
My Hijackthis Log


  • This topic is locked
21 replies to this topic

#1 rack04

rack04

  • Members
  • 16 posts

Posted 04 November 2006 - 04:44 PM

Logfile of HijackThis v1.99.1
Scan saved at 3:37:29 PM, on 11/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\lwinroem.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~3\wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\{EC75813A-0942-1033-0819-040405260001}\Update.exe
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\ismini.exe
C:\WINDOWS\TEMP\b122.exe
C:\Program Files\ipwins\ipwins.exe
C:\Temp\Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3C75813A-0942-1033-0819-040405260001}\MyToolBar.dll
O4 - HKLM\..\Run: [KEM] "C:\Program Files\Logitech\SetPoint\KEM.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvweg.dll,startup
O4 - HKLM\..\Run: [wwmexhe.dll] "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\wwmexhe.dll,mkqeunb
O4 - HKLM\..\Run: [1pop06apelt3] C:\WINDOWS\octeltpop.exe
O4 - HKLM\..\Run: [whob136c] RUNDLL32.EXE w01b297d.dll,n 006b13660000000201b297d
O4 - HKLM\..\Run: [ms0543526-3278] C:\WINDOWS\ms0543526-3278.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\lwinroem.exe ELT001
O4 - HKLM\..\Run: [{58-81-13-3A-ZN}] c:\windows\system32\dwdsregt.exe ELT001
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\RunServices: [Mircosoft Windows Developer Enviroment] devenv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\nqdsregj.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\lwinroem.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Secure Online Account Numbers - {F74E75A5-96BF-40ef-A1C8-88EAEBB82AB6} - C:\Program Files\Secure Online Account Numbers\SOAN.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: Canon PIXMA iP6000D Memory Card Manager (PDUiP6000DMemCrdMgr) - CANON INC. - C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\SYSTEM32\RadClock.exe (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe



#2 rack04

rack04
  • Topic Starter

  • Members
  • 16 posts

Posted 04 November 2006 - 04:47 PM

Several programs are being installed, including toolbar888, think ads search assistant, and oin.

AVG reports trojan download.generic2.tuj.

Folders are being created in My Documents called AppPatch, system, Symatec, system32, oracle, microsoft, and microsoft.net.

Every time I run AVG, remove the trojan and restart, the trojan comes back.

Arrgh this stinks.

Edited by rack04, 04 November 2006 - 04:59 PM.


#3 rack04

rack04
  • Topic Starter

  • Members
  • 16 posts

Posted 04 November 2006 - 09:19 PM

Sorry for the multiple posts, but are there any other logs that I can post to better help with the diagnosis?

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 04 November 2006 - 11:25 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you.

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 rack04

rack04
  • Topic Starter

  • Members
  • 16 posts

Posted 04 November 2006 - 11:49 PM

Thank you very much for your reply. Here is an example of what I'm seeing in the system tray.

[screenshot of the system tray]

I will run the program you requested and report back.

#6 rack04

rack04
  • Topic Starter

  • Members
  • 16 posts

Posted 04 November 2006 - 11:59 PM

Is it typical for combofix to shut down?

Justin Rackley - 06-11-04 22:48:16.78 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Justin Rackley\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-10-04 to 2006-11-04 ))))))))))))))))))))))))))))))))))


2006-11-04 22:35 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-04 20:31 40,973 ---hs---- C:\WINDOWS\system32\rqrqoom.dll
2006-11-04 16:36 752,823 ---hs---- C:\WINDOWS\system32\prqss.bak2
2006-11-04 16:36 752,394 ---hs---- C:\WINDOWS\system32\prqss.ini2
2006-11-04 16:10 5,888 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
2006-11-04 16:10 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll
2006-11-04 16:10 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2006-11-04 16:10 127,488 --------- C:\WINDOWS\system32\drivers\imagesrv.sys
2006-11-04 15:36 40,973 ---hs---- C:\WINDOWS\system32\rqrsqon.dll
2006-11-04 12:45 59,392 --a------ C:\WINDOWS\system32\drvweg.dll
2006-11-04 12:45 40,973 ---hs---- C:\WINDOWS\system32\qomjhee.dll
2006-11-04 12:29 50,048 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2006-11-04 12:28 90,112 --a------ C:\WINDOWS\system32\RegDACL.exe
2006-11-04 12:28 4,096 --a------ C:\WINDOWS\system32\reboot.exe
2006-11-04 12:28 38,400 --a------ C:\WINDOWS\system32\moveex.exe
2006-11-04 12:19 752,231 ---hs---- C:\WINDOWS\system32\prqss.bak1
2006-11-04 12:19 692,276 ---hs---- C:\WINDOWS\system32\ssqrp.dll
2006-11-04 12:19 60,436 --a------ C:\WINDOWS\system32\bplejmsy.dll
2006-11-04 12:19 110,612 --a------ C:\WINDOWS\system32\iqkplvor.exe
2006-11-04 11:42 684,032 --a------ C:\WINDOWS\system32\libeay32.dll
2006-11-04 11:42 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2006-11-04 11:42 155,648 --a------ C:\WINDOWS\system32\ssleay32.dll
2006-11-04 11:34 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-11-04 11:34 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-11-04 11:34 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-11-04 11:34 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-11-04 10:31 93,696 --a------ C:\WINDOWS\system32\wwmexhe.dll
2006-11-04 10:31 72,704 --a------ C:\WINDOWS\system32\zwijpol.dll
2006-11-04 10:31 59,392 --a------ C:\WINDOWS\system32\drvkud.dll
2006-11-04 10:31 40,973 ---hs---- C:\WINDOWS\system32\ssqpmkh.dll
2006-11-04 10:31 15,872 --------- C:\WINDOWS\system32\winwea32.dll
2006-11-03 12:33 5,120 --a------ C:\WINDOWS\system32\ff_vfw.dll
2006-11-03 00:16 516,096 --------- C:\WINDOWS\system32\ati2sgag.exe
2006-11-02 19:45 451,072 C:\WINDOWSRadeon Omega Drivers v3.8.291 Uninstall.exe
2006-10-31 22:25 31,878 --a------ C:\WINDOWS\system32\xvid-uninstall.exe
2006-10-31 20:02 200,704 --a------ C:\WINDOWS\system32\xvidvfw.dll
2006-10-31 19:56 1,097,728 --a------ C:\WINDOWS\system32\xvidcore.dll
2006-10-20 11:42 20,096 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
2006-10-08 20:44 24,576 --a------ C:\WINDOWS\system32\STKIT432.DLL


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-04 22:35 -------- d-------- C:\Program Files\Grisoft
2006-11-04 22:29 -------- d-------- C:\Program Files\HiJackThis
2006-11-04 22:15 -------- d-------- C:\Program Files\Windows Defender
2006-11-04 22:15 -------- d-------- C:\Program Files\Spyware Doctor
2006-11-04 22:10 -------- d-------- C:\Program Files\Microsoft ActiveSync
2006-11-04 22:08 -------- d-------- C:\Program Files\Internet Explorer
2006-11-04 22:08 -------- d-------- C:\Program Files\DAEMON Tools
2006-11-04 21:15 -------- d-------- C:\Program Files\Common Files
2006-11-04 16:10 -------- d-------- C:\Program Files\Common Files\Ahead
2006-11-04 16:10 -------- d-------- C:\Program Files\Ahead
2006-11-04 12:56 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\šasks
2006-11-04 12:56 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\šasks
2006-11-04 12:56 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\šasks
2006-11-04 12:55 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\?ymbols
2006-11-04 12:54 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\S?mantec
2006-11-04 12:54 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\S?mantec
2006-11-04 12:50 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\s?stem32
2006-11-04 12:50 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\s?stem32
2006-11-04 12:50 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\s?mbols
2006-11-04 12:50 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\s?mbols
2006-11-04 12:50 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\F?nts
2006-11-04 12:50 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\F?nts
2006-11-04 12:49 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\WholeSecurity
2006-11-04 12:49 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\M?crosoft.NET
2006-11-04 12:49 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\M?crosoft.NET
2006-11-04 12:49 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\A?pPatch
2006-11-04 12:49 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\A?pPatch
2006-11-04 12:49 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\?ystem32
2006-11-04 12:49 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\?racle
2006-11-04 12:49 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\?racle
2006-11-04 12:49 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\?icrosoft.NET
2006-11-04 12:48 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\W?nSxS
2006-11-04 12:48 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\a?sembly
2006-11-04 12:48 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\a?sembly
2006-11-04 12:48 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\?ecurity
2006-11-04 12:47 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\Ódobe
2006-11-04 12:47 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\T?sks
2006-11-04 12:47 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\T?sks
2006-11-04 12:47 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\?ystem
2006-11-04 12:47 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\?ymantec
2006-11-04 12:46 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\ÓppPatch
2006-11-04 12:46 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\ÓppPatch
2006-11-04 12:46 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\ÓppPatch
2006-11-04 12:46 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\s?curity
2006-11-04 12:46 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\s?curity
2006-11-04 12:46 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\?ssembly
2006-11-04 12:45 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\s?stem
2006-11-04 12:45 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\s?stem
2006-11-04 12:31 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\Azureus
2006-11-04 12:29 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\PC Tools
2006-11-04 12:19 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\SearchToolbarCorp
2006-11-03 23:28 -------- d-------- C:\Program Files\avc2avi
2006-11-03 13:39 -------- d-------- C:\Program Files\Logitech
2006-11-03 13:28 86016 --a------ C:\WINDOWS\system32\OpenAL32.dll
2006-11-03 13:28 262144 --a------ C:\WINDOWS\system32\wrap_oal.dll
2006-11-03 13:26 -------- d-------- C:\Program Files\Futuremark
2006-11-03 12:33 -------- d-------- C:\Program Files\ffdshow
2006-11-03 00:20 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\atitray
2006-11-03 00:16 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-03 00:15 451072 --a------ C:\WINDOWS\Radeon Omega Drivers v3.8.291 Uninstall.exe
2006-11-03 00:15 -------- d-------- C:\Program Files\Radeon Omega Drivers
2006-11-03 00:04 611064 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2006-11-03 00:01 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\Microsoft
2006-11-03 00:01 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\Microsoft
2006-11-03 00:01 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\Microsoft
2006-11-03 00:01 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\Microsoft
2006-11-02 21:54 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\ATI
2006-11-01 20:50 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\RipIt4Me
2006-10-29 20:57 -------- d-------- C:\Program Files\Registry Mechanic
2006-10-26 06:16 -------- d-------- C:\Program Files\DVD Decrypter
2006-10-24 20:19 -------- d-------- C:\Program Files\YAMB
2006-10-24 20:04 -------- d-------- C:\Program Files\CoreCodec
2006-10-24 19:57 -------- d-------- C:\Program Files\Haali
2006-10-24 17:29 -------- d-------- C:\Program Files\Ripit4me
2006-10-23 17:28 -------- d-------- C:\Program Files\MeGUI
2006-10-22 08:31 145 ---hs---- C:\Documents and Settings\Justin Rackley\Application Data\.zreglib
2006-10-22 08:31 -------- d-------- C:\Program Files\SlySoft
2006-10-21 14:14 -------- d-------- C:\Program Files\MediaInfo
2006-10-21 08:29 -------- d-------- C:\Program Files\DVD-RB PRO
2006-10-16 20:59 -------- d-------- C:\Program Files\GSpot
2006-10-12 17:34 120 --a------ C:\Documents and Settings\Justin Rackley\Application Data\FixVTS.ini
2006-10-05 05:42 333 --a------ C:\Documents and Settings\Justin Rackley\Application Data\AutoGK.ini
2006-10-04 22:01 -------- d-------- C:\Program Files\BeLight
2006-10-04 17:13 -------- d-------- C:\Program Files\Tranzcode
2006-10-03 22:01 -------- d-------- C:\Program Files\Audio2wav
2006-10-01 14:33 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\CoreCodec
2006-10-01 08:21 -------- d-------- C:\Program Files\DVD-RB Opt
2006-10-01 08:19 -------- d-------- C:\Program Files\DVD-RB Matrix Editor
2006-09-27 15:41 778656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-09-18 19:31 -------- d-------- C:\Program Files\PgcEdit
2006-09-15 14:26 -------- d-------- C:\Program Files\VirtualDub
2006-09-14 21:42 -------- d-------- C:\Program Files\AviSynth 2.5
2006-09-12 23:01 1084416 --------- C:\WINDOWS\system32\msxml3.dll
2006-09-11 18:47 -------- d-------- C:\Program Files\VirtualDubMod
2006-09-11 18:39 -------- d-------- C:\Program Files\ImgBurn
2006-09-11 18:39 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\ImgBurn
2006-09-10 20:58 -------- d-------- C:\Program Files\Google
2006-09-10 20:58 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\Google
2006-09-10 08:42 -------- d-------- C:\Program Files\CCleaner
2006-09-08 19:39 -------- d-------- C:\Program Files\Custom Technology
2006-09-08 19:33 14848 --a------ C:\WINDOWS\system32\BASSMOD.dll
2006-09-04 07:18 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\Elaborate Bytes
2006-09-04 07:06 -------- d-------- C:\Program Files\DVD Identifier
2006-08-25 09:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-22 21:11 307200 --a------ C:\WINDOWS\system32\atiiiexx.dll
2006-08-22 20:53 260096 --a------ C:\WINDOWS\system32\ati2dvag.dll
2006-08-22 20:47 114688 --a------ C:\WINDOWS\system32\atipdlxx.dll
2006-08-22 20:46 86016 --a------ C:\WINDOWS\system32\ati2evxx.dll
2006-08-22 20:46 77824 --a------ C:\WINDOWS\system32\Oemdspif.dll
2006-08-22 20:46 41984 --a------ C:\WINDOWS\system32\ati2edxx.dll
2006-08-22 20:46 26112 --a------ C:\WINDOWS\system32\Ati2mdxx.exe
2006-08-22 20:45 413696 --a------ C:\WINDOWS\system32\ati2evxx.exe
2006-08-22 20:44 53248 --a------ C:\WINDOWS\system32\ATIDDC.DLL
2006-08-22 20:38 2401984 --a------ C:\WINDOWS\system32\ati3duag.dll
2006-08-22 20:33 303104 --a------ C:\WINDOWS\system32\ATIDEMGR.dll
2006-08-22 20:33 2510752 --a------ C:\WINDOWS\system32\ativvaxx.dll
2006-08-22 20:27 6684672 --a------ C:\WINDOWS\system32\atioglx1.dll
2006-08-22 20:24 5140480 --a------ C:\WINDOWS\system32\atioglxx.dll
2006-08-22 20:21 221184 --a------ C:\WINDOWS\system32\atikvmag.dll
2006-08-22 20:19 17408 --a------ C:\WINDOWS\system32\atitvo32.dll
2006-08-22 20:14 290816 --a------ C:\WINDOWS\system32\ati2cqag.dll
2006-08-21 06:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 03:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 05:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"H/PC Connection Agent"="\"C:\\PROGRA~1\\MICROS~3\\wcescomm.exe\""
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"KEM"="\"C:\\Program Files\\Logitech\\SetPoint\\KEM.exe\""
"KernelFaultCheck"="C:\\WINDOWS\\system32\\dumprep 0 -k"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"RegistryMechanic"=""
"NVMixerTray"="\"C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
"AtiPTA"="atiptaxx.exe"
"CTDrive"="rundll32.exe C:\\WINDOWS\\system32\\drvweg.dll,startup"
"wwmexhe.dll"="\"C:\\WINDOWS\\system32\\rundll32.exe\" C:\\WINDOWS\\system32\\wwmexhe.dll,mkqeunb"
"1pop06apelt3"="C:\\WINDOWS\\octeltpop.exe"
"whob136c"="RUNDLL32.EXE w01b297d.dll,n 006b13660000000201b297d"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Mircosoft Windows Developer Enviroment"="devenv.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\

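The Application Data folders in the ComboFix listing above (S?mantec, ?racle, Ódobe, ÓppPatch and the rest) are not the real Symantec, Oracle or Adobe folders: each one spells a trusted name with a single character swapped for a non-ASCII lookalike, which ComboFix prints either as the raw glyph or as "?" (a character that cannot legally appear in a Windows file name). The Python below is an added example, not part of this thread or of ComboFix, that detects that pattern by comparing each directory name against a small allowlist of legitimate folder names and reporting which code point was substituted. The allowlist is an assumption for this example; the sample listing reproduces the names exactly as the log above renders them.

```python
import unicodedata
from typing import Dict, List, Optional

# Assumption: a hand-picked allowlist of folder names a Windows XP profile or
# system directory legitimately contains; extend it for a real host.
KNOWN_NAMES = ["Tasks", "Symantec", "system32", "symbols", "Fonts",
               "Microsoft.NET", "AppPatch", "oracle", "WinSxS", "assembly",
               "security", "Adobe", "system", "Microsoft"]


def is_substituted(ch: str) -> bool:
    """True for a character that cannot belong to the name it sits in:
    '?' is illegal in Windows file names (ComboFix prints it for glyphs it
    cannot render), and a non-ASCII character inside an otherwise English
    system/vendor folder name is a homoglyph until proven otherwise."""
    return ch == "?" or ord(ch) > 0x7F


def non_ascii_chars(name: str) -> List[Dict[str, str]]:
    """Describe each non-ASCII code point in *name* so the analyst can see
    exactly which glyph was used (e.g. U+00D3 LATIN CAPITAL LETTER O WITH ACUTE)."""
    return [{"char": ch, "codepoint": f"U+{ord(ch):04X}",
             "name": unicodedata.name(ch, "UNKNOWN")}
            for ch in name if ord(ch) > 0x7F]


def lookalike_of(name: str, known: List[str] = KNOWN_NAMES) -> Optional[str]:
    """Return the allowlisted name that *name* imitates, or None.
    A lookalike has the same length as a known name, differs from it
    (case-insensitively) in exactly one position, and the differing
    character is a substituted one: the "S?mantec", "?racle" and "Ódobe"
    pattern in the ComboFix listing."""
    for real in known:
        if len(real) != len(name) or real.lower() == name.lower():
            continue
        diffs = [i for i, (a, b) in enumerate(zip(name.lower(), real.lower())) if a != b]
        if len(diffs) == 1 and is_substituted(name[diffs[0]]):
            return real
    return None


def find_lookalikes(names: List[str]) -> List[Dict[str, object]]:
    """Scan a directory listing and report every lookalike together with
    the real name it imitates and the offending code points."""
    findings = []
    for n in names:
        real = lookalike_of(n)
        if real is not None:
            findings.append({"name": n, "imitates": real, "chars": non_ascii_chars(n)})
    return findings


# Constructed sample: folder names exactly as the ComboFix listing above
# renders them, plus a few ordinary names from the same listing.
SAMPLE_LISTING = [
    "Microsoft", "Azureus", "PC Tools", "SearchToolbarCorp",
    "šasks", "?ymbols", "S?mantec", "s?stem32", "F?nts",
    "M?crosoft.NET", "?racle", "Ódobe", "T?sks", "ÓppPatch",
]

if __name__ == "__main__":
    for hit in find_lookalikes(SAMPLE_LISTING):
        glyphs = ", ".join(f"{c['codepoint']} {c['name']}" for c in hit["chars"]) or "rendered as '?'"
        print(f"{hit['name']!r:20} imitates {hit['imitates']:15} ({glyphs})")
```

Every one of the ten substituted names in the sample is caught, and the ordinary names are not. Run against a live file system rather than a log, the "?" branch is unnecessary because the real code point is available, and the Unicode name in the report tells you immediately whether you are looking at an accented Latin letter or a Cyrillic one.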
#7 rack04

rack04
  • Topic Starter

  • Members
  • 16 posts

Posted 05 November 2006 - 12:10 AM

Each time I restart, it states that it is unable to find w01b297d.dll.

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 05 November 2006 - 09:57 AM

Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3C75813A-0942-1033-0819-040405260001}\MyToolBar.dll
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvweg.dll,startup
O4 - HKLM\..\Run: [wwmexhe.dll] "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\wwmexhe.dll,mkqeunb
O4 - HKLM\..\Run: [1pop06apelt3] C:\WINDOWS\octeltpop.exe
O4 - HKLM\..\Run: [whob136c] RUNDLL32.EXE w01b297d.dll,n 006b13660000000201b297d
O4 - HKLM\..\Run: [ms0543526-3278] C:\WINDOWS\ms0543526-3278.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\lwinroem.exe ELT001
O4 - HKLM\..\Run: [{58-81-13-3A-ZN}] c:\windows\system32\dwdsregt.exe ELT001
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\RunServices: [Mircosoft Windows Developer Enviroment] devenv.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\nqdsregj.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\lwinroem.exe



Reboot your computer.


==============


Click Start -> Run
Copy the command below and paste it into the Run box and click Ok.

"%userprofile%\desktop\combofix.exe" /v ssqrp

When it's done running it will produce a log for you. Please post that log in your next reply.
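The fix list above was built by eye from the indicators an experienced helper looks for: a populated RunServices key, rundll32 loading DLLs with random names or no directory at all, executables sitting directly in C:\WINDOWS or in system32 under names that belong to no known product, Startup shortcuts pointing into system32, and entry names that are either random strings or misspelled vendor names. The Python below is an added example, not part of this thread or of HijackThis, that encodes those same indicators as a scoring pass over the O4 lines of the first log in this thread. The system-root path, the allowlist of legitimate system autostarts, the misspelled-vendor tokens and the weights are assumptions chosen for this example.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumptions for this example: the machine in the thread is Windows XP with
# %SystemRoot% = C:\WINDOWS, and KNOWN_SYSTEM_AUTOSTARTS is a hand-picked
# allowlist of system binaries that legitimately autostart from there.
SYSTEM_ROOT = r"c:\windows"
SYSTEM32 = SYSTEM_ROOT + r"\system32"
KNOWN_SYSTEM_AUTOSTARTS = {"ctfmon", "dumprep", "rundll32"}
MISSPELLED_VENDOR_TOKENS = ("mircosoft", "micosoft", "enviroment")  # assumption

O4_ENTRY = re.compile(r"^O4 - (?P<loc>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O4_STARTUP = re.compile(r"^O4 - (?P<loc>(?:Global )?Startup): (?P<name>.+?\.lnk) = (?P<cmd>.+)$")
GUID = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


@dataclass
class Finding:
    location: str
    name: str
    target: str            # the file that actually gets loaded
    indicators: List[str] = field(default_factory=list)
    score: int = 0


def first_token(cmd: str) -> Tuple[str, str]:
    """Split a Run-value command line into its first argument (which may be
    quoted and contain spaces) and the remaining arguments."""
    cmd = cmd.strip()
    end = cmd.find('"', 1) if cmd.startswith('"') else -1
    if end != -1:
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def payload_path(cmd: str) -> Tuple[str, bool]:
    """Return (loaded file, via_rundll32). For rundll32 the real payload is
    the DLL named before the comma, not rundll32.exe itself."""
    target, rest = first_token(cmd)
    if ntpath.basename(target).lower() == "rundll32.exe" and rest:
        return first_token(rest)[0].split(",", 1)[0], True
    return target, False


def score_entry(location: str, name: str, cmd: str) -> Finding:
    """Apply path- and name-based indicators to one O4 entry. The weights
    are a judgement call for this example, not a published scheme."""
    path, via_rundll32 = payload_path(cmd)
    f = Finding(location, name, path)
    directory = ntpath.dirname(path.lower().replace("/", "\\")).rstrip("\\")
    stem = ntpath.splitext(ntpath.basename(path.lower()))[0]

    def hit(tag: str, weight: int) -> None:
        f.indicators.append(tag)
        f.score += weight

    if location.lower().endswith("runservices"):
        hit("runservices-key", 3)          # Win9x-era key; odd to see populated on XP
    if via_rundll32:
        hit("rundll32-loader", 2)
    if directory == "":
        hit("no-directory", 1)             # resolved through the search path
    elif directory == SYSTEM_ROOT:
        hit("exe-in-windows-root", 2)
    elif directory == SYSTEM32 and stem not in KNOWN_SYSTEM_AUTOSTARTS:
        hit("unknown-in-system32", 2)
    if "startup" in location.lower() and directory in (SYSTEM_ROOT, SYSTEM32):
        hit("startup-lnk-into-system-dir", 2)
    if any(tok in name.lower() for tok in MISSPELLED_VENDOR_TOKENS):
        hit("misspelled-vendor", 2)
    if sum(ch.isdigit() for ch in name) >= 3 or (name.startswith("{") and not GUID.match(name)):
        hit("random-looking-name", 1)
    return f


def triage(log_text: str) -> List[Finding]:
    """Parse every O4 line of a HijackThis log and rank the entries by score."""
    findings = []
    for line in log_text.splitlines():
        m = O4_ENTRY.match(line.strip()) or O4_STARTUP.match(line.strip())
        if m:
            findings.append(score_entry(m["loc"], m["name"], m["cmd"]))
    return sorted(findings, key=lambda f: f.score, reverse=True)


def flagged_names(log_text: str, threshold: int = 2) -> List[str]:
    return [f.name for f in triage(log_text) if f.score >= threshold]


# O4 lines copied from the first HijackThis log in this thread.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [KEM] "C:\Program Files\Logitech\SetPoint\KEM.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvweg.dll,startup
O4 - HKLM\..\Run: [whob136c] RUNDLL32.EXE w01b297d.dll,n 006b13660000000201b297d
O4 - HKLM\..\Run: [ms0543526-3278] C:\WINDOWS\ms0543526-3278.exe
O4 - HKLM\..\Run: [{58-81-13-3A-ZN}] c:\windows\system32\dwdsregt.exe ELT001
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\RunServices: [Mircosoft Windows Developer Enviroment] devenv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\nqdsregj.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f.score:2d}  {f.name:40s} {f.target}  {', '.join(f.indicators)}")
```

Run over those lines, the RunServices entry scores highest and every entry in the fix list clears the threshold except two: KernelFaultCheck, which is the harmless `dumprep 0 -k` leftover Windows writes after a crash, and IpWins, which lives under Program Files and so shows none of the path indicators. Adware that installs like an ordinary program has to be recognised by name or by AV detection, not by where it sits; path heuristics like these only rank the candidates for a human to confirm.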

#9 rack04

rack04
  • Topic Starter

  • Members
  • 16 posts

Posted 05 November 2006 - 12:07 PM

Here is my new HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:01:43 AM, on 11/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~3\wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HiJackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...ER}&ar=home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [KEM] "C:\Program Files\Logitech\SetPoint\KEM.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Secure Online Account Numbers - {F74E75A5-96BF-40ef-A1C8-88EAEBB82AB6} - C:\Program Files\Secure Online Account Numbers\SOAN.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: Canon PIXMA iP6000D Memory Card Manager (PDUiP6000DMemCrdMgr) - CANON INC. - C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\SYSTEM32\RadClock.exe (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

Here is my new ComboFix log:

Justin Rackley - 06-11-05 10:56:30.65 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Justin Rackley\desktop"
Command switches used :: /v vssqrp

((((((((((((((((((((((((((((((( Files Created from 2006-10-05 to 2006-11-05 ))))))))))))))))))))))))))))))))))


2006-11-05 10:52 752,394 ---hs---- C:\WINDOWS\system32\prqss.ini2
2006-11-04 22:35 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-04 20:31 40,973 ---hs---- C:\WINDOWS\system32\rqrqoom.dll
2006-11-04 16:36 753,095 ---hs---- C:\WINDOWS\system32\prqss.bak2
2006-11-04 16:10 5,888 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
2006-11-04 16:10 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll
2006-11-04 16:10 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2006-11-04 16:10 127,488 --------- C:\WINDOWS\system32\drivers\imagesrv.sys
2006-11-04 15:36 40,973 ---hs---- C:\WINDOWS\system32\rqrsqon.dll
2006-11-04 12:45 59,392 --a------ C:\WINDOWS\system32\drvweg.dll
2006-11-04 12:45 40,973 ---hs---- C:\WINDOWS\system32\qomjhee.dll
2006-11-04 12:29 50,048 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2006-11-04 12:28 90,112 --a------ C:\WINDOWS\system32\RegDACL.exe
2006-11-04 12:28 4,096 --a------ C:\WINDOWS\system32\reboot.exe
2006-11-04 12:28 38,400 --a------ C:\WINDOWS\system32\moveex.exe
2006-11-04 12:19 752,231 ---hs---- C:\WINDOWS\system32\prqss.bak1
2006-11-04 12:19 692,276 ---hs---- C:\WINDOWS\system32\ssqrp.dll
2006-11-04 12:19 60,436 --a------ C:\WINDOWS\system32\bplejmsy.dll
2006-11-04 12:19 110,612 --a------ C:\WINDOWS\system32\iqkplvor.exe
2006-11-04 11:42 684,032 --a------ C:\WINDOWS\system32\libeay32.dll
2006-11-04 11:42 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2006-11-04 11:42 155,648 --a------ C:\WINDOWS\system32\ssleay32.dll
2006-11-04 11:34 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-11-04 11:34 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-11-04 11:34 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-11-04 11:34 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-11-04 10:31 93,696 --a------ C:\WINDOWS\system32\wwmexhe.dll
2006-11-04 10:31 72,704 --a------ C:\WINDOWS\system32\zwijpol.dll
2006-11-04 10:31 59,392 --a------ C:\WINDOWS\system32\drvkud.dll
2006-11-04 10:31 40,973 ---hs---- C:\WINDOWS\system32\ssqpmkh.dll
2006-11-04 10:31 15,872 --------- C:\WINDOWS\system32\winwea32.dll
2006-11-03 12:33 5,120 --a------ C:\WINDOWS\system32\ff_vfw.dll
2006-11-03 00:16 516,096 --------- C:\WINDOWS\system32\ati2sgag.exe
2006-11-02 19:45 451,072 C:\WINDOWS\Radeon Omega Drivers v3.8.291 Uninstall.exe
2006-10-31 22:25 31,878 --a------ C:\WINDOWS\system32\xvid-uninstall.exe
2006-10-31 20:02 200,704 --a------ C:\WINDOWS\system32\xvidvfw.dll
2006-10-31 19:56 1,097,728 --a------ C:\WINDOWS\system32\xvidcore.dll
2006-10-20 11:42 20,096 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
2006-10-08 20:44 24,576 --a------ C:\WINDOWS\system32\STKIT432.DLL


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-05 10:48 -------- d-------- C:\Program Files\HiJackThis
2006-11-04 22:35 -------- d-------- C:\Program Files\Grisoft
2006-11-04 22:15 -------- d-------- C:\Program Files\Windows Defender
2006-11-04 22:15 -------- d-------- C:\Program Files\Spyware Doctor
2006-11-04 22:10 -------- d-------- C:\Program Files\Microsoft ActiveSync
2006-11-04 22:08 -------- d-------- C:\Program Files\Internet Explorer
2006-11-04 22:08 -------- d-------- C:\Program Files\DAEMON Tools
2006-11-04 21:15 -------- d-------- C:\Program Files\Common Files
2006-11-04 16:10 -------- d-------- C:\Program Files\Common Files\Ahead
2006-11-04 16:10 -------- d-------- C:\Program Files\Ahead
2006-11-04 12:56 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\šasks
2006-11-04 12:56 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\šasks
2006-11-04 12:56 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\šasks
2006-11-04 12:55 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\?ymbols
2006-11-04 12:54 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\S?mantec
2006-11-04 12:54 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\S?mantec
2006-11-04 12:50 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\s?stem32
2006-11-04 12:50 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\s?stem32
2006-11-04 12:50 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\s?mbols
2006-11-04 12:50 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\s?mbols
2006-11-04 12:50 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\F?nts
2006-11-04 12:50 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\F?nts
2006-11-04 12:49 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\WholeSecurity
2006-11-04 12:49 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\M?crosoft.NET
2006-11-04 12:49 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\M?crosoft.NET
2006-11-04 12:49 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\A?pPatch
2006-11-04 12:49 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\A?pPatch
2006-11-04 12:49 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\?ystem32
2006-11-04 12:49 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\?racle
2006-11-04 12:49 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\?racle
2006-11-04 12:49 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\?icrosoft.NET
2006-11-04 12:48 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\W?nSxS
2006-11-04 12:48 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\a?sembly
2006-11-04 12:48 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\a?sembly
2006-11-04 12:48 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\?ecurity
2006-11-04 12:47 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\Ódobe
2006-11-04 12:47 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\T?sks
2006-11-04 12:47 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\T?sks
2006-11-04 12:47 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\?ystem
2006-11-04 12:47 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\?ymantec
2006-11-04 12:46 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\ÓppPatch
2006-11-04 12:46 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\ÓppPatch
2006-11-04 12:46 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\ÓppPatch
2006-11-04 12:46 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\s?curity
2006-11-04 12:46 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\s?curity
2006-11-04 12:46 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\?ssembly
2006-11-04 12:45 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\s?stem
2006-11-04 12:45 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\s?stem
2006-11-04 12:31 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\Azureus
2006-11-04 12:29 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\PC Tools
2006-11-04 12:19 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\SearchToolbarCorp
2006-11-03 23:28 -------- d-------- C:\Program Files\avc2avi
2006-11-03 13:39 -------- d-------- C:\Program Files\Logitech
2006-11-03 13:28 86016 --a------ C:\WINDOWS\system32\OpenAL32.dll
2006-11-03 13:28 262144 --a------ C:\WINDOWS\system32\wrap_oal.dll
2006-11-03 13:26 -------- d-------- C:\Program Files\Futuremark
2006-11-03 12:33 -------- d-------- C:\Program Files\ffdshow
2006-11-03 00:20 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\atitray
2006-11-03 00:16 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-03 00:15 451072 --a------ C:\WINDOWS\Radeon Omega Drivers v3.8.291 Uninstall.exe
2006-11-03 00:15 -------- d-------- C:\Program Files\Radeon Omega Drivers
2006-11-03 00:04 611064 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2006-11-03 00:01 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\Microsoft
2006-11-03 00:01 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\Microsoft
2006-11-03 00:01 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\Microsoft
2006-11-03 00:01 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\Microsoft
2006-11-02 21:54 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\ATI
2006-11-01 20:50 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\RipIt4Me
2006-10-29 20:57 -------- d-------- C:\Program Files\Registry Mechanic
2006-10-26 06:16 -------- d-------- C:\Program Files\DVD Decrypter
2006-10-24 20:19 -------- d-------- C:\Program Files\YAMB
2006-10-24 20:04 -------- d-------- C:\Program Files\CoreCodec
2006-10-24 19:57 -------- d-------- C:\Program Files\Haali
2006-10-24 17:29 -------- d-------- C:\Program Files\Ripit4me
2006-10-23 17:28 -------- d-------- C:\Program Files\MeGUI
2006-10-22 08:31 145 ---hs---- C:\Documents and Settings\Justin Rackley\Application Data\.zreglib
2006-10-22 08:31 -------- d-------- C:\Program Files\SlySoft
2006-10-21 14:14 -------- d-------- C:\Program Files\MediaInfo
2006-10-21 08:29 -------- d-------- C:\Program Files\DVD-RB PRO
2006-10-16 20:59 -------- d-------- C:\Program Files\GSpot
2006-10-12 17:34 120 --a------ C:\Documents and Settings\Justin Rackley\Application Data\FixVTS.ini
2006-10-05 05:42 333 --a------ C:\Documents and Settings\Justin Rackley\Application Data\AutoGK.ini
2006-10-04 22:01 -------- d-------- C:\Program Files\BeLight
2006-10-04 17:13 -------- d-------- C:\Program Files\Tranzcode
2006-10-03 22:01 -------- d-------- C:\Program Files\Audio2wav
2006-10-01 14:33 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\CoreCodec
2006-10-01 08:21 -------- d-------- C:\Program Files\DVD-RB Opt
2006-10-01 08:19 -------- d-------- C:\Program Files\DVD-RB Matrix Editor
2006-09-27 15:41 778656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-09-18 19:31 -------- d-------- C:\Program Files\PgcEdit
2006-09-15 14:26 -------- d-------- C:\Program Files\VirtualDub
2006-09-14 21:42 -------- d-------- C:\Program Files\AviSynth 2.5
2006-09-12 23:01 1084416 --------- C:\WINDOWS\system32\msxml3.dll
2006-09-11 18:47 -------- d-------- C:\Program Files\VirtualDubMod
2006-09-11 18:39 -------- d-------- C:\Program Files\ImgBurn
2006-09-11 18:39 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\ImgBurn
2006-09-10 20:58 -------- d-------- C:\Program Files\Google
2006-09-10 20:58 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\Google
2006-09-10 08:42 -------- d-------- C:\Program Files\CCleaner
2006-09-08 19:39 -------- d-------- C:\Program Files\Custom Technology
2006-09-08 19:33 14848 --a------ C:\WINDOWS\system32\BASSMOD.dll
2006-08-25 09:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-22 21:11 307200 --a------ C:\WINDOWS\system32\atiiiexx.dll
2006-08-22 20:53 260096 --a------ C:\WINDOWS\system32\ati2dvag.dll
2006-08-22 20:47 114688 --a------ C:\WINDOWS\system32\atipdlxx.dll
2006-08-22 20:46 86016 --a------ C:\WINDOWS\system32\ati2evxx.dll
2006-08-22 20:46 77824 --a------ C:\WINDOWS\system32\Oemdspif.dll
2006-08-22 20:46 41984 --a------ C:\WINDOWS\system32\ati2edxx.dll
2006-08-22 20:46 26112 --a------ C:\WINDOWS\system32\Ati2mdxx.exe
2006-08-22 20:45 413696 --a------ C:\WINDOWS\system32\ati2evxx.exe
2006-08-22 20:44 53248 --a------ C:\WINDOWS\system32\ATIDDC.DLL
2006-08-22 20:38 2401984 --a------ C:\WINDOWS\system32\ati3duag.dll
2006-08-22 20:33 303104 --a------ C:\WINDOWS\system32\ATIDEMGR.dll
2006-08-22 20:33 2510752 --a------ C:\WINDOWS\system32\ativvaxx.dll
2006-08-22 20:27 6684672 --a------ C:\WINDOWS\system32\atioglx1.dll
2006-08-22 20:24 5140480 --a------ C:\WINDOWS\system32\atioglxx.dll
2006-08-22 20:21 221184 --a------ C:\WINDOWS\system32\atikvmag.dll
2006-08-22 20:19 17408 --a------ C:\WINDOWS\system32\atitvo32.dll
2006-08-22 20:14 290816 --a------ C:\WINDOWS\system32\ati2cqag.dll
2006-08-21 06:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 03:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 05:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"H/PC Connection Agent"="\"C:\\PROGRA~1\\MICROS~3\\wcescomm.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"KEM"="\"C:\\Program Files\\Logitech\\SetPoint\\KEM.exe\""
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"RegistryMechanic"=""
"NVMixerTray"="\"C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
"AtiPTA"="atiptaxx.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG Free\\avgw.exe /RUNONCE"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG Free\\avgw.exe /RUNONCE"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{F7999166-FDE6-49DA-9AFC-1F6A79E9D1F2}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000000
"NoDrives"=dword:00000000
"NoViewOnDrive"=dword:00000000
"NoLogoff"=dword:00000000
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Harmony Remote.lnk]
"backup"="C:\\WINDOWS\\pss\\Logitech Harmony Remote.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Logitech\\Harmony Remote\\harmonyClient.exe "
"item"="Logitech Harmony Remote"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Justin Rackley^Start Menu^Programs^Startup^Adobe Gamma.lnk]
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\Calibration\\Adobe Gamma Loader.exe "
"item"="Adobe Gamma"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Justin Rackley^Start Menu^Programs^Startup^Shortcut to AnyDVD.lnk]
"backup"="C:\\WINDOWS\\pss\\Shortcut to AnyDVD.lnkStartup"
"location"="Startup"
"command"="c:\\program files\\slysoft\\anydvd\\anydvd.exe "
"item"="Shortcut to AnyDVD"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DkIcon"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDUiP6000DMon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDUiP6000DMon"
"hkey"="HKLM"
"command"="C:\\Program Files\\Canon\\Memory Card Utility\\PIXMA iP6000D\\PDUiP6000DMon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDUiP6000DTskbr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDUiP6000DTskbr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Canon\\Memory Card Utility\\PIXMA iP6000D\\PDUiP6000DTskbr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomjhee
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqrp

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\{3E687F4D-F7F8-45C7-A71E-8BA1648AB293}_HOME-N7E5YNP0TL_Justin Rackley.job
C:\WINDOWS\tasks\{9EC195A3-4D75-4E0B-84FB-047DFA3E2EE6}_HOME-N7E5YNP0TL_Justin Rackley.job
C:\WINDOWS\tasks\{B4F50437-2289-4574-BD47-235FD54A23BF}_HOME-N7E5YNP0TL_Justin Rackley.job

Completion time: 06-11-05 10:58:28.23
C:\ComboFix.txt ... 06-11-05 10:58
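What to read off a listing like the one above (an added note and example, not part of rack04's post and not ComboFix's own code): the entries that matter are the hidden+system (---hs----) DLLs with random seven-letter names dropped straight into system32; a .dll whose name reversed is the stem of the .ini/.bak/.tmp files beside it (ssqrp.dll next to prqss.ini2, prqss.bak1 and prqss.bak2, which is exactly the set VundoFix removes later in the thread); the Winlogon Notify packages that load those DLLs into winlogon.exe at logon, so they cannot be deleted while the system is up; and the Application Data folders whose names copy Windows or vendor folders with one character swapped (S?mantec, s?stem32, Ódobe). The Python below runs those four checks over lines copied from this log. The list of legitimate folder names it compares against is my assumption for the example, not something the tool outputs, and the Winlogon Notify lines are matched on their registry key path as ComboFix prints it.

```python
import re

# Legitimate Windows/vendor folder names the odd Application Data entries imitate.
# This list is an assumption for the example; extend it for other logs.
KNOWN_DIR_NAMES = ["Symantec", "system32", "symbols", "Fonts", "Microsoft.NET",
                   "AppPatch", "Oracle", "WinSxS", "assembly", "security",
                   "Adobe", "Tasks", "system"]

# ComboFix file line: date, time, size (dashes for a directory), 9-character
# attribute field, path.  Winlogon Notify entries are matched on the key path.
FILE_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (\S+) (\S{9}) (.+)$")
NOTIFY_LINE = re.compile(r"\\winlogon\\notify\\([^\\\s]+)\s*$", re.IGNORECASE)

# Constructed sample: lines copied from the ComboFix output in this thread.
SAMPLE_LOG = r"""
2006-11-05 10:52 752,394 ---hs---- C:\WINDOWS\system32\prqss.ini2
2006-11-04 22:35 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-04 20:31 40,973 ---hs---- C:\WINDOWS\system32\rqrqoom.dll
2006-11-04 16:36 753,095 ---hs---- C:\WINDOWS\system32\prqss.bak2
2006-11-04 12:45 40,973 ---hs---- C:\WINDOWS\system32\qomjhee.dll
2006-11-04 12:19 692,276 ---hs---- C:\WINDOWS\system32\ssqrp.dll
2006-11-04 12:19 60,436 --a------ C:\WINDOWS\system32\bplejmsy.dll
2006-11-04 11:42 684,032 --a------ C:\WINDOWS\system32\libeay32.dll
2006-11-04 12:54 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\S?mantec
2006-11-04 12:50 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\s?stem32
2006-11-04 12:47 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\Ódobe
2006-11-04 12:31 -------- d-------- C:\Documents and Settings\Justin Rackley\Application Data\Azureus
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomjhee
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqrp
"""


def parse(log):
    """Split a ComboFix-style log into file records and Winlogon Notify names."""
    files, notify = [], []
    for raw in log.splitlines():
        line = raw.strip()
        m = FILE_LINE.match(line)
        if m:
            attrs, path = m.group(4), m.group(5)
            files.append({"attrs": attrs, "path": path,
                          "name": path.rsplit("\\", 1)[-1],
                          "is_dir": attrs.startswith("d")})
            continue
        m = NOTIFY_LINE.search(line)
        if m:
            notify.append(m.group(1))
    return files, notify


def stem(name):
    return name.rsplit(".", 1)[0].lower()


def in_system32(path):
    p = path.lower()
    return "\\system32\\" in p and "\\system32\\drivers\\" not in p


def lookalike(name):
    """Return the legitimate folder name `name` imitates, or None.  The log
    prints undisplayable code points as '?', so '?' and any non-ASCII character
    are treated as wildcards; a name with no such character is never flagged."""
    if name.isascii() and "?" not in name:
        return None
    pattern = "".join("." if (ord(c) > 127 or c == "?") else re.escape(c.lower())
                      for c in name)
    for known in KNOWN_DIR_NAMES:
        if re.fullmatch(pattern, known.lower()):
            return known
    return None


def analyze(log):
    files, notify = parse(log)
    sys32 = [f for f in files if not f["is_dir"] and in_system32(f["path"])]
    # 1. hidden+system DLLs dropped straight into system32
    hs_dlls = [f["name"] for f in sys32
               if "h" in f["attrs"] and "s" in f["attrs"]
               and f["name"].lower().endswith(".dll")]
    # 2. <name>.dll with <reversed name>.ini/.bak/.tmp companions (ssqrp / prqss)
    by_stem = {}
    for f in sys32:
        by_stem.setdefault(stem(f["name"]), []).append(f["name"])
    pairs = [(d, sorted(by_stem[stem(d)[::-1]])) for d in hs_dlls
             if stem(d)[::-1] in by_stem]
    # 3. Winlogon Notify packages that name one of the new DLLs
    dll_stems = {stem(f["name"]) for f in files if f["name"].lower().endswith(".dll")}
    notify_hits = sorted(n for n in notify if n.lower() in dll_stems)
    # 4. Application Data folders imitating legitimate folder names
    lookalikes = [(f["name"], lookalike(f["name"])) for f in files if f["is_dir"]]
    lookalikes = [(n, k) for n, k in lookalikes if k is not None]
    return {"hidden_system_dlls": hs_dlls,
            "reversed_name_pairs": pairs,
            "winlogon_notify_hits": notify_hits,
            "lookalike_appdata_dirs": lookalikes}


if __name__ == "__main__":
    for key, hits in analyze(SAMPLE_LOG).items():
        print(f"{key}: {hits}")
```

Note that the checks key on attributes and naming rather than on creation date alone: AvgAsCln.sys and bplejmsy.dll were created the same day but are not reported by the attribute or reversal checks (bplejmsy.dll is caught elsewhere in the thread, as a nameless BHO), so the script is a triage aid for reading the log, not a verdict.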

#10 rack04 (Topic Starter)

Posted 05 November 2006 - 01:16 PM

The red exclamation in the task bar is gone, but I'm still getting ErrorSafe, WinAntiVirus Pro, and other virus/spyware popups while using Internet Explorer.

I'm worried about:
2006-11-04 10:31 93,696 --a------ C:\WINDOWS\system32\wwmexhe.dll
2006-11-04 10:31 72,704 --a------ C:\WINDOWS\system32\zwijpol.dll
2006-11-04 10:31 59,392 --a------ C:\WINDOWS\system32\drvkud.dll
2006-11-04 10:31 40,973 ---hs---- C:\WINDOWS\system32\ssqpmkh.dll
2006-11-04 10:31 15,872 --------- C:\WINDOWS\system32\winwea32.dll


VundoFix V6.2.6

Checking Java version...

Java version is 1.5.0.4

Scan started at 12:41:43 PM 11/5/2006

Listing files found while scanning....

C:\WINDOWS\system32\zwijpol.dll
C:\WINDOWS\system32\ssqrp.dll
C:\WINDOWS\system32\prqss.ini
C:\WINDOWS\system32\prqss.bak1
C:\WINDOWS\system32\prqss.bak2
C:\WINDOWS\system32\prqss.ini2
C:\WINDOWS\system32\prqss.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\system32\zwijpol.dll
C:\WINDOWS\system32\zwijpol.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqrp.dll
C:\WINDOWS\system32\ssqrp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\prqss.ini
C:\WINDOWS\system32\prqss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\prqss.bak1
C:\WINDOWS\system32\prqss.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\prqss.bak2
C:\WINDOWS\system32\prqss.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\prqss.ini2
C:\WINDOWS\system32\prqss.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\prqss.tmp
C:\WINDOWS\system32\prqss.tmp Has been deleted!

Performing Repairs to the registry.
Done!

Logfile of HijackThis v1.99.1
Scan saved at 12:55:22 PM, on 11/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~3\wcescomm.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...ER}&ar=home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {18D45C9B-483E-6360-A7D4-08C2F06E787F} - C:\WINDOWS\system32\zwijpol.dll (file missing)
O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - blank (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\Spyware Doctor\tools\iesdsg.dll
O2 - BHO: (no name) - {71459607-D01C-4DFF-B107-73F06A1CBB12} - C:\WINDOWS\system32\ssqrp.dll (file missing)
O2 - BHO: Discover deskshop Browser Helper Object - {8DB3D69D-DA5E-4165-B781-72A761790672} - C:\WINDOWS\system32\BhoDshop.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\bplejmsy.dll
O2 - BHO: (no name) - {F7999166-FDE6-49DA-9AFC-1F6A79E9D1F2} - C:\WINDOWS\system32\qomjhee.dll
O4 - HKLM\..\Run: [KEM] "C:\Program Files\Logitech\SetPoint\KEM.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O20 - Winlogon Notify: qomjhee - C:\WINDOWS\SYSTEM32\qomjhee.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: Canon PIXMA iP6000D Memory Card Manager (PDUiP6000DMemCrdMgr) - CANON INC. - C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\SYSTEM32\RadClock.exe (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

Edited by rack04, 05 November 2006 - 01:59 PM.


#11 rack04 (Topic Starter)

Posted 05 November 2006 - 02:41 PM

Symantec Online Scan shows C:\WINDOWS\system32\wwmexhe.dll is infected with Trojan.Busky.

#12 Buckeye_Sam (Malware Expert)

Posted 05 November 2006 - 03:57 PM

ComboFix is not working right for us for some reason.

Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

O2 - BHO: (no name) - {18D45C9B-483E-6360-A7D4-08C2F06E787F} - C:\WINDOWS\system32\zwijpol.dll (file missing)
O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - blank (file missing)
O2 - BHO: (no name) - {71459607-D01C-4DFF-B107-73F06A1CBB12} - C:\WINDOWS\system32\ssqrp.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\bplejmsy.dll
O2 - BHO: (no name) - {F7999166-FDE6-49DA-9AFC-1F6A79E9D1F2} - C:\WINDOWS\system32\qomjhee.dll
O20 - Winlogon Notify: qomjhee - C:\WINDOWS\SYSTEM32\qomjhee.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)



============



Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



    C:\WINDOWS\system32\bplejmsy.dll
    C:\WINDOWS\system32\qomjhee.dll
    C:\WINDOWS\system32\wwmexhe.dll



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

  • After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log
  • Post this log in your next reply.
============



Download and scan with the free 15-day trial of CounterSpy.
Save the report when it's finished:
  • Once CounterSpy has finished scanning, the 'Scan Results' box will appear.
  • Click on 'View Results'.
  • Under (Recommended Action), using the drop-down menus at the side of each entry found, set EVERYTHING to Remove.
  • Then click on Take Action.
  • Once everything has been removed, click on View Details.
  • Copy and paste those details into your next reply here.
Also post a new HijackThis log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 rack04

rack04
  • Topic Starter

  • Members
  • 16 posts

Posted 05 November 2006 - 08:21 PM

Pocket Killbox version 2.0.0.881
Running on Windows XP as Justin Rackley(Administrator)
was started @ Sunday, November 05, 2006, 6:19 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\bplejmsy.dll


# 2 [Delete on Reboot]
Path = C:\WINDOWS\system32\qomjhee.dll


# 3 [Delete on Reboot]
Path = C:\WINDOWS\system32\wwmexhe.dll


Killbox Closed(Exit) @ 6:21:08 PM
__________________________________________________

Pocket Killbox version 2.0.0.881
Running on Windows XP as Justin Rackley(Administrator)
was started @ Sunday, November 05, 2006, 6:36 PM

Killbox Closed(Exit) @ 6:37:23 PM
__________________________________________________

Spyware Scan Details
Start Date: 11/5/2006 6:49:23 PM
End Date: 11/5/2006 7:07:22 PM
Total Time: 17 mins 59 secs

Detected spyware

Virtumonde Adware (General) more information...
Details: Virtumonde is an adware program that displays pop-up advertisements on the desktop. Virtumonde also downloads other software from various remote servers.
Status: Deleted

Infected files detected
c:\windows\system32\bdeeg.tmp
c:\windows\system32\bdeeg.ini
c:\windows\system32\bdeeg.bak1
c:\windows\system32\geedb.dll

Infected registry entries detected
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\geedb
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\geedb Asynchronous 1
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\geedb DllName C:\WINDOWS\system32\geedb.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\geedb Impersonate 0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\geedb Startup SysLogon
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\geedb Logoff SysLogoff
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\geedb DllName C:\WINDOWS\System32\geedb.dll


Mirar Toolbar more information...
Details: Mirar is an adware application that installs a browser helper object (BHO) in the form of a toolbar.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75} SlowInfoCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75} Changed 0


Ipwins Adware (General) more information...
Status: Deleted

Infected registry entries detected
HKEY_CURRENT_USER\Software\IpWins
HKEY_CURRENT_USER\Software\IpWins remove ok


SpySheriff Rogue Security Program more information...
Details: SpySheriff is a purported anti-spyware application to scan for and remove spyware from users' computers.
Status: Deleted

Infected registry entries detected
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer ForceActiveDesktopOn


Maxifiles Adware (General) more information...
Status: Deleted

Infected registry entries detected
HKEY_CURRENT_USER\Software\IDL
HKEY_CURRENT_USER\Software\IDL b103 yes
HKEY_CURRENT_USER\Software\IDL remove yes
HKEY_LOCAL_MACHINE\SOFTWARE\em
HKEY_LOCAL_MACHINE\SOFTWARE\em check yes


DisableKey Adware (General) more information...
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\AdwareDisableKey3
HKEY_LOCAL_MACHINE\SOFTWARE\AdwareDisableKey3 1463888650
HKEY_CURRENT_USER\SOFTWARE\AdwareDisableKey3
HKEY_CURRENT_USER\SOFTWARE\AdwareDisableKey3 1463888650


Cookie: Advertising.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count
Status: Deleted

Infected cookies detected
c:\documents and settings\justin rackley\cookies\justin rackley@advertising[2].txt


Cookie: ATDMT.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count
Status: Deleted

Infected cookies detected
c:\documents and settings\justin rackley\cookies\justin rackley@atdmt[2].txt


Cookie: ABetterInternet.Aurora Cookie Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count
Status: Deleted

Infected cookies detected
c:\documents and settings\justin rackley\cookies\justin rackley@a[1].txt


Cookie: Claria.DashBar Cookie Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count
Status: Deleted

Infected cookies detected
c:\documents and settings\justin rackley\cookies\justin rackley@belnk[1].txt


Cookie: CGI-Bin Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count
Status: Deleted

Infected cookies detected
c:\documents and settings\justin rackley\cookies\justin rackley@cgi-bin[2].txt


Cookie: Mediaplex.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count
Status: Deleted

Infected cookies detected
c:\documents and settings\justin rackley\cookies\justin rackley@mediaplex[1].txt


Cookie: statcounter.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count
Status: Deleted

Infected cookies detected
c:\documents and settings\justin rackley\cookies\justin rackley@statcounter[2].txt

Logfile of HijackThis v1.99.1
Scan saved at 7:18:36 PM, on 11/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~3\wcescomm.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...ER}&ar=home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [KEM] "C:\Program Files\Logitech\SetPoint\KEM.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: Canon PIXMA iP6000D Memory Card Manager (PDUiP6000DMemCrdMgr) - CANON INC. - C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\SYSTEM32\RadClock.exe (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

#14 rack04

rack04
  • Topic Starter

  • Members
  • 16 posts

Posted 05 November 2006 - 09:36 PM

Update:

I'm still seeing several internet explorer popups while browsing.

#15 rack04

rack04
  • Topic Starter

  • Members
  • 16 posts

Posted 06 November 2006 - 07:43 AM

Even after a scan and restart it seems that Virtumonde still exists. I can't tell if this is what's causing all my problems.


[11/06/2006, 6:51:51] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Justin Rackley\Desktop\VirtumundoBeGone.exe" )
[11/06/2006, 6:52:04] - Detected System Information:
[11/06/2006, 6:52:04] - Windows Version: 5.1.2600, Service Pack 2
[11/06/2006, 6:52:04] - Current Username: Justin Rackley (Admin)
[11/06/2006, 6:52:04] - Windows is in SAFE mode with Networking.
[11/06/2006, 6:52:04] - Searching for Browser Helper Objects:
[11/06/2006, 6:52:04] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[11/06/2006, 6:52:04] - BHO 2: {1787D782-95CE-42D6-B51C-6082921EF044} ()
[11/06/2006, 6:52:04] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/06/2006, 6:52:04] - Checking for HKLM\...\Winlogon\Notify\geedb
[11/06/2006, 6:52:04] - Found: HKLM\...\Winlogon\Notify\geedb - This is probably Virtumundo.
[11/06/2006, 6:52:04] - Assigning {1787D782-95CE-42D6-B51C-6082921EF044} MSEvents Object
[11/06/2006, 6:52:04] - BHO list has been changed! Starting over...
[11/06/2006, 6:52:04] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[11/06/2006, 6:52:04] - BHO 2: {1787D782-95CE-42D6-B51C-6082921EF044} (MSEvents Object)
[11/06/2006, 6:52:04] - ALERT: Found MSEvents Object!
[11/06/2006, 6:52:04] - BHO 3: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
[11/06/2006, 6:52:04] - BHO 4: {8DB3D69D-DA5E-4165-B781-72A761790672} (DeskshopBrowserHelper Class)
[11/06/2006, 6:52:04] - BHO 5: {B56A7D7D-6927-48C8-A975-17DF180C71AC} (PCTools Browser Monitor)
[11/06/2006, 6:52:04] - BHO 6: {F18F04B0-9CF1-4b93-B004-77A288BEE28B} ()
[11/06/2006, 6:52:04] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/06/2006, 6:52:04] - Checking for HKLM\...\Winlogon\Notify\hnwcyuck
[11/06/2006, 6:52:04] - Key not found: HKLM\...\Winlogon\Notify\hnwcyuck, continuing.
[11/06/2006, 6:52:04] - Finished Searching Browser Helper Objects
[11/06/2006, 6:52:04] - *** Detected MSEvents Object
[11/06/2006, 6:52:04] - Trying to remove MSEvents Object...
[11/06/2006, 6:52:05] - Terminating Process: IEXPLORE.EXE
[11/06/2006, 6:52:05] - Terminating Process: RUNDLL32.EXE
[11/06/2006, 6:52:05] - Disabling Automatic Shell Restart
[11/06/2006, 6:52:05] - Terminating Process: EXPLORER.EXE
[11/06/2006, 6:52:05] - Suspending the NT Session Manager System Service
[11/06/2006, 6:52:05] - Terminating Windows NT Logon/Logoff Manager
[11/06/2006, 6:52:06] - Re-enabling Automatic Shell Restart
[11/06/2006, 6:52:06] - File to disable: C:\WINDOWS\system32\geedb.dll
[11/06/2006, 6:52:06] - Renaming C:\WINDOWS\system32\geedb.dll -> C:\WINDOWS\system32\geedb.dll.vir
[11/06/2006, 6:52:06] - File successfully renamed!
[11/06/2006, 6:52:06] - Removing HKLM\...\Browser Helper Objects\{1787D782-95CE-42D6-B51C-6082921EF044}
[11/06/2006, 6:52:06] - Removing HKCR\CLSID\{1787D782-95CE-42D6-B51C-6082921EF044}
[11/06/2006, 6:52:06] - Adding Kill Bit for ActiveX for GUID: {1787D782-95CE-42D6-B51C-6082921EF044}
[11/06/2006, 6:52:06] - Deleting ATLEvents/MSEvents Registry entries
[11/06/2006, 6:52:06] - Removing HKLM\...\Winlogon\Notify\geedb
[11/06/2006, 6:52:06] - Searching for Browser Helper Objects:
[11/06/2006, 6:52:06] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[11/06/2006, 6:52:06] - BHO 2: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
[11/06/2006, 6:52:06] - BHO 3: {8DB3D69D-DA5E-4165-B781-72A761790672} (DeskshopBrowserHelper Class)
[11/06/2006, 6:52:06] - BHO 4: {B56A7D7D-6927-48C8-A975-17DF180C71AC} (PCTools Browser Monitor)
[11/06/2006, 6:52:06] - BHO 5: {F18F04B0-9CF1-4b93-B004-77A288BEE28B} ()
[11/06/2006, 6:52:06] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/06/2006, 6:52:06] - Checking for HKLM\...\Winlogon\Notify\hnwcyuck
[11/06/2006, 6:52:06] - Key not found: HKLM\...\Winlogon\Notify\hnwcyuck, continuing.
[11/06/2006, 6:52:06] - Finished Searching Browser Helper Objects
[11/06/2006, 6:52:06] - Finishing up...
[11/06/2006, 6:52:06] - A restart is needed.
[11/06/2006, 6:52:16] - Attempting to Restart via STOP error (Blue Screen!)

Edited by rack04, 06 November 2006 - 08:00 AM.
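The triage the helper applies in post #12 (no-name O2 BHO entries, and the O20 Winlogon Notify handler that loads the same DLL as one of them, which is the Virtumonde pairing VirtumundoBeGone's log in post #15 also hunts for) can be run mechanically over a HijackThis log. The script below is an added example written for this page, not code from the thread or from HijackThis, Killbox, CounterSpy or VirtumundoBeGone; the O2/O20/O4 lines in its sample are the ones quoted in this thread, while the AcroIEHlprObj line and its Adobe path are constructed to show a named BHO that is not flagged.

```python
import ntpath  # Windows-style paths, so basename() works on Linux too
import re
from typing import Dict, List, Tuple

# Line formats emitted by HijackThis v1.99.1 for the two entry types the
# helper asks to "Fix checked": O2 (Browser Helper Objects) and O20
# (Winlogon Notify handlers). "(file missing)" marks an orphaned registration.
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<key>\S+) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$")

# Constructed sample log. The no-name O2 lines, the O20 lines and the O4 line
# are quoted from this thread; the AcroIEHlprObj line is made up (placeholder path).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\AcroIEHelper.dll
O2 - BHO: (no name) - {18D45C9B-483E-6360-A7D4-08C2F06E787F} - C:\WINDOWS\system32\zwijpol.dll (file missing)
O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - blank (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\bplejmsy.dll
O2 - BHO: (no name) - {F7999166-FDE6-49DA-9AFC-1F6A79E9D1F2} - C:\WINDOWS\system32\qomjhee.dll
O20 - Winlogon Notify: qomjhee - C:\WINDOWS\SYSTEM32\qomjhee.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O4 - HKLM\..\Run: [KEM] "C:\Program Files\Logitech\SetPoint\KEM.exe"
"""


def parse(log: str) -> Tuple[List[Dict], List[Dict]]:
    """Split a HijackThis log into its O2 (BHO) and O20 (Winlogon Notify) entries."""
    bhos, notifies = [], []
    for raw in log.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            bhos.append({"line": line, "name": m["name"], "clsid": m["clsid"].upper(),
                         "dll": ntpath.basename(m["path"].strip()).lower(),
                         "missing": bool(m["missing"])})
        elif m := O20_RE.match(line):
            notifies.append({"line": line, "key": m["key"],
                             "dll": ntpath.basename(m["path"].strip()).lower(),
                             "missing": bool(m["missing"])})
    return bhos, notifies


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (code, line) findings using the thread's heuristics: a BHO with no name
    is suspect; one whose DLL is also a Winlogon Notify handler is the Virtumonde
    pairing; entries whose file is missing are orphaned registrations."""
    bhos, notifies = parse(log)
    notify_by_dll = {n["dll"]: n for n in notifies if not n["missing"]}
    findings: List[Tuple[str, str]] = []
    paired = set()
    for b in bhos:
        if b["name"] != "(no name)":
            continue  # named BHOs are left to manual review by this heuristic
        if b["missing"]:
            findings.append(("ORPHAN_BHO", b["line"]))
        elif b["dll"] in notify_by_dll:
            n = notify_by_dll[b["dll"]]
            paired.add(n["key"])
            findings.append(("PAIRED_BHO", b["line"]))
            findings.append(("PAIRED_NOTIFY", n["line"]))
        else:
            findings.append(("NONAME_BHO", b["line"]))
    for n in notifies:
        if n["missing"] and n["key"] not in paired:
            findings.append(("ORPHAN_NOTIFY", n["line"]))
    return findings


if __name__ == "__main__":
    for code, line in triage(SAMPLE_LOG):
        print(f"{code:14} {line}")
```

On the sample this reproduces the helper's list: the two orphaned no-name BHOs, the bplejmsy.dll BHO for review, the qomjhee.dll BHO together with its Winlogon Notify handler, and the orphaned WRNotifier entry, while the named Adobe BHO and the O4 Run entry are not reported.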