-11 13:06 -------- d-------- C:\Program Files\Lavasoft
2006-10-11 08:42 -------- d-------- C:\Program Files\VSToolbar
2006-10-06 11:04 -------- d-------- C:\Program Files\Windows Defender
2006-10-05 11:34 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\Google
2006-10-05 11:32 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-05 11:32 -------- d-------- C:\Program Files\Google
2006-09-30 11:54 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\Adobe
2006-09-29 16:11 -------- d-------- C:\Program Files\Common Files\Adobe
2006-09-29 16:07 -------- d-------- C:\Program Files\Adobe
2006-09-25 15:29 -------- d-------- C:\Program Files\BearShare
2006-09-19 16:13 -------- d-------- C:\Program Files\Yahoo!
2006-09-19 15:23 -------- d-------- C:\Program Files\illiminable
2006-09-19 15:23 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-09-19 11:06 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\cadenas
2006-09-18 10:03 -------- d-------- C:\Program Files\Soundslides
2006-09-17 22:53 -------- d---s---- C:\Documents and Settings\rpachuta\Application Data\Microsoft
2006-09-14 15:10 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\SolidWorks
2006-09-11 13:27 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\Real
2006-09-11 13:26 -------- d-------- C:\Program Files\Real
2006-09-11 13:25 -------- d-------- C:\Program Files\Common Files\xing shared
2006-09-11 13:25 -------- d-------- C:\Program Files\Common Files\Real
2006-09-11 08:38 -------- d-------- C:\Program Files\QuickTime
2006-09-07 11:02 -------- d-------- C:\Program Files\WinRAR
2006-09-07 11:01 -------- d-------- C:\Program Files\RAR Password Cracker
2006-09-05 13:13 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\Sun
2006-09-01 09:38 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\Opera
2006-08-29 21:35 -------- d-------- C:\Program Files\Zoto
2006-08-29 16:03 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\Macromedia
2006-08-27 11:26 -------- d-------- C:\Program Files\MyGlobalSearch
2006-08-26 11:09 -------- d-------- C:\Program Files\Winamp
2006-08-26 10:24 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\Canon
2006-08-25 14:59 -------- d-------- C:\Program Files\DWGeditor
2006-08-24 21:36 -------- d-------- C:\Program Files\Canon
2006-08-24 09:55 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\Quark
2006-08-24 09:48 -------- d-------- C:\Program Files\Quark
2006-08-24 09:34 -------- d-------- C:\Program Files\Common Files\Express Digital
2006-08-24 08:59 -------- d-------- C:\Program Files\Common Files\Canon
2006-08-24 08:38 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\DWGeditor
2006-08-24 08:36 -------- d-------- C:\Program Files\SolidWorks
2006-08-24 08:36 -------- d-------- C:\Program Files\Common Files\SolidWorks Shared
2006-08-24 08:34 -------- d-------- C:\Program Files\Common Files\DESIGNER
2006-08-24 08:34 -------- d-------- C:\Program Files\Bluebeam Software
2006-08-24 08:33 -------- d-------- C:\Program Files\Common Files\Bluebeam Software
2006-08-24 08:27 -------- d--h----- C:\Program Files\Uninstall Information
2006-08-24 08:27 -------- d-------- C:\Program Files\Common Files\Solidworks Data
2006-08-23 14:29 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\ExpressDigital
2006-08-23 14:15 -------- d-------- C:\Program Files\Common Files\Nikon
2006-08-23 14:14 -------- d-------- C:\Program Files\ExpressDigital
2006-08-23 10:09 -------- d-------- C:\Program Files\1872_Sprint
2006-08-23 10:06 -------- d-------- C:\Program Files\SolidWorks Viewer
2006-08-23 10:06 -------- d-------- C:\Program Files\Netscape
2006-08-23 10:04 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\AdobeUM
2006-08-23 09:43 -------- d-------- C:\Program Files\Messenger
2006-08-23 08:55 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\Intel
2006-08-23 08:55 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\Identities
2006-08-23 08:41 -------- d-------- C:\Program Files\Microsoft Works
2006-08-23 08:41 -------- d-------- C:\Program Files\Microsoft Visual Studio
2006-08-23 08:41 -------- d-------- C:\Program Files\Microsoft Office
2006-08-23 08:41 -------- d-------- C:\Program Files\Microsoft ActiveSync
2006-08-23 08:36 -------- d-------- C:\Program Files\Common Files\Adobe Systems Shared
2006-08-23 08:19 57344 --a------ C:\WINDOWS\uneng.exe
2006-08-23 08:19 30630 --a------ C:\WINDOWS\system32\drivers\Mmc_2k.sys
2006-08-23 08:19 25898 --a------ C:\WINDOWS\system32\drivers\Dvd_2k.sys
2006-08-23 08:19 206464 --a------ C:\WINDOWS\system32\drivers\udfreadr_xp.sys
2006-08-23 08:19 143834 --a------ C:\WINDOWS\system32\drivers\pwd_2K.sys
2006-08-23 08:19 -------- d-------- C:\Program Files\Roxio
2006-08-23 08:19 -------- d-------- C:\Program Files\Common Files\Adaptec Shared
2006-08-22 16:30 -------- d-------- C:\Program Files\Common Files\Autodesk Shared
2006-08-22 16:30 -------- d-------- C:\Program Files\Autodesk Volo View
2006-08-22 16:17 -------- d-------- C:\Program Files\CheckPoint
2006-08-22 16:16 -------- d-------- C:\Program Files\Common Files\eDrawings2006
2006-08-22 16:06 -------- d-------- C:\Program Files\WinZip
2006-08-22 16:06 -------- d-------- C:\Program Files\Oracle
2006-08-22 15:57 -------- d-------- C:\Program Files\lotus
2006-08-22 15:34 -------- d-------- C:\Program Files\BlueTooth
2006-08-22 15:32 -------- d-------- C:\Program Files\Toshiba
2006-08-22 15:15 21419 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2006-08-22 15:14 -------- d-------- C:\Program Files\Intel
2006-08-22 15:09 -------- d-------- C:\Program Files\Apoint
2006-08-22 14:50 -------- d-------- C:\Program Files\Dell
2006-08-22 14:43 -------- d-------- C:\Program Files\CONEXANT
2006-08-22 14:37 -------- d-------- C:\Program Files\SigmaTel
2006-08-22 14:37 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-08-22 14:33 -------- d-------- C:\Program Files\ATI Technologies
2006-08-22 13:45 -------- d-------- C:\Program Files\Online Services
2006-08-22 13:34 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-08-22 13:26 -------- d-------- C:\Program Files\Broadcom
2006-08-22 13:18 -------- d-------- C:\Program Files\Symantec
2006-08-22 13:08 0 -rahs---- C:\MSDOS.SYS
2006-08-22 13:08 0 -rahs---- C:\IO.SYS
2006-08-22 13:08 0 --a------ C:\CONFIG.SYS
2006-08-22 13:08 0 --a------ C:\AUTOEXEC.BAT
2006-08-22 13:08 -------- d-------- C:\Program Files\xerox
2006-08-22 13:08 -------- d-------- C:\Program Files\microsoft frontpage
2006-08-22 13:07 -------- d--h----- C:\Program Files\WindowsUpdate
2006-08-22 13:06 -------- d-------- C:\Program Files\NetMeeting
2006-08-22 13:06 -------- d-------- C:\Program Files\Movie Maker
2006-08-22 13:06 -------- d-------- C:\Program Files\Common Files\Services
2006-08-22 13:06 -------- d-------- C:\Program Files\Common Files\MSSoap
2006-08-22 13:05 -------- d-------- C:\Program Files\ComPlus Applications
2006-08-22 13:04 -------- d-------- C:\Program Files\Windows NT
2006-08-22 13:04 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-08-22 13:04 -------- d-------- C:\Program Files\MSN
2006-08-22 08:51 -------- d-------- C:\Program Files\Common Files\SpeechEngines
2006-08-22 08:51 -------- d-------- C:\Program Files\Common Files\ODBC
2006-08-22 08:50 62 --ahs---- C:\Documents and Settings\rpachuta\Application Data\desktop.ini
2006-08-14 12:43 36528 --a------ C:\WINDOWS\system32\drivers\PxHelp20.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"Dell QuickSet"="C:\\Program Files\\Dell\\QuickSet\\quickset.exe"
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"IntelZeroConfig"="\"C:\\Program Files\\Intel\\Wireless\\bin\\ZCfgSvc.exe\""
"IntelWireless"="\"C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe\" /tf Intel PROSet/Wireless"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
@=""
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoWelcomeScreen"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableCAD"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^.protected]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\.protected"
"backup"="C:\\WINDOWS\\pss\\.protectedCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\.protected"
"item"=".protected"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^rpachuta^Start Menu^Programs^Startup^.protected]
"path"="C:\\Documents and Settings\\rpachuta\\Start Menu\\Programs\\Startup\\.protected"
"backup"="C:\\WINDOWS\\pss\\.protectedStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\rpachuta\\Start Menu\\Programs\\Startup\\.protected"
"item"=".protected"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqrp

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: 06-10-12 15:00:29.61
ComboFix.txt
combofix2.txt



VundoFix:

VundoFix V6.2.1

Checking Java version...

Java version is 1.5.0.6

Scan started at 2:02:57 PM 10/12/2006

Listing files found while scanning....

C:\WINDOWS\system32\fvqmcgd.dll
C:\WINDOWS\system32\vxreece.dll
C:\WINDOWS\system32\jajgoxik.exe
C:\WINDOWS\system32\tklrttxi.exe
C:\WINDOWS\system32\ydjtpqtt.exe
C:\WINDOWS\system32\ssqrp.dll
C:\WINDOWS\system32\prqss.ini
C:\WINDOWS\system32\prqss.bak1
C:\WINDOWS\system32\prqss.bak2
C:\WINDOWS\system32\prqss.ini2
C:\WINDOWS\system32\prqss.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\system32\fvqmcgd.dll
C:\WINDOWS\system32\fvqmcgd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vxreece.dll
C:\WINDOWS\system32\vxreece.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\jajgoxik.exe
C:\WINDOWS\system32\jajgoxik.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\tklrttxi.exe
C:\WINDOWS\system32\tklrttxi.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\ydjtpqtt.exe
C:\WINDOWS\system32\ydjtpqtt.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqrp.dll
C:\WINDOWS\system32\ssqrp.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\prqss.ini
C:\WINDOWS\system32\prqss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\prqss.bak1
C:\WINDOWS\system32\prqss.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\prqss.bak2
C:\WINDOWS\system32\prqss.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\prqss.ini2
C:\WINDOWS\system32\prqss.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\prqss.tmp
C:\WINDOWS\system32\prqss.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqrp.dll
C:\WINDOWS\system32\ssqrp.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.2.1

Checking Java version...

Java version is 1.5.0.6

Scan started at 2:15:04 PM 10/12/2006

Listing files found while scanning....

C:\WINDOWS\system32\vxreece.dll
C:\WINDOWS\system32\cnnqjvhk.exe
C:\WINDOWS\system32\ssqrp.dll
C:\WINDOWS\system32\prqss.ini
C:\WINDOWS\system32\prqss.ini2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\vxreece.dll
C:\WINDOWS\system32\vxreece.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\cnnqjvhk.exe
C:\WINDOWS\system32\cnnqjvhk.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqrp.dll
C:\WINDOWS\system32\ssqrp.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\prqss.ini
C:\WINDOWS\system32\prqss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\prqss.ini2
C:\WINDOWS\system32\prqss.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.1

Checking Java version...

Java version is 1.5.0.6

Scan started at 2:23:24 PM 10/12/2006

Listing files found while scanning....

C:\WINDOWS\system32\ssqrp.dll
C:\WINDOWS\system32\prqss.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ssqrp.dll
C:\WINDOWS\system32\ssqrp.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\prqss.ini
C:\WINDOWS\system32\prqss.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ssqrp.dll
C:\WINDOWS\system32\ssqrp.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\prqss.ini
C:\WINDOWS\system32\prqss.ini Has been deleted!

Performing Repairs to the registry.
Done!



Analyse:

Logfile of HijackThis v1.99.1
Scan saved at 2:35:53 PM, on 10/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\1872_Sprint\Fgrd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Documents and Settings\rpachuta\My Documents\My Received Files\Analyse.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.destaco.com/index.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://intranet.destaco.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\bwuljljy.dll
O2 - BHO: (no name) - {41EE1232-D663-CBE3-1CAC-073214EAB567} - C:\WINDOWS\system32\vxreece.dll (file missing)
O2 - BHO: (no name) - {523593BF-9AC7-47A6-A625-C790FDD419C7} - C:\WINDOWS\system32\ssqrp.dll
O2 - BHO: (no name) - {57C6C9D6-9A0C-459C-A52B-42B223DB48DA} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Tair] "C:\DOCUME~1\rpachuta\APPLIC~1\ICROSO~1\mmc.exe" -vt yazb
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {12545791-AC9A-44B2-8964-0DA216C4A4E5} (Cnsweb3d Control) - http://www.partcommunity.com/PARTcommunity...3D/cnsweb3d.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DESTACO
O17 - HKLM\Software\..\Telephony: DomainName = destaco.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = DESTACO
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = DESTACO
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: ssqrp - C:\WINDOWS\system32\ssqrp.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winvtu32 - winvtu32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FGR Service - Fiberlink Communications Corporation - C:\Program Files\1872_Sprint\Fgrd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe


I look forward to your next reply.

Again, thank you
Ray

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:04:42 PM

Posted 12 October 2006 - 02:23 PM

Hello,

Did you check and fix the entries in Hijackthis as I asked you before? Because none of the entries are being fixed...

So, perform the next steps again.


* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\bwuljljy.dll
O2 - BHO: (no name) - {41EE1232-D663-CBE3-1CAC-073214EAB567} - C:\WINDOWS\system32\vxreece.dll (file missing)
O2 - BHO: (no name) - {523593BF-9AC7-47A6-A625-C790FDD419C7} - C:\WINDOWS\system32\ssqrp.dll
O2 - BHO: (no name) - {57C6C9D6-9A0C-459C-A52B-42B223DB48DA} - (no file)
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt0.dll (file missing)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Tair] "C:\DOCUME~1\rpachuta\APPLIC~1\ICROSO~1\mmc.exe" -vt yazb
O16 - DPF: {12545791-AC9A-44B2-8964-0DA216C4A4E5} (Cnsweb3d Control) - http://www.partcommunity.com/PARTcommunity...3D/cnsweb3d.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O20 - Winlogon Notify: ssqrp - C:\WINDOWS\system32\ssqrp.dll
O20 - Winlogon Notify: winvtu32 - winvtu32.dll (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Don't worry if some entries won't get fixed yet.

Then, go to start > run and copy and paste next command in the field:

"C:\Documents and Settings\rpachuta\Desktop\Combofix.exe" /v ssqrp uwsseacw bwuljljy rlfadcht

Hit enter

This starts Combofix in another way, telling it to delete certain files. So don't run Combofix by double-clicking combofix.exe.
It really should be done by copying and pasting the above command in start > run, otherwise it won't delete anything.

Combofix will reboot your computer. After reboot, post the new combofix log in your next reply, together with a new hijackthislog.

Edited by miekiemoes, 12 October 2006 - 02:29 PM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
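The entries the helper asks to be fixed above share a few traits that a responder can recognise mechanically in a HijackThis log: BHOs registered with "(no name)", entries whose target file is already gone, a Winlogon Notify DLL that is not one of the known components on the machine, and an autostart launched from inside the user's profile. The script below is an added example, not part of this thread and not code from HijackThis, ComboFix or VundoFix; it triages HijackThis 1.99.1 lines with those four checks. The sample log lines are constructed from the entries quoted in this thread, and the small allowlist of Winlogon Notify DLLs is an assumption made for the example (it contains only the notify DLLs the helper left alone here, not an authoritative list).

```python
import re
from dataclasses import dataclass

# Constructed sample: HijackThis 1.99.1 lines modelled on the log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\bwuljljy.dll
O2 - BHO: (no name) - {41EE1232-D663-CBE3-1CAC-073214EAB567} - C:\WINDOWS\system32\vxreece.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Tair] "C:\DOCUME~1\rpachuta\APPLIC~1\ICROSO~1\mmc.exe" -vt yazb
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: ssqrp - C:\WINDOWS\system32\ssqrp.dll
O20 - Winlogon Notify: winvtu32 - winvtu32.dll (file missing)
"""

# Assumed allowlist for this example only: the Winlogon Notify DLLs the helper
# in this thread treated as legitimate. A real triage would use a vetted list.
KNOWN_NOTIFY_DLLS = {"navlogon.dll", "wgalogon.dll", "ckpnotify.dll"}

# Autostart targets living inside a user profile (short or long path form).
PROFILE_PATH_RE = re.compile(r"(DOCUME~1|Documents and Settings|APPLIC~1|Application Data)", re.I)

# "O2 - BHO: ..." / "O20 - Winlogon Notify: ..." / "R0 - ..." line prefix.
SECTION_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O2" or "O20"
    reason: str
    line: str


def basename(path):
    """Lower-cased file name of a Windows path (handles both slash styles)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def triage_line(line):
    """Return a Finding for a suspicious HijackThis line, or None if it looks benign."""
    line = line.strip()
    m = SECTION_RE.match(line)
    if not m:
        return None
    section, body = m.group(1), m.group(2)

    # Orphaned registration: the DLL/EXE is gone but the hook is still set.
    if body.endswith("(file missing)"):
        return Finding(section, "orphaned entry: target file missing", line)

    # Legitimate BHOs almost always register a display name.
    if section == "O2" and "BHO: (no name)" in body:
        return Finding(section, "BHO registered without a name", line)

    # Winlogon Notify DLLs load into winlogon.exe and resist deletion while
    # Windows runs (as ssqrp.dll did above); anything outside the allowlist is flagged.
    if section == "O20":
        dll = basename(body.split(" - ", 1)[-1])
        if dll not in KNOWN_NOTIFY_DLLS:
            return Finding(section, f"unrecognised Winlogon Notify DLL {dll}", line)

    # Run-key targets inside the user profile are a classic adware drop location.
    if section == "O4" and PROFILE_PATH_RE.search(body):
        return Finding(section, "autostart from a user profile directory", line)

    return None


def triage(log_text):
    """Triage every line of a HijackThis log; returns the list of Findings in log order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the constructed sample, the script flags exactly the five entries the helper listed for fixing (bwuljljy.dll, vxreece.dll, the Tair run key, ssqrp.dll and winvtu32.dll) and passes over the Adobe, Java, Symantec and NavLogon entries. The O16 ActiveX entries are deliberately left to a human, since, as the poster notes below, some of them belong to work software.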

#7 Detmer09

Detmer09
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:42 AM

Posted 12 October 2006 - 02:49 PM

I did check most of the files you requested with the exception of the oracle initiator and partcommunity as these are part of programs that I use for work. All others were checked.

I don't believe I reran hijackthis after I clicked on Fix Checked.

Here are the new log files:

ComboFix:

rpachuta - 06-10-12 15:38:19.68 Service Pack 2
ComboFix 06.10.12 - Running from: "C:\Documents and Settings\rpachuta\Desktop"
Command switches used :: /v ssqrp uwsseacw bwuljljy rlfadcht

(((((((((((((((((((((((((((((((((((((((((((((((( Vundo Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ssqrp.dll
C:\WINDOWS\system32\uwsseacw.dll
C:\WINDOWS\system32\bwuljljy.dll
C:\WINDOWS\system32\rlfadcht.dll
C:\WINDOWS\system32\prqss.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\rpachuta\Application Data\ICROSO~1
C:\QooBox\Purity\Documents and Settings\rpachuta\Application Data\ICROSO~1\?icrosoft
C:\QooBox\Purity\Program Files\ASKS~1
C:\QooBox\Purity\Program Files\Common Files\SCURIT~1
C:\QooBox\Purity\WINDOWS\system32\SKS~1


((((((((((((((((((((((((((((((( Files Created from 2006-09-12 to 2006-10-12 ))))))))))))))))))))))))))))))))))


2006-10-11 18:08 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2006-10-11 17:52 8,192 --a------ C:\WINDOWS\system32\wshirda.dll
2006-10-11 17:52 27,136 --a------ C:\WINDOWS\system32\irmon.dll
2006-10-11 17:52 152,576 --a------ C:\WINDOWS\system32\irftp.exe
2006-10-11 17:43 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2006-10-11 17:43 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2006-09-19 15:23 157,352 --a------ C:\WINDOWS\system32\pxwma.dll
2006-09-19 15:23 115,880 --a------ C:\WINDOWS\system32\pxinsi64.exe
2006-09-19 15:23 114,856 --a------ C:\WINDOWS\system32\pxcpyi64.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-12 15:41 -------- d-------- C:\Program Files\Symantec AntiVirus
2006-10-12 14:57 -------- d-------- C:\Program Files\Java
2006-10-12 14:56 -------- d-------- C:\Program Files\Common Files\Java
2006-10-12 14:56 -------- d-------- C:\Program Files\Common Files
2006-10-11 18:06 -------- d-------- C:\Program Files\Windows Media Player
2006-10-11 18:06 -------- d-------- C:\Program Files\Outlook Express
2006-10-11 18:06 -------- d-------- C:\Program Files\Internet Explorer
2006-10-11 18:06 -------- d-------- C:\Program Files\Common Files\System
2006-10-11 13:07 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\Lavasoft
2006-10-11 13:06 -------- d-------- C:\Program Files\Lavasoft
2006-10-11 08:42 -------- d-------- C:\Program Files\VSToolbar
2006-10-06 11:04 -------- d-------- C:\Program Files\Windows Defender
2006-10-05 11:34 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\Google
2006-10-05 11:32 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-05 11:32 -------- d-------- C:\Program Files\Google
2006-09-30 11:54 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\Adobe
2006-09-29 16:11 -------- d-------- C:\Program Files\Common Files\Adobe
2006-09-29 16:07 -------- d-------- C:\Program Files\Adobe
2006-09-25 15:29 -------- d-------- C:\Program Files\BearShare
2006-09-19 16:13 -------- d-------- C:\Program Files\Yahoo!
2006-09-19 15:23 -------- d-------- C:\Program Files\illiminable
2006-09-19 15:23 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-09-19 11:06 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\cadenas
2006-09-18 10:03 -------- d-------- C:\Program Files\Soundslides
2006-09-17 22:53 -------- d---s---- C:\Documents and Settings\rpachuta\Application Data\Microsoft
2006-09-14 15:10 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\SolidWorks
2006-09-11 13:27 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\Real
2006-09-11 13:26 -------- d-------- C:\Program Files\Real
2006-09-11 13:25 -------- d-------- C:\Program Files\Common Files\xing shared
2006-09-11 13:25 -------- d-------- C:\Program Files\Common Files\Real
2006-09-11 08:38 -------- d-------- C:\Program Files\QuickTime
2006-09-07 11:02 -------- d-------- C:\Program Files\WinRAR
2006-09-07 11:01 -------- d-------- C:\Program Files\RAR Password Cracker
2006-09-05 13:13 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\Sun
2006-09-01 09:38 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\Opera
2006-08-29 21:35 -------- d-------- C:\Program Files\Zoto
2006-08-29 16:03 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\Macromedia
2006-08-27 11:26 -------- d-------- C:\Program Files\MyGlobalSearch
2006-08-26 11:09 -------- d-------- C:\Program Files\Winamp
2006-08-26 10:24 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\Canon
2006-08-25 14:59 -------- d-------- C:\Program Files\DWGeditor
2006-08-24 21:36 -------- d-------- C:\Program Files\Canon
2006-08-24 09:55 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\Quark
2006-08-24 09:48 -------- d-------- C:\Program Files\Quark
2006-08-24 09:34 -------- d-------- C:\Program Files\Common Files\Express Digital
2006-08-24 08:59 -------- d-------- C:\Program Files\Common Files\Canon
2006-08-24 08:38 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\DWGeditor
2006-08-24 08:36 -------- d-------- C:\Program Files\SolidWorks
2006-08-24 08:36 -------- d-------- C:\Program Files\Common Files\SolidWorks Shared
2006-08-24 08:34 -------- d-------- C:\Program Files\Common Files\DESIGNER
2006-08-24 08:34 -------- d-------- C:\Program Files\Bluebeam Software
2006-08-24 08:33 -------- d-------- C:\Program Files\Common Files\Bluebeam Software
2006-08-24 08:27 -------- d--h----- C:\Program Files\Uninstall Information
2006-08-24 08:27 -------- d-------- C:\Program Files\Common Files\Solidworks Data
2006-08-23 14:29 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\ExpressDigital
2006-08-23 14:15 -------- d-------- C:\Program Files\Common Files\Nikon
2006-08-23 14:14 -------- d-------- C:\Program Files\ExpressDigital
2006-08-23 10:09 -------- d-------- C:\Program Files\1872_Sprint
2006-08-23 10:06 -------- d-------- C:\Program Files\SolidWorks Viewer
2006-08-23 10:06 -------- d-------- C:\Program Files\Netscape
2006-08-23 10:04 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\AdobeUM
2006-08-23 09:43 -------- d-------- C:\Program Files\Messenger
2006-08-23 08:55 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\Intel
2006-08-23 08:55 -------- d-------- C:\Documents and Settings\rpachuta\Application Data\Identities
2006-08-23 08:41 -------- d-------- C:\Program Files\Microsoft Works
2006-08-23 08:41 -------- d-------- C:\Program Files\Microsoft Visual Studio
2006-08-23 08:41 -------- d-------- C:\Program Files\Microsoft Office
2006-08-23 08:41 -------- d-------- C:\Program Files\Microsoft ActiveSync
2006-08-23 08:36 -------- d-------- C:\Program Files\Common Files\Adobe Systems Shared
2006-08-23 08:19 57344 --a------ C:\WINDOWS\uneng.exe
2006-08-23 08:19 30630 --a------ C:\WINDOWS\system32\drivers\Mmc_2k.sys
2006-08-23 08:19 25898 --a------ C:\WINDOWS\system32\drivers\Dvd_2k.sys
2006-08-23 08:19 206464 --a------ C:\WINDOWS\system32\drivers\udfreadr_xp.sys
2006-08-23 08:19 143834 --a------ C:\WINDOWS\system32\drivers\pwd_2K.sys
2006-08-23 08:19 -------- d-------- C:\Program Files\Roxio
2006-08-23 08:19 -------- d-------- C:\Program Files\Common Files\Adaptec Shared
2006-08-22 16:30 -------- d-------- C:\Program Files\Common Files\Autodesk Shared
2006-08-22 16:30 -------- d-------- C:\Program Files\Autodesk Volo View
2006-08-22 16:17 -------- d-------- C:\Program Files\CheckPoint
2006-08-22 16:16 -------- d-------- C:\Program Files\Common Files\eDrawings2006
2006-08-22 16:06 -------- d-------- C:\Program Files\WinZip
2006-08-22 16:06 -------- d-------- C:\Program Files\Oracle
2006-08-22 15:57 -------- d-------- C:\Program Files\lotus
2006-08-22 15:34 -------- d-------- C:\Program Files\BlueTooth
2006-08-22 15:32 -------- d-------- C:\Program Files\Toshiba
2006-08-22 15:15 21419 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2006-08-22 15:14 -------- d-------- C:\Program Files\Intel
2006-08-22 15:09 -------- d-------- C:\Program Files\Apoint
2006-08-22 14:50 -------- d-------- C:\Program Files\Dell
2006-08-22 14:43 -------- d-------- C:\Program Files\CONEXANT
2006-08-22 14:37 -------- d-------- C:\Program Files\SigmaTel
2006-08-22 14:37 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-08-22 14:33 -------- d-------- C:\Program Files\ATI Technologies
2006-08-22 13:45 -------- d-------- C:\Program Files\Online Services
2006-08-22 13:34 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-08-22 13:26 -------- d-------- C:\Program Files\Broadcom
2006-08-22 13:18 -------- d-------- C:\Program Files\Symantec
2006-08-22 13:08 0 -rahs---- C:\MSDOS.SYS
2006-08-22 13:08 0 -rahs---- C:\IO.SYS
2006-08-22 13:08 0 --a------ C:\CONFIG.SYS
2006-08-22 13:08 0 --a------ C:\AUTOEXEC.BAT
2006-08-22 13:08 -------- d-------- C:\Program Files\xerox
2006-08-22 13:08 -------- d-------- C:\Program Files\microsoft frontpage
2006-08-22 13:07 -------- d--h----- C:\Program Files\WindowsUpdate
2006-08-22 13:06 -------- d-------- C:\Program Files\NetMeeting
2006-08-22 13:06 -------- d-------- C:\Program Files\Movie Maker
2006-08-22 13:06 -------- d-------- C:\Program Files\Common Files\Services
2006-08-22 13:06 -------- d-------- C:\Program Files\Common Files\MSSoap
2006-08-22 13:05 -------- d-------- C:\Program Files\ComPlus Applications
2006-08-22 13:04 -------- d-------- C:\Program Files\Windows NT
2006-08-22 13:04 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-08-22 13:04 -------- d-------- C:\Program Files\MSN
2006-08-22 08:51 -------- d-------- C:\Program Files\Common Files\SpeechEngines
2006-08-22 08:51 -------- d-------- C:\Program Files\Common Files\ODBC
2006-08-22 08:50 62 --ahs---- C:\Documents and Settings\rpachuta\Application Data\desktop.ini
2006-08-14 12:43 36528 --a------ C:\WINDOWS\system32\drivers\PxHelp20.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"Dell QuickSet"="C:\\Program Files\\Dell\\QuickSet\\quickset.exe"
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"IntelZeroConfig"="\"C:\\Program Files\\Intel\\Wireless\\bin\\ZCfgSvc.exe\""
"IntelWireless"="\"C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe\" /tf Intel PROSet/Wireless"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
@=""
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoWelcomeScreen"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableCAD"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^.protected]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\.protected"
"backup"="C:\\WINDOWS\\pss\\.protectedCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\.protected"
"item"=".protected"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^rpachuta^Start Menu^Programs^Startup^.protected]
"path"="C:\\Documents and Settings\\rpachuta\\Start Menu\\Programs\\Startup\\.protected"
"backup"="C:\\WINDOWS\\pss\\.protectedStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\rpachuta\\Start Menu\\Programs\\Startup\\.protected"
"item"=".protected"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: 06-10-12 15:41:54.79
ComboFix.txt
combofix2.txt
combofix3.txt



Analyse:

Logfile of HijackThis v1.99.1
Scan saved at 3:46:52 PM, on 10/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\1872_Sprint\Fgrd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\rpachuta\My Documents\My Received Files\Analyse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.destaco.com/index.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://intranet.destaco.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DESTACO
O17 - HKLM\Software\..\Telephony: DomainName = destaco.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = DESTACO
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = DESTACO
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FGR Service - Fiberlink Communications Corporation - C:\Program Files\1872_Sprint\Fgrd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

#8 miekiemoes
Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 12 October 2006 - 03:10 PM

Almost there... :thumbsup:

I did check most of the files you requested with the exception of the oracle initiator and partcommunity as these are part of programs that I use for work


The Oracle Initiator is an orphaned entry:

O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -

So there's no file attached to it anyway, that's why you may fix it. Teatimer is responsible for leaving those in the registry.

Now I see it's partCommunity; I read PartyCommunity instead, which looked suspicious.
Anyway, whether you fixed it or not, O16 entries are just ActiveX/downloaded files. When you go to the site again and the O16 (ActiveX) is not present on your system anymore, it will reinstall itself, asking you to install the ActiveX.

Let's deal with the leftovers now..

A remark first..
I see Bearshare installed. In case you didn't pay for it, I strongly recommend you uninstall it -- because the free version is bundled with spyware.
Also look in Start > Control Panel > Software > Add/Remove Programs to see if VSToolbar and MyGlobalSearch are present there, and uninstall them.

Then delete next files and folders manually:

C:\WINDOWS\pss\.protectedCommon Startup
C:\WINDOWS\pss\.protectedStartup
C:\Program Files\VSToolbar <== folder
C:\Program Files\BearShare <== folder, in case you uninstalled it because you had the free version installed.
C:\Program Files\MyGlobalSearch <== folder

Open Notepad and copy and paste the text in the quotebox below into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^.protected]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^rpachuta^Start Menu^Programs^Startup^.protected]

Save this as fix.reg. Choose to save as *all files* and place it on your desktop.
It should look like this: Posted Image
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

Let me know in your next reply how things are running now. :flowers:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
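Two of the points in the post above (an O16 entry with no file behind it is orphaned, and a REGEDIT4 file whose keys start with `[-` deletes those keys when merged) can be checked mechanically before anything is fixed or merged. The following is an added example, not code from this thread, HijackThis, ComboFix or regedit; the sample HijackThis lines and the fix.reg text are constructed copies in the shape of the log and the post above, and the function names are my own.

```python
"""Review helpers: spot orphaned HijackThis entries and preview what a
REGEDIT4 fix file would do before it is merged.  Added example; not code
from the thread, HijackThis, ComboFix or regedit."""
import re
from dataclasses import dataclass

# Constructed sample lines in the shape of the HijackThis log above.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: Bluetooth Manager.lnk = ?
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
"""

# O16: "O16 - DPF: {CLSID} (friendly name) - <download URL or nothing>"
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\}) \((.*?)\) -\s*(\S*)\s*$")
# O4 startup shortcut whose target HijackThis could not resolve.
O4_UNRESOLVED_RE = re.compile(r"^O4 - .* = \?$")

def orphaned_entries(hjt_text):
    """Return O16 lines with no download URL (CLSID registered, no file
    behind it) and O4 shortcut lines ending in '= ?', both worth a review."""
    found = []
    for line in hjt_text.splitlines():
        line = line.strip()
        m = O16_RE.match(line)
        if m and not m.group(3):
            found.append(line)
        elif O4_UNRESOLVED_RE.match(line):
            found.append(line)
    return found

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")

@dataclass
class RegAction:
    kind: str          # delete_key | set_key | delete_value | set_value
    key: str
    name: str = ""
    data: str = ""

def header_ok(reg_text):
    """regedit only merges files that begin with a known header line."""
    lines = reg_text.lstrip().splitlines()
    return bool(lines) and lines[0].strip() in HEADERS

def parse_reg(reg_text):
    """Turn .reg text into RegAction records so the deletions it would
    perform can be read off before the file is merged."""
    if not header_ok(reg_text):
        raise ValueError("missing REGEDIT4 header")
    actions, current = [], None
    for raw in reg_text.lstrip().splitlines()[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if body.startswith("-"):           # [-KEY] deletes the whole key
                current = None
                actions.append(RegAction("delete_key", body[1:]))
            else:                              # [KEY] creates or opens it
                current = body
                actions.append(RegAction("set_key", body))
            continue
        if current is None:
            raise ValueError(f"value line outside any key: {line}")
        name, _, data = line.partition("=")
        name = "@" if name == "@" else name.strip('"')   # @ is the default value
        if data == "-":                         # "name"=- deletes one value
            actions.append(RegAction("delete_value", current, name))
        else:
            actions.append(RegAction("set_value", current, name, data))
    return actions

def deleted_keys(reg_text):
    return [a.key for a in parse_reg(reg_text) if a.kind == "delete_key"]

# Constructed copy of the fix.reg from the post above.
FIX_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^.protected]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^rpachuta^Start Menu^Programs^Startup^.protected]
"""

# msconfig keeps its disabled-startup-item backups under this subtree.
MSCONFIG_PREFIX = "HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupfolder\\"

def only_msconfig_deletions(reg_text):
    """True when every key the file deletes lies under msconfig's startup
    backups, the narrow scope the fix in the post above is meant to have."""
    keys = deleted_keys(reg_text)
    return bool(keys) and all(k.lower().startswith(MSCONFIG_PREFIX.lower()) for k in keys)

if __name__ == "__main__":
    for entry in orphaned_entries(SAMPLE_HJT):
        print("review:", entry)
    for action in parse_reg(FIX_REG):
        print(action.kind, action.key)
    print("scoped to msconfig backups:", only_msconfig_deletions(FIX_REG))
```

Run it as a script to list the two orphaned lines and the two key deletions. `only_msconfig_deletions` is the check worth keeping: a fix.reg that deletes anything outside the intended subtree, or that lacks the REGEDIT4 header the post insists on, fails before it ever reaches regedit.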

#9 Detmer09
  • Topic Starter
  • Members
  • 5 posts

Posted 12 October 2006 - 03:29 PM

Things seem to be running much much better. I am not receiving any pop ups at the moment....crossing my fingers. Should I run into any further issues, I will be replying to this message again.

Again, thank you very much for your time and effort.

Many Thanks
Ray

#10 miekiemoes
Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 12 October 2006 - 03:35 PM

Hi Ray,

Normally popups should be gone now.. No more drivercleaner and Winantivirus popups anymore as well now.. :thumbsup:

It won't hurt to scan again with an updated antivirus to get rid of the leftovers if still present.

Glad I could help. :flowers:

To keep this clean in the future, I would suggest the following things:

Install Spywareblaster
SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. Because a lot of free software can bundle other software, including spyware.

Let your antispyware scanner(s) scan frequently, and don't forget to update them beforehand.

And I do suggest you perform an online virusscan once in a while. (Housecall and/or Bitdefender). Because what one virusscanner can't find another one maybe can.
Also make sure that your virusscanner, the one that is installed on your system is always up to date!

Make sure your windows has the latest updates: http://windowsupdate.microsoft.com/

If you have XP SP2, read here how to configure security features for Internet Explorer:
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

Also visit this Free Online Scanner for PC Health and Safety and Microsoft Security At Home for tips to Protect your Pc, Protect yourself and Protect your Family.

More info on how to prevent malware you can also find here (By Tony Klein)
and here: http://wiki.castlecops.com/Malware_Prevent...nt_Re-infection

Also read: Simple and easy ways to keep your computer safe and secure on the Internet

Happy surfing again! :huh:

#11 miekiemoes
Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 18 October 2006 - 04:47 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.