
Smitfraud, Look2me, Amaena, Drivecleaner Massive Infection Fake Security Alerts, Need Help With Hijack This Analysis Please :o)


This topic is locked
30 replies to this topic

#1 winconline

winconline

  • Members
  • 18 posts
  • OFFLINE
  • Gender:Male
  • Location:Toronto Ontario
  • Local time:08:25 AM

Posted 08 November 2006 - 01:01 AM

I was up late last night (graphic designer just outside Toronto). I got a few Fake Security Alerts, and they started to increase. I got AdAware, Spybot, Symantec Corporate, PestPatrol etc. up and running, each time with a new set of malware/adware infestations. Pop-ups all over the place for drivecleaner, amaena, winantivirus etc., and alerts popping up in the system tray (one little red circle with yellow exclamation marks, and a flashing yellow triangle prompting me to do a full scan and download specific software). Thank god the porn has stopped flashing all over the screen, but I use this computer for my home business winconline.com and very rarely on anything questionable unless my comp is being used without my knowledge ... I've tried to have my dad access my computer through MSN, and he was having no luck with it either. I finally gained control of Internet Explorer, which seemed to be launching and linked to some fake security alert page.

I've been all over the net, done as many virus scans and such that I can, and each time we pull up less and less stuff, but still a substantial amount, did regcleaner a bunch of times, rebooted till the cows come home and this will be my first time using hijackthis, so I beg that you give a gal a little slack if I post incorrectly :thumbsup:)

This is my last attempt to spare my computer from flying out the window, and unfortunate but possibly necessary death.

Logfile of HijackThis v1.99.1
Scan saved at 12:43:14 AM, on 11/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Common Files\AOL\1154220229\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
C:\Program Files\Common Files\s?stem32\r?gsvr32.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\ismini.exe
C:\DOCUME~1\Reyn\MYDOCU~1\STEM~1\fast.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Reyn\Local Settings\Temp\HijackThis.exe

R3 - URLSearchHook: (no name) - {08EC55BC-9E06-CFA0-7D52-BFCE6EC9BCC7} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1154220229\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvgow.dll,startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Simple Star PhotoShow Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Nazqjng] C:\Program Files\Common Files\s?stem32\r?gsvr32.exe
O4 - HKCU\..\Run: [Bpht] "C:\DOCUME~1\Reyn\MYDOCU~1\STEM~1\fast.exe" -vt yazb
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.meilingchows.com
O16 - DPF: {23B1D1AE-A29F-4AE2-B76E-CAB6E14811C4} (DHCPConfiguration Class) - http://eserv.sympatico.ca/netassistant/con...adaPortalAX.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

PS, forgot to mention, the blue screen of death is now the black screen of death when I try to get into Safe Mode, for some reason it won't let me. I have downloaded the smitfraud fix and all that, just need some guidance.

Edited by winconline, 08 November 2006 - 01:10 AM.
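Added example, not code from the thread or from any of the tools named in it: a small Python triage helper for the O4 autostart lines of a HijackThis log like the one above. It flags the patterns that stand out in that log: the '?' placeholder HijackThis prints for non-ASCII look-alike folder names (s?stem32, r?gsvr32.exe), autostarts living under the user's profile, DLLs loaded through rundll32, and bare file names with no directory. The sample lines are copied from the log above; the heuristics and names are this example's own.

```python
# Added triage helper (not part of the thread): parse HijackThis "O4" autostart
# lines and flag the patterns visible in the log above.
import re
from dataclasses import dataclass, field
from typing import List

# Sample O4 lines, copied from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvgow.dll,startup
O4 - HKCU\..\Run: [Nazqjng] C:\Program Files\Common Files\s?stem32\r?gsvr32.exe
O4 - HKCU\..\Run: [Bpht] "C:\DOCUME~1\Reyn\MYDOCU~1\STEM~1\fast.exe" -vt yazb
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
""".strip().splitlines()

# "O4 - <hive>: [<name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Cut an unquoted command at the first executable extension so that paths with
# spaces survive ("C:\Program Files\..." is never quoted in the HKCU entries above).
EXE_RE = re.compile(r"(.+?\.(?:exe|dll|com|scr|bat))(?:\s|$)", re.IGNORECASE)
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(.+?\.dll)", re.IGNORECASE)


@dataclass
class Finding:
    name: str
    hive: str
    path: str
    reasons: List[str] = field(default_factory=list)


def program_path(cmd: str) -> str:
    """Return the file an O4 command actually launches.

    Quoted paths are taken verbatim; for rundll32 the loaded DLL is the file of
    interest; otherwise the command is cut at the first executable extension.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = RUNDLL_RE.match(cmd)
    if m:
        return m.group(1)
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split(" ")[0]


def triage_o4(lines) -> List[Finding]:
    """Return the O4 entries that match at least one of the heuristics below."""
    findings = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue  # not an O4 entry in the "[name] command" form
        cmd = m.group("cmd")
        path = program_path(cmd)
        low = path.lower()
        reasons = []
        # HijackThis prints '?' for characters it cannot render. A '?' inside a
        # folder or file name (s?stem32, r?gsvr32.exe) means a non-ASCII
        # look-alike of a system name was used so the entry passes as legitimate.
        if "?" in path:
            reasons.append("look-alike characters in path")
        # Autostarts that live under the user's profile instead of Program Files
        # or the Windows folder (fast.exe under My Documents above).
        if ("\\docume~1\\" in low or "\\documents and settings\\" in low
                or "\\temp\\" in low):
            reasons.append("user-profile or temp folder")
        # A DLL loaded via rundll32 has no host executable of its own to check;
        # the DLL itself (drvgow.dll above) is what needs verifying.
        if RUNDLL_RE.match(cmd):
            reasons.append("rundll32-loaded DLL")
        # A bare file name is resolved through the PATH search order rather than
        # a fixed location, so its real origin must be confirmed by hand.
        if "\\" not in path:
            reasons.append("no directory in path")
        if reasons:
            findings.append(Finding(m.group("name"), m.group("hive"), path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_o4(SAMPLE_LOG):
        print(f"{f.hive} [{f.name}] {f.path}: {', '.join(f.reasons)}")
```

A flagged entry is a candidate for inspection, not a verdict; the Logitech entry above is flagged only because it is launched by bare file name.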



#2 Buckeye_Sam

Buckeye_Sam

Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:25 AM

Posted 08 November 2006 - 04:09 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:


Set the computer down easy and back away from the window. We can fix this. :flowers:




Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 winconline

winconline
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Gender:Male
  • Location:Toronto Ontario
  • Local time:08:25 AM

Posted 09 November 2006 - 12:10 AM

Hey Sam - was going through the posts, and on several other lists, and am glad to see that this is a problem a ton of people have had (meaning that it's obviously fixable). I've been through Spybot, SpywareBlaster, CWShredder, smitrem, smitfraud.zip; still having the issue, and now Symantec is flashing up warnings in the top left of the monitor, but all files listed don't seem to exist in the Pocket Killbox. The majority of pop-ups are for oiadserver.com, winantivirus.com, drivecleaner.com
_________________________________________________________________________________

The latest warning from Symantec is as follows:

Scan type: Auto-Protect Scan
Event: Threat Found!
Threat: Dialer.Trojan
File: C:\Documents and Settings\Reyn\Local Settings\Temporary Internet Files\Content.IE5\6FQVU5K1\srvxcz[1].exe
Location: C:\Documents and Settings\Reyn\Local Settings\Temporary Internet Files\Content.IE5\6FQVU5K1
Computer: WENDY
User: Reyn
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Thursday, November 09, 2006 12:03:31 AM

_________________________________________________________________________________

I've survived the night, the computer is still here, with a slight impression of my foot in the wall beside it. I appreciate any help you can offer. I've imagined pulling a complete fingernail off to be less painful than this infestation.

_________________________________________________________________________________

Here's the ComboFix text file

Reyn - 06-11-08 22:40:56.77 Service Pack 2
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\Reyn\Desktop"

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Granting sedebugprivilege to Administrators ... successful


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\WINDOWS\system32\components

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Reyn\My Documents\STEM~1
C:\QooBox\Purity\Documents and Settings\Reyn\My Documents\STEM~1\??stem
C:\QooBox\Purity\Program Files\Common Files\RACLE~1
C:\QooBox\Purity\Program Files\Common Files\SSTEM3~1
C:\QooBox\Purity\Program Files\Common Files\SSTEM3~1\r?gsvr32.exe


((((((((((((((((((((((((((((((( Files Created from 2006-10-08 to 2006-11-08 ))))))))))))))))))))))))))))))))))


2006-11-08 22:35 110,612 --a------ C:\WINDOWS\system32\vjqifpwu.exe
2006-11-08 02:38 110,612 --a------ C:\WINDOWS\system32\aywggplm.exe
2006-11-08 02:19 110,612 --a------ C:\WINDOWS\system32\whfppjad.exe
2006-11-08 02:19 110,612 --a------ C:\WINDOWS\system32\tgveqbau.exe
2006-11-08 00:42 110,612 --a------ C:\WINDOWS\system32\ddikhgsl.exe
2006-11-08 00:29 40,973 ---hs---- C:\WINDOWS\system32\urqnkkj.dll
2006-11-08 00:27 110,612 --a------ C:\WINDOWS\system32\gnemdkfu.exe
2006-11-07 23:49 40,973 ---hs---- C:\WINDOWS\system32\gebabxv.dll
2006-11-07 23:37 110,612 --a------ C:\WINDOWS\system32\nmydyqyj.exe
2006-11-07 21:35 549,077 ---hs---- C:\WINDOWS\system32\yccdd.bak2
2006-11-07 21:35 110,612 --a------ C:\WINDOWS\system32\qytdkmty.exe
2006-11-07 21:34 60,436 --a------ C:\WINDOWS\system32\gjdcefpp.dll
2006-11-07 21:34 110,612 --a------ C:\WINDOWS\system32\shhvdycs.exe
2006-11-07 21:33 549,129 ---hs---- C:\WINDOWS\system32\yccdd.ini2
2006-11-07 17:56 40,973 ---hs---- C:\WINDOWS\system32\nnnolki.dll
2006-11-07 16:47 59,392 --a------ C:\WINDOWS\system32\drvgow.dll
2006-11-07 16:46 40,973 ---hs---- C:\WINDOWS\system32\cbxwtuv.dll
2006-11-07 04:59 692,276 ---hs---- C:\WINDOWS\system32\ddccy.dll
2006-11-07 04:59 60,436 --a------ C:\WINDOWS\system32\dstciykq.dll
2006-11-07 04:59 573,745 ---hs---- C:\WINDOWS\system32\yccdd.bak1
2006-11-07 04:59 110,612 --a------ C:\WINDOWS\system32\qmtysqnj.exe
2006-11-07 04:55 59,392 --a------ C:\WINDOWS\system32\drvmus.dll
2006-11-07 04:55 2 --a------ C:\WINDOWS\system32\wnstscc.exe
2006-11-07 04:53 40,973 ---hs---- C:\WINDOWS\system32\opnmkih.dll
2006-11-07 04:53 15,872 --a------ C:\WINDOWS\system32\winpdc32.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-08 22:43 -------- d-------- C:\Program Files\Symantec AntiVirus
2006-11-08 22:41 -------- d-------- C:\Program Files\Common Files
2006-11-08 22:35 -------- d-------- C:\Program Files\VSAdd-in
2006-11-08 02:39 -------- d-------- C:\Program Files\PestPatrol
2006-11-07 17:50 -------- d-------- C:\Program Files\InterMute
2006-11-07 16:02 -------- d-------- C:\Program Files\Internet Explorer
2006-11-07 06:06 -------- d-------- C:\Program Files\Windows NT
2006-11-07 05:41 -------- d-------- C:\Program Files\Windows Media Player
2006-11-07 05:39 -------- d-------- C:\Program Files\Messenger
2006-11-07 05:34 -------- d-------- C:\Program Files\Common Files\Services
2006-11-07 04:59 -------- d-------- C:\Program Files\Corel
2006-11-07 04:48 3974 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2006-11-07 04:43 104 -r-hs---- C:\WINDOWS\system32\5CAD685368.sys
2006-11-04 14:29 -------- d-------- C:\Program Files\WinHTTrack
2006-10-25 15:14 -------- d-------- C:\Program Files\Timesheets Express
2006-09-27 19:22 -------- d-------- C:\Documents and Settings\Reyn\Application Data\Simple Star
2006-09-27 19:20 67 --a------ C:\Documents and Settings\Reyn\Application Data\photoshow_express_45_efigsj[1].txt
2006-09-27 19:16 -------- d-------- C:\Program Files\Simple Star
2006-09-27 19:16 -------- d-------- C:\Program Files\Common Files\Simple Star Shared
2006-09-27 18:04 -------- d-------- C:\Documents and Settings\Reyn\Application Data\Downloaded Installations
2006-09-27 10:47 -------- d-------- C:\Documents and Settings\Reyn\Application Data\Adobe
2006-09-23 17:59 -------- d-------- C:\Program Files\AIM
2006-09-21 17:02 -------- d-------- C:\Program Files\Common Files\Designer
2006-09-21 17:01 -------- d-------- C:\Program Files\Common Files\Corel
2006-09-21 16:59 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-19 01:33 -------- d-------- C:\Program Files\AOD
2006-09-17 16:34 -------- d-------- C:\Program Files\Google
2006-09-17 16:34 -------- d-------- C:\Documents and Settings\Reyn\Application Data\Macromedia
2006-09-13 00:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-12 21:08 -------- d-------- C:\Program Files\WS_FTP
2006-08-25 10:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 07:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 04:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 06:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Aim6"=""
"LogitechSoftwareUpdate"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot"
"Simple Star PhotoShow Media Manager"="C:\\PROGRA~1\\SIMPLE~1\\PHOTOS~1\\data\\Xtras\\mssysmgr.exe"
"Nazqjng"="C:\\Program Files\\Common Files\\s?stem32\\r?gsvr32.exe"
"Bpht"="\"C:\\DOCUME~1\\Reyn\\MYDOCU~1\\STEM~1\\fast.exe\" -vt yazb"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"PestPatrol Control Center"="c:\\PROGRA~1\\PESTPA~1\\PPControl.exe"
"PPMemCheck"="c:\\PROGRA~1\\PESTPA~1\\PPMemCheck.exe"
"CookiePatrol"="c:\\PROGRA~1\\PESTPA~1\\CookiePatrol.exe"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1154220229\\ee\\AOLSoftware.exe"
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe "
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"Share-to-Web Namespace Daemon"="c:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
@=""
"CTDrive"="rundll32.exe C:\\WINDOWS\\system32\\drvgow.dll,startup"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{F7999166-FDE6-49DA-9AFC-1F6A79E9D1F2}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxwtuv
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccy
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winpdc32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-11-08 22:44:33.20
C:\ComboFix.txt ... 06-11-08 22:44

#4 Buckeye_Sam

Buckeye_Sam

Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:25 AM

Posted 09 November 2006 - 06:32 PM

You've got some stinkers in there, but nothing we can't handle in a couple steps.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt even if Vundofix found no infected files.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.


Also post a new log from Combofix.

#5 winconline

winconline
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Gender:Male
  • Location:Toronto Ontario
  • Local time:08:25 AM

Posted 09 November 2006 - 10:24 PM

I was stuck in an eternal ring of that program for a while, where it continued to tell me it couldn't delete the files. A few hiccups (the computer - not me) and a final reboot with nothing in the box. So ... I closed it without rescanning - hope that was right.

I think all of this looks like some sort of ET has taken control of my computer, and that I should be calling for an exorcism.



Vundofix log follows:

______________________________________________________________________

VundoFix V6.2.8

Checking Java version...

Java version is 1.5.0.6

Scan started at 9:50:44 PM 11/9/2006

Listing files found while scanning....

C:\WINDOWS\system32\winpdc32.dll
C:\WINDOWS\system32\ddccy.dll
C:\WINDOWS\system32\yccdd.ini
C:\WINDOWS\system32\yccdd.bak1
C:\WINDOWS\system32\yccdd.bak2
C:\WINDOWS\system32\yccdd.ini2
C:\WINDOWS\system32\yccdd.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\system32\winpdc32.dll
C:\WINDOWS\system32\winpdc32.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\ddccy.dll
C:\WINDOWS\system32\ddccy.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\yccdd.ini
C:\WINDOWS\system32\yccdd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\yccdd.bak1
C:\WINDOWS\system32\yccdd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\yccdd.bak2
C:\WINDOWS\system32\yccdd.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\yccdd.ini2
C:\WINDOWS\system32\yccdd.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\yccdd.tmp
C:\WINDOWS\system32\yccdd.tmp Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.8

Checking Java version...

Java version is 1.5.0.6

Scan started at 9:56:59 PM 11/9/2006

Listing files found while scanning....

C:\WINDOWS\system32\winpdc32.dll
C:\WINDOWS\system32\ddccy.dll
C:\WINDOWS\system32\yccdd.ini
C:\WINDOWS\system32\yccdd.ini2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\winpdc32.dll
C:\WINDOWS\system32\winpdc32.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddccy.dll
C:\WINDOWS\system32\ddccy.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\yccdd.ini
C:\WINDOWS\system32\yccdd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\yccdd.ini2
C:\WINDOWS\system32\yccdd.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddccy.dll
C:\WINDOWS\system32\ddccy.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.2.8

Checking Java version...

Java version is 1.5.0.6

Scan started at 10:05:56 PM 11/9/2006

Listing files found while scanning....

C:\WINDOWS\system32\ddccy.dll
C:\WINDOWS\system32\yccdd.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddccy.dll
C:\WINDOWS\system32\ddccy.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\yccdd.ini
C:\WINDOWS\system32\yccdd.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddccy.dll
C:\WINDOWS\system32\ddccy.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\yccdd.ini
C:\WINDOWS\system32\yccdd.ini Has been deleted!

Performing Repairs to the registry.
Done!
____________________________________________________________________________

ComboFix follows next:

Reyn - 06-11-09 22:15:13.25 Service Pack 2
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\Reyn\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Program Files\STEM32~1
C:\QooBox\Purity\Program Files\STEM32~1\??stem32
C:\QooBox\Purity\WINDOWS\system32\ASEMBL~1


((((((((((((((((((((((((((((((( Files Created from 2006-10-09 to 2006-11-09 ))))))))))))))))))))))))))))))))))


2006-11-09 22:03 4,476 --a------ C:\WINDOWSvundofix.reg
2006-11-08 23:41 40,973 ---hs---- C:\WINDOWS\system32\rqrqnol.dll
2006-11-08 00:29 40,973 ---hs---- C:\WINDOWS\system32\urqnkkj.dll
2006-11-07 23:49 40,973 ---hs---- C:\WINDOWS\system32\gebabxv.dll
2006-11-07 17:56 40,973 ---hs---- C:\WINDOWS\system32\nnnolki.dll
2006-11-07 16:46 40,973 ---hs---- C:\WINDOWS\system32\cbxwtuv.dll
2006-11-07 04:59 692,276 --------- C:\WINDOWS\system32\ddccy.dll
2006-11-07 04:55 2 --a------ C:\WINDOWS\system32\wnstscc.exe
2006-11-07 04:53 40,973 ---hs---- C:\WINDOWS\system32\opnmkih.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-09 22:15 -------- d-------- C:\Program Files\Common Files
2006-11-09 22:14 -------- d-------- C:\Program Files\PestPatrol
2006-11-09 22:13 -------- d-------- C:\Program Files\Symantec AntiVirus
2006-11-09 21:48 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-08 23:46 -------- d-------- C:\Documents and Settings\Reyn\Application Data\Talkback
2006-11-08 23:45 -------- d-------- C:\Documents and Settings\Reyn\Application Data\Mozilla
2006-11-08 23:10 -------- d-------- C:\Program Files\SpywareBlaster
2006-11-08 22:46 -------- d-------- C:\Program Files\VSAdd-in
2006-11-07 17:50 -------- d-------- C:\Program Files\InterMute
2006-11-07 16:02 -------- d-------- C:\Program Files\Internet Explorer
2006-11-07 06:06 -------- d-------- C:\Program Files\Windows NT
2006-11-07 05:41 -------- d-------- C:\Program Files\Windows Media Player
2006-11-07 05:39 -------- d-------- C:\Program Files\Messenger
2006-11-07 05:34 -------- d-------- C:\Program Files\Common Files\Services
2006-11-07 04:59 -------- d-------- C:\Program Files\Corel
2006-11-07 04:48 3974 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2006-11-07 04:43 104 -r-hs---- C:\WINDOWS\system32\5CAD685368.sys
2006-11-04 14:29 -------- d-------- C:\Program Files\WinHTTrack
2006-10-25 15:14 -------- d-------- C:\Program Files\Timesheets Express
2006-09-27 19:22 -------- d-------- C:\Documents and Settings\Reyn\Application Data\Simple Star
2006-09-27 19:20 67 --a------ C:\Documents and Settings\Reyn\Application Data\photoshow_express_45_efigsj[1].txt
2006-09-27 19:16 -------- d-------- C:\Program Files\Simple Star
2006-09-27 19:16 -------- d-------- C:\Program Files\Common Files\Simple Star Shared
2006-09-27 18:04 -------- d-------- C:\Documents and Settings\Reyn\Application Data\Downloaded Installations
2006-09-27 10:47 -------- d-------- C:\Documents and Settings\Reyn\Application Data\Adobe
2006-09-23 17:59 -------- d-------- C:\Program Files\AIM
2006-09-21 17:02 -------- d-------- C:\Program Files\Common Files\Designer
2006-09-21 17:01 -------- d-------- C:\Program Files\Common Files\Corel
2006-09-21 16:59 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-19 01:33 -------- d-------- C:\Program Files\AOD
2006-09-17 16:34 -------- d-------- C:\Program Files\Google
2006-09-17 16:34 -------- d-------- C:\Documents and Settings\Reyn\Application Data\Macromedia
2006-09-13 00:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-12 21:08 -------- d-------- C:\Program Files\WS_FTP
2006-08-25 10:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 07:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 04:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 06:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Aim6"=""
"LogitechSoftwareUpdate"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot"
"Simple Star PhotoShow Media Manager"="C:\\PROGRA~1\\SIMPLE~1\\PHOTOS~1\\data\\Xtras\\mssysmgr.exe"
"Nazqjng"="C:\\Program Files\\Common Files\\s?stem32\\r?gsvr32.exe"
"Bpht"="\"C:\\PROGRA~1\\STEM32~1\\rundll32.exe\" -vt yazb"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"PestPatrol Control Center"="C:\\PROGRA~1\\PESTPA~1\\PPControl.exe"
"PPMemCheck"="C:\\PROGRA~1\\PESTPA~1\\PPMemCheck.exe"
"CookiePatrol"="C:\\PROGRA~1\\PESTPA~1\\CookiePatrol.exe"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1154220229\\ee\\AOLSoftware.exe"
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe "
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"Share-to-Web Namespace Daemon"="c:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
@=""
"CTDrive"="rundll32.exe C:\\WINDOWS\\system32\\drvsew.dll,startup"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{F7999166-FDE6-49DA-9AFC-1F6A79E9D1F2}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxwtuv
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccy

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-11-09 22:17:15.34
C:\ComboFix.txt ... 06-11-09 22:17
C:\ComboFix2.txt ... 06-11-08 22:44

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:25 AM

Posted 10 November 2006 - 09:37 AM

Click Start -> Run
Copy the command below and paste it into the Run box and click Ok.

"%userprofile%\desktop\combofix.exe" /v ddccy

When it's done running it will produce a log for you. Please post that log in your next reply.


==========



Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



    C:\WINDOWS\system32\rqrqnol.dll
    C:\WINDOWS\system32\urqnkkj.dll
    C:\WINDOWS\system32\gebabxv.dll
    C:\WINDOWS\system32\nnnolki.dll
    C:\WINDOWS\system32\cbxwtuv.dll
    C:\WINDOWS\system32\ddccy.dll
    C:\WINDOWS\system32\wnstscc.exe
    C:\WINDOWS\system32\opnmkih.dll



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

  • After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log
  • Post this log in your next reply.
==============


Delete this folder.

C:\Program Files\VSAdd-in


==============



Please download AVG Anti-Spyware and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run Ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware. Do not run a scan just yet; we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.

  • Clean out your Temporary Internet files.
    • Internet Explorer
      • Close Internet Explorer and close any instances of Windows Explorer.
      • Click Start -> Control Panel and then double-click Internet Options.
      • On the General tab, click Delete Files under Temporary Internet Files.
      • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
      • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
      • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
      • Click OK.
    • Firefox (In case you also have Firefox installed)
      • Open Firefox and go to Tools -> Options.
      • Click Privacy in the menu on the left side of the Options window.
      • Click the Clear button located to the right of each option (History, Cookies, Cache).
      • Click OK to close the Options window.
        Alternatively, you can clear all information stored while browsing by clicking Clear All.
        A confirmation dialog box will be shown before clearing the information.
    IMPORTANT: Close all windows and do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process:

  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
    • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
      Once the scan is complete do the following:
    • If you have any infections you will be prompted, then select "Apply all actions"
    • Next select the "Reports" icon at the top.
    • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    • Close AVG Anti-Spyware and reboot your system back into Normal Mode.
Please post the results of the AVG Anti-Spyware scan report along with a new Hijackthis log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
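The files and Run-key entries the helper singles out above share a few recognisable traits: hidden+system DLLs dropped into system32, a two-byte "executable", and autostart paths that hide behind a '?' look-alike character or a short name such as STEM32~1. As an added example (not ComboFix's, HijackThis's or the thread's own code), this Python script parses log lines copied from the thread and applies those same heuristics; the size threshold, the folder checks and the list of system utilities are my assumptions, and a hit is a review candidate, not a verdict.

```python
import re
from dataclasses import dataclass

WINDOWS_DIR = "c:\\windows\\"
SYSTEM32_DIR = WINDOWS_DIR + "system32\\"
EXEC_EXT = (".dll", ".exe")
# Utilities that normally live under the Windows folder; a copy elsewhere is odd.
SYSTEM_UTILITIES = {"rundll32.exe", "regsvr32.exe", "svchost.exe"}

# ComboFix file line: date time size attrs path (size is '--------' for folders).
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) ([\d,]+|-+) ([-a-z]{9}) (.+)$")
REG_KEY = re.compile(r"^\[(HKEY_[^\]]+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')
# First drive-letter path ending in .exe/.dll inside a Run value.
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)', re.IGNORECASE)

# Constructed sample: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
2006-11-09 22:03 4,476 --a------ C:\WINDOWSvundofix.reg
2006-11-08 23:41 40,973 ---hs---- C:\WINDOWS\system32\rqrqnol.dll
2006-11-07 04:55 2 --a------ C:\WINDOWS\system32\wnstscc.exe
2006-09-13 00:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-11-09 22:15 -------- d-------- C:\Program Files\Common Files

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Aim6"=""
"Nazqjng"="C:\\Program Files\\Common Files\\s?stem32\\r?gsvr32.exe"
"Bpht"="\"C:\\PROGRA~1\\STEM32~1\\rundll32.exe\" -vt yazb"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"CTDrive"="rundll32.exe C:\\WINDOWS\\system32\\drvsew.dll,startup"
"""


@dataclass
class Finding:
    location: str  # file path, or registry key\value name
    reason: str


def parse_file_line(line):
    """Return (size_or_None, attrs, path) for a ComboFix file line, else None."""
    m = FILE_LINE.match(line)
    if not m:
        return None
    size_field, attrs, path = m.group(3), m.group(4), m.group(5)
    size = int(size_field.replace(",", "")) if size_field[0].isdigit() else None
    return size, attrs, path


def check_file(size, attrs, path):
    """File heuristics: hidden+system executables in system32, tiny executables."""
    reasons = []
    low = path.lower()
    if attrs.startswith("d") or not low.endswith(EXEC_EXT):
        return reasons
    if "h" in attrs and "s" in attrs and low.startswith(SYSTEM32_DIR):
        reasons.append("hidden+system executable in system32")
    if size is not None and size < 1024:  # assumed threshold
        reasons.append(f"implausibly small executable ({size} bytes)")
    return reasons


def unescape_reg(value):
    r"""Undo .reg escaping (\\ -> \ and \" -> ")."""
    return re.sub(r'\\(["\\])', r"\1", value)


def check_run_value(raw_value):
    """Run-value heuristics on the first executable path in the value."""
    reasons = []
    m = WIN_PATH.search(unescape_reg(raw_value))
    if not m:
        return reasons
    exe_path = m.group(0)
    if "?" in exe_path:
        # HijackThis/ComboFix print non-ASCII look-alike characters as '?'.
        reasons.append("path contains '?' (non-ASCII look-alike character)")
    base = exe_path.rsplit("\\", 1)[-1].lower()
    if base in SYSTEM_UTILITIES and not exe_path.lower().startswith(WINDOWS_DIR):
        reasons.append(f"{base} launched from outside the Windows folder")
    return reasons


def triage(log_text):
    """Walk a log excerpt and collect Finding records for both section types."""
    findings = []
    current_key = ""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        key_match = REG_KEY.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        parsed = parse_file_line(line)
        if parsed:
            size, attrs, path = parsed
            findings.extend(Finding(path, r) for r in check_file(size, attrs, path))
            continue
        value_match = REG_VALUE.match(line)
        if value_match and current_key.lower().endswith("\\currentversion\\run"):
            name, raw_value = value_match.groups()
            findings.extend(Finding(f"{current_key}\\{name}", r)
                            for r in check_run_value(raw_value))
    return findings
```

Running `triage(SAMPLE_LOG)` reports rqrqnol.dll, wnstscc.exe, Nazqjng and Bpht and stays silent on the Symantec and msxml3 entries.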

#7 winconline

winconline
  • Topic Starter

  • Members
  • 18 posts
  • Gender:Male
  • Location:Toronto Ontario
  • Local time:08:25 AM

Posted 10 November 2006 - 06:13 PM

Okie dohkee.

New log ... and then I am on to do the other things :thumbsup:)

Reyn - 06-11-10 18:04:39.21 Service Pack 2
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\Reyn\desktop"
Command switches used :: /v ddccy

(((((((((((((((((((((((((((((((((((((((((((((((( Vundo Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ddccy.dll
C:\WINDOWS\system32\yccdd.bak2
C:\WINDOWS\system32\yccdd.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Program Files\STEM32~1
C:\QooBox\Purity\Program Files\STEM32~1\??stem32
C:\QooBox\Purity\WINDOWS\system32\ASEMBL~1


((((((((((((((((((((((((((((((( Files Created from 2006-10-10 to 2006-11-10 ))))))))))))))))))))))))))))))))))


2006-11-09 22:03 4,476 --a------ C:\WINDOWSvundofix.reg
2006-11-08 23:41 40,973 ---hs---- C:\WINDOWS\system32\rqrqnol.dll
2006-11-08 00:29 40,973 ---hs---- C:\WINDOWS\system32\urqnkkj.dll
2006-11-07 23:49 40,973 ---hs---- C:\WINDOWS\system32\gebabxv.dll
2006-11-07 17:56 40,973 ---hs---- C:\WINDOWS\system32\nnnolki.dll
2006-11-07 16:46 40,973 ---hs---- C:\WINDOWS\system32\cbxwtuv.dll
2006-11-07 04:55 2 --a------ C:\WINDOWS\system32\wnstscc.exe
2006-11-07 04:53 40,973 ---hs---- C:\WINDOWS\system32\opnmkih.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-10 18:06 -------- d-------- C:\Program Files\Symantec AntiVirus
2006-11-10 02:52 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-09 22:22 -------- d-------- C:\Program Files\PestPatrol
2006-11-09 22:15 -------- d-------- C:\Program Files\Common Files
2006-11-08 23:46 -------- d-------- C:\Documents and Settings\Reyn\Application Data\Talkback
2006-11-08 23:45 -------- d-------- C:\Documents and Settings\Reyn\Application Data\Mozilla
2006-11-08 23:10 -------- d-------- C:\Program Files\SpywareBlaster
2006-11-08 22:46 -------- d-------- C:\Program Files\VSAdd-in
2006-11-07 17:50 -------- d-------- C:\Program Files\InterMute
2006-11-07 16:02 -------- d-------- C:\Program Files\Internet Explorer
2006-11-07 06:06 -------- d-------- C:\Program Files\Windows NT
2006-11-07 05:41 -------- d-------- C:\Program Files\Windows Media Player
2006-11-07 05:39 -------- d-------- C:\Program Files\Messenger
2006-11-07 05:34 -------- d-------- C:\Program Files\Common Files\Services
2006-11-07 04:59 -------- d-------- C:\Program Files\Corel
2006-11-07 04:48 3974 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2006-11-07 04:43 104 -r-hs---- C:\WINDOWS\system32\5CAD685368.sys
2006-11-04 14:29 -------- d-------- C:\Program Files\WinHTTrack
2006-10-25 15:14 -------- d-------- C:\Program Files\Timesheets Express
2006-09-27 19:22 -------- d-------- C:\Documents and Settings\Reyn\Application Data\Simple Star
2006-09-27 19:20 67 --a------ C:\Documents and Settings\Reyn\Application Data\photoshow_express_45_efigsj[1].txt
2006-09-27 19:16 -------- d-------- C:\Program Files\Simple Star
2006-09-27 19:16 -------- d-------- C:\Program Files\Common Files\Simple Star Shared
2006-09-27 18:04 -------- d-------- C:\Documents and Settings\Reyn\Application Data\Downloaded Installations
2006-09-27 10:47 -------- d-------- C:\Documents and Settings\Reyn\Application Data\Adobe
2006-09-23 17:59 -------- d-------- C:\Program Files\AIM
2006-09-21 17:02 -------- d-------- C:\Program Files\Common Files\Designer
2006-09-21 17:01 -------- d-------- C:\Program Files\Common Files\Corel
2006-09-21 16:59 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-19 01:33 -------- d-------- C:\Program Files\AOD
2006-09-17 16:34 -------- d-------- C:\Program Files\Google
2006-09-17 16:34 -------- d-------- C:\Documents and Settings\Reyn\Application Data\Macromedia
2006-09-13 00:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-12 21:08 -------- d-------- C:\Program Files\WS_FTP
2006-08-25 10:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 07:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 04:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 06:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Aim6"=""
"LogitechSoftwareUpdate"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot"
"Simple Star PhotoShow Media Manager"="C:\\PROGRA~1\\SIMPLE~1\\PHOTOS~1\\data\\Xtras\\mssysmgr.exe"
"Nazqjng"="C:\\Program Files\\Common Files\\s?stem32\\r?gsvr32.exe"
"Bpht"="\"C:\\PROGRA~1\\STEM32~1\\rundll32.exe\" -vt yazb"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"PestPatrol Control Center"="C:\\PROGRA~1\\PESTPA~1\\PPControl.exe"
"PPMemCheck"="C:\\PROGRA~1\\PESTPA~1\\PPMemCheck.exe"
"CookiePatrol"="C:\\PROGRA~1\\PESTPA~1\\CookiePatrol.exe"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1154220229\\ee\\AOLSoftware.exe"
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe "
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"Share-to-Web Namespace Daemon"="c:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
@=""
"CTDrive"="rundll32.exe C:\\WINDOWS\\system32\\drvsew.dll,startup"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{F7999166-FDE6-49DA-9AFC-1F6A79E9D1F2}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxwtuv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-11-10 18:07:10.68
C:\ComboFix.txt ... 06-11-10 18:07
C:\ComboFix2.txt ... 06-11-09 22:17
C:\ComboFix3.txt ... 06-11-08 22:44

#8 winconline

winconline
  • Topic Starter

  • Members
  • 18 posts
  • Gender:Male
  • Location:Toronto Ontario
  • Local time:08:25 AM

Posted 10 November 2006 - 09:25 PM

Here are the text files - if you can clean us of this demon, let me know where to donate.




Logfile of HijackThis v1.99.1
Scan saved at 9:17:36 PM, on 11/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Common Files\AOL\1154220229\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Documents and Settings\Reyn\Desktop\HijackThis.exe

R3 - URLSearchHook: (no name) - {BC290CE0-9E0F-C9AA-2AE7-B49EFB40559E} - C:\WINDOWS\system32\rhac.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1154220229\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvsew.dll,startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Simple Star PhotoShow Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Nazqjng] C:\Program Files\Common Files\s?stem32\r?gsvr32.exe
O4 - HKCU\..\Run: [Bpht] "C:\PROGRA~1\STEM32~1\rundll32.exe" -vt yazb
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.meilingchows.com
O16 - DPF: {23B1D1AE-A29F-4AE2-B76E-CAB6E14811C4} (DHCPConfiguration Class) - http://eserv.sympatico.ca/netassistant/con...adaPortalAX.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

_______________________________________________________________________________


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:12:44 PM 11/10/2006

+ Scan result:



HKLM\SOFTWARE\Classes\SigningModule.SigningModule -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\SigningModule.SigningModule.1 -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\SigningModule.SigningModule\CLSID -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\SigningModule.SigningModule\CurVer -> Adware.Altnet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4647E73A-3191-407B-9AE3-C5098E32336C}\RP120\A0021768.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
HKU\S-1-5-21-606747145-1417001333-839522115-1003\Software\Kazaa\Promotions\Cydoor -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-606747145-1417001333-839522115-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-606747145-1417001333-839522115-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-606747145-1417001333-839522115-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-606747145-1417001333-839522115-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_1068 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-606747145-1417001333-839522115-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_1074 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-606747145-1417001333-839522115-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-606747145-1417001333-839522115-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_0 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-606747145-1417001333-839522115-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_0\Seqn_4492 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-606747145-1417001333-839522115-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_0\Seqn_4496 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-606747145-1417001333-839522115-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_0\Seqn_4543 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-606747145-1417001333-839522115-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-606747145-1417001333-839522115-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_0 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-606747145-1417001333-839522115-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_0\Seqn_1068 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-606747145-1417001333-839522115-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_0\Seqn_1074 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-606747145-1417001333-839522115-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-606747145-1417001333-839522115-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_0 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-606747145-1417001333-839522115-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_0\Seqn_1068 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-606747145-1417001333-839522115-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_0\Seqn_1074 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-606747145-1417001333-839522115-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-606747145-1417001333-839522115-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-606747145-1417001333-839522115-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0\Seqn_1116 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-606747145-1417001333-839522115-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0\Seqn_1524 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-606747145-1417001333-839522115-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0\Seqn_1553 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-606747145-1417001333-839522115-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0\Seqn_1641 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-606747145-1417001333-839522115-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Services -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-606747145-1417001333-839522115-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Services\Queue -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-606747145-1417001333-839522115-1003\Software\Kazaa\Promotions\Cydoor\Adwr_329\Services\Status -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4647E73A-3191-407B-9AE3-C5098E32336C}\RP120\A0020717.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4647E73A-3191-407B-9AE3-C5098E32336C}\RP120\A0020744.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4647E73A-3191-407B-9AE3-C5098E32336C}\RP120\A0022789.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4647E73A-3191-407B-9AE3-C5098E32336C}\RP120\A0022791.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4647E73A-3191-407B-9AE3-C5098E32336C}\RP120\A0022792.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4647E73A-3191-407B-9AE3-C5098E32336C}\RP120\A0025841.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4647E73A-3191-407B-9AE3-C5098E32336C}\RP123\A0030993.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4647E73A-3191-407B-9AE3-C5098E32336C}\RP120\A0020371.exe -> Downloader.Adload.nad : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4647E73A-3191-407B-9AE3-C5098E32336C}\RP122\A0027841.exe -> Downloader.PurityScan.co : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4647E73A-3191-407B-9AE3-C5098E32336C}\RP122\A0027842.exe -> Downloader.PurityScan.co : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4647E73A-3191-407B-9AE3-C5098E32336C}\RP120\A0021798.exe -> Downloader.PurityScan.dc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4647E73A-3191-407B-9AE3-C5098E32336C}\RP122\A0030837.exe -> Downloader.PurityScan.dc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4647E73A-3191-407B-9AE3-C5098E32336C}\RP123\A0030988.exe -> Downloader.PurityScan.dc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4647E73A-3191-407B-9AE3-C5098E32336C}\RP120\A0024826.exe -> Downloader.PurityScan.dt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4647E73A-3191-407B-9AE3-C5098E32336C}\RP122\A0027836.exe -> Downloader.PurityScan.dt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4647E73A-3191-407B-9AE3-C5098E32336C}\RP122\A0030838.exe -> Downloader.PurityScan.dt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4647E73A-3191-407B-9AE3-C5098E32336C}\RP123\A0030987.exe -> Downloader.PurityScan.dt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4647E73A-3191-407B-9AE3-C5098E32336C}\RP120\A0019407.exe -> Downloader.Small.ajc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4647E73A-3191-407B-9AE3-C5098E32336C}\RP120\A0021795.exe -> Downloader.Zlob.aes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4647E73A-3191-407B-9AE3-C5098E32336C}\RP120\A0021773.exe -> Downloader.Zlob.auw : Cleaned with backup (quarantined).
F:\Documents and Settings\Wendy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jpg-278b703-604b3be9.zip/Gummy.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned with backup (quarantined).
F:\Documents and Settings\Wendy\Local Settings\Temp\Cookies\wendy@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
F:\Documents and Settings\Wendy\Local Settings\Temp\Cookies\wendy@com[1].txt -> TrackingCookie.Com : Cleaned.
F:\Documents and Settings\Wendy\Local Settings\Temp\Cookies\wendy@e-2dj6wflikjdzkco.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
F:\Documents and Settings\Wendy\Local Settings\Temp\Cookies\wendy@e-2dj6wfmyulajoao.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
F:\Documents and Settings\Wendy\Local Settings\Temp\Cookies\wendy@e-2dj6wjkyghazafq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
F:\Documents and Settings\Wendy\Local Settings\Temp\Cookies\wendy@e-2dj6wjkygkajago.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
F:\Documents and Settings\Wendy\Local Settings\Temp\Cookies\wendy@e-2dj6wjlokhd5kao.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
F:\Documents and Settings\Wendy\Local Settings\Temp\Cookies\wendy@e-2dj6wjlyemczcdp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
F:\Documents and Settings\Wendy\Local Settings\Temp\Cookies\wendy@e-2dj6wjmioiczslo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
F:\Documents and Settings\Wendy\Local Settings\Temp\Cookies\wendy@data3.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
F:\Documents and Settings\Wendy\Local Settings\Temp\Cookies\wendy@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\System Volume Information\_restore{4647E73A-3191-407B-9AE3-C5098E32336C}\RP123\A0031041.dll -> Trojan.Agent.vg : Cleaned with backup (quarantined).
C:\VundoFix Backups\winpdc32.dll.bad -> Trojan.Agent.vg : Cleaned with backup (quarantined).

#9 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 11 November 2006 - 04:07 PM

We're getting there.

Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

R3 - URLSearchHook: (no name) - {BC290CE0-9E0F-C9AA-2AE7-B49EFB40559E} - C:\WINDOWS\system32\rhac.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [Nazqjng] C:\Program Files\Common Files\s?stem32\r?gsvr32.exe
O4 - HKCU\..\Run: [Bpht] "C:\PROGRA~1\STEM32~1\rundll32.exe" -vt yazb



===========


Click Start -> Control Panel -> Add Remove Programs and uninstall these programs:

Viewpoint Manager


===========


We need to update your version of Java.
  • Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9 from HERE
    • Scroll down to where it says Java Runtime Environment (JRE) 5.0 Update 9
    • Click the "Download" button to the right.
    • Accept the license agreement.
    • Click Windows Offline Installation, Multi-language to download the file.
  • Once the program has finished downloading:
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
      • It should have the Java icon next to it.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-1_5_0_09-windowsi586-p.exe to install the newest version.
  • Go back into the Control Panel and double-click the Java Icon.
    • Under Temporary Internet Files, click the Delete Files button.
    • There are three options in the window to clear the cache - Leave ALL 3 Checked
      • Downloaded Applets
      • Downloaded Applications
      • Other Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Java Control Panel.
============


Reboot your computer and post a new log from Combofix.
Also post a new hijackthis log.

How is your computer running now?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#10 winconline

winconline
  • Topic Starter

  • Members
  • 18 posts
  • Gender:Male
  • Location:Toronto Ontario

Posted 12 November 2006 - 12:40 AM

OK ... here are both logs! I find the computer is very slow opening Outlook Express, and still popping up a few virus warnings from time to time with Symantec, but not nearly like it was. If I use MIE for anything, I still get the odd pop up, but I have the security set so high on there that it fails to load, and am now only using Mozilla.

Upon rebooting I get an error saying the following could not be loaded: C:\WINDOWS\system32\drvsew.dll

Other than that, all icons in the trays are gone, pop ups are far fewer than before ... I can see a light at the end of the tunnel!!!




___________________________________________________________________________

Reyn - 06-11-12 0:30:02.10 Service Pack 2
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\Reyn\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Program Files\STEM32~1
C:\QooBox\Purity\Program Files\STEM32~1\??stem32
C:\QooBox\Purity\WINDOWS\system32\ASEMBL~1


((((((((((((((((((((((((((((((( Files Created from 2006-10-12 to 2006-11-12 ))))))))))))))))))))))))))))))))))


2006-11-11 18:13 660,003 ---hs---- C:\WINDOWS\system32\gjjlm.bak2
2006-11-10 18:18 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-10 18:13 699,211 ---hs---- C:\WINDOWS\system32\gjjlm.bak1
2006-11-10 18:13 692,276 ---hs---- C:\WINDOWS\system32\mljjg.dll
2006-11-09 22:03 4,476 --a------ C:\WINDOWSvundofix.reg
2006-11-08 23:41 40,973 --------- C:\WINDOWS\system32\rqrqnol.dll
2006-11-08 00:29 40,973 --------- C:\WINDOWS\system32\urqnkkj.dll
2006-11-07 23:49 40,973 --------- C:\WINDOWS\system32\gebabxv.dll
2006-11-07 17:56 40,973 --------- C:\WINDOWS\system32\nnnolki.dll
2006-11-07 16:46 40,973 --------- C:\WINDOWS\system32\cbxwtuv.dll
2006-11-07 04:55 2 --------- C:\WINDOWS\system32\wnstscc.exe
2006-11-07 04:53 40,973 --------- C:\WINDOWS\system32\opnmkih.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-12 00:29 -------- d-------- C:\Program Files\Symantec AntiVirus
2006-11-12 00:28 -------- d-------- C:\Program Files\PestPatrol
2006-11-12 00:25 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-12 00:24 -------- d-------- C:\Program Files\Java
2006-11-12 00:23 -------- d-------- C:\Program Files\Common Files\Java
2006-11-12 00:23 -------- d-------- C:\Program Files\Common Files
2006-11-12 00:20 -------- d-------- C:\Program Files\Viewpoint
2006-11-10 18:18 -------- d-------- C:\Program Files\Grisoft
2006-11-08 23:46 -------- d-------- C:\Documents and Settings\Reyn\Application Data\Talkback
2006-11-08 23:45 -------- d-------- C:\Documents and Settings\Reyn\Application Data\Mozilla
2006-11-08 23:10 -------- d-------- C:\Program Files\SpywareBlaster
2006-11-08 22:46 -------- d-------- C:\Program Files\VSAdd-in
2006-11-07 17:50 -------- d-------- C:\Program Files\InterMute
2006-11-07 16:02 -------- d-------- C:\Program Files\Internet Explorer
2006-11-07 06:06 -------- d-------- C:\Program Files\Windows NT
2006-11-07 05:41 -------- d-------- C:\Program Files\Windows Media Player
2006-11-07 05:39 -------- d-------- C:\Program Files\Messenger
2006-11-07 05:34 -------- d-------- C:\Program Files\Common Files\Services
2006-11-07 04:59 -------- d-------- C:\Program Files\Corel
2006-11-07 04:48 3974 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2006-11-07 04:43 104 -r-hs---- C:\WINDOWS\system32\5CAD685368.sys
2006-11-04 14:29 -------- d-------- C:\Program Files\WinHTTrack
2006-10-25 15:14 -------- d-------- C:\Program Files\Timesheets Express
2006-09-27 19:22 -------- d-------- C:\Documents and Settings\Reyn\Application Data\Simple Star
2006-09-27 19:20 67 --a------ C:\Documents and Settings\Reyn\Application Data\photoshow_express_45_efigsj[1].txt
2006-09-27 19:16 -------- d-------- C:\Program Files\Simple Star
2006-09-27 19:16 -------- d-------- C:\Program Files\Common Files\Simple Star Shared
2006-09-27 18:04 -------- d-------- C:\Documents and Settings\Reyn\Application Data\Downloaded Installations
2006-09-27 10:47 -------- d-------- C:\Documents and Settings\Reyn\Application Data\Adobe
2006-09-23 17:59 -------- d-------- C:\Program Files\AIM
2006-09-21 17:02 -------- d-------- C:\Program Files\Common Files\Designer
2006-09-21 17:01 -------- d-------- C:\Program Files\Common Files\Corel
2006-09-21 16:59 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-19 01:33 -------- d-------- C:\Program Files\AOD
2006-09-17 16:34 -------- d-------- C:\Program Files\Google
2006-09-17 16:34 -------- d-------- C:\Documents and Settings\Reyn\Application Data\Macromedia
2006-09-13 00:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-12 21:08 -------- d-------- C:\Program Files\WS_FTP
2006-08-25 10:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 07:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 04:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 06:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Aim6"=""
"LogitechSoftwareUpdate"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot"
"Simple Star PhotoShow Media Manager"="C:\\PROGRA~1\\SIMPLE~1\\PHOTOS~1\\data\\Xtras\\mssysmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"PestPatrol Control Center"="C:\\PROGRA~1\\PESTPA~1\\PPControl.exe"
"PPMemCheck"="C:\\PROGRA~1\\PESTPA~1\\PPMemCheck.exe"
"CookiePatrol"="C:\\PROGRA~1\\PESTPA~1\\CookiePatrol.exe"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1154220229\\ee\\AOLSoftware.exe"
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe "
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"Share-to-Web Namespace Daemon"="c:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
@=""
"CTDrive"="rundll32.exe C:\\WINDOWS\\system32\\drvsew.dll,startup"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjg

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-11-12 0:31:17.70
C:\ComboFix.txt ... 06-11-12 00:31
C:\ComboFix2.txt ... 06-11-10 18:07
C:\ComboFix3.txt ... 06-11-09 22:17


__________________________________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 12:31:36 AM, on 11/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Common Files\AOL\1154220229\ee\AOLSoftware.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Reyn\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1154220229\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvsew.dll,startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Simple Star PhotoShow Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.meilingchows.com
O16 - DPF: {23B1D1AE-A29F-4AE2-B76E-CAB6E14811C4} (DHCPConfiguration Class) - http://eserv.sympatico.ca/netassistant/con...adaPortalAX.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

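
The R3/O4 lines Buckeye_Sam asked to have fixed in post #9, and the CTDrive Run value in the ComboFix and HijackThis logs just above, share a few traits that can be checked mechanically rather than by eye. The script below is an added example, not part of this thread and not a BleepingComputer or HijackThis tool. Its input is a constructed sample of lines copied from the logs in this thread, and SAMPLE_DISK / sample_exists are a constructed stand-in for what os.path.exists would report on that machine. It flags four things: hooks HijackThis already marks "(file missing)" or "(no file)"; paths containing "?" or non-ASCII characters ("?" is not a legal character in a Windows file name, so it only shows up in a logged path when the real, look-alike character could not be rendered); system binary names such as rundll32.exe or regsvr32.exe running from outside the Windows directory; and rundll32 Run values whose DLL no longer exists, which is exactly what produces the "could not be loaded" message reported for drvsew.dll after the anti-spyware tools removed the file but not the registry value.

```python
"""Triage helper for HijackThis-style startup entries (added example).

Not a HijackThis or BleepingComputer tool. Reads R3/O4 lines and flags the
traits a helper looks for by eye. Sample input is constructed from the logs
in this thread; SAMPLE_DISK is a constructed stand-in for the real disk.
"""
import ntpath  # Windows path handling, works on any host OS
import os
import re
from dataclasses import dataclass, field
from typing import Callable, Iterable, List

# Constructed sample input: lines copied from the thread's HijackThis logs.
SAMPLE_LINES = [
    r"R3 - URLSearchHook: (no name) - {BC290CE0-9E0F-C9AA-2AE7-B49EFB40559E} - C:\WINDOWS\system32\rhac.dll (file missing)",
    r"R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O4 - HKCU\..\Run: [Nazqjng] C:\Program Files\Common Files\s?stem32\r?gsvr32.exe",
    r'O4 - HKCU\..\Run: [Bpht] "C:\PROGRA~1\STEM32~1\rundll32.exe" -vt yazb',
    r"O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvsew.dll,startup",
]

# Constructed stand-in for the disk after the scanners quarantined drvsew.dll
# but left its Run value behind (lower-cased full paths that still exist).
SAMPLE_DISK = {
    r"c:\program files\common files\symantec shared\ccapp.exe",
    r"c:\progra~1\stem32~1\rundll32.exe",
    r"c:\windows\system32\rundll32.exe",
}

# Executables that legitimately live only under the Windows directory.
SYSTEM_BINARIES = {"rundll32.exe", "regsvr32.exe", "svchost.exe", "explorer.exe", "lsass.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

# A Windows path: drive letter, then the shortest run up to a PE-style extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll|sys|scr|cpl)', re.IGNORECASE)
# "rundll32.exe <dll>,<entrypoint>": the DLL is what actually runs at logon.
RUNDLL_RE = re.compile(r"rundll32\.exe[\"']?\s+(?P<dll>[^,\s]+\.dll)", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    flags: List[str] = field(default_factory=list)


def _odd_characters(path: str) -> List[str]:
    """Characters that cannot be part of a real Windows file name as logged."""
    return sorted({c for c in path if ord(c) > 0x7F or c == "?"})


def triage_line(line: str, exists: Callable[[str], bool]) -> Finding:
    finding = Finding(line)
    lower = line.lower()
    if "(file missing)" in lower or "(no file)" in lower:
        finding.flags.append("orphaned entry: the hook's file is gone, the registry value is not")
    for path in PATH_RE.findall(line):
        odd = _odd_characters(path)
        if odd:
            finding.flags.append("unrenderable or look-alike character(s) %s in %s" % (odd, path))
        base = ntpath.basename(path).lower()
        directory = ntpath.dirname(path).lower()
        if base in SYSTEM_BINARIES and directory not in SYSTEM_DIRS:
            finding.flags.append(f"system binary name {base} running from {directory!r}")
    match = RUNDLL_RE.search(line)
    if match:
        dll = match.group("dll").strip('"')
        if not exists(dll):
            finding.flags.append(f"rundll32 target {dll} is missing: this Run value is orphaned and will error at logon")
    return finding


def triage(lines: Iterable[str], exists: Callable[[str], bool] = os.path.exists) -> List[Finding]:
    """Return only the entries that earned at least one flag."""
    return [f for f in (triage_line(line, exists) for line in lines) if f.flags]


def sample_exists(path: str) -> bool:
    """Constructed replacement for os.path.exists, driven by SAMPLE_DISK."""
    return path.lower() in SAMPLE_DISK


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES, exists=sample_exists):
        print(finding.line)
        for flag in finding.flags:
            print("   ->", flag)
```

Run as-is it reports five of the six sample lines and leaves the legitimate ccApp entry alone; to triage a fresh log on the affected machine, pass the file's lines to triage() and leave exists at its default so the missing-DLL check looks at the real disk.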
#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 12 November 2006 - 10:25 PM

It doesn't appear that Killbox took care of those files a few steps ago. This step should take care of what's left.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:

C:\WINDOWS\system32\gjjlm.bak2
C:\WINDOWS\system32\gjjlm.bak1
C:\WINDOWS\system32\gjjlm.ini2
C:\WINDOWS\system32\gjjlm.ini1
C:\WINDOWS\system32\gjjlm.tmp
C:\WINDOWS\system32\mljjg.dll
C:\WINDOWS\system32\rqrqnol.dll
C:\WINDOWS\system32\urqnkkj.dll
C:\WINDOWS\system32\gebabxv.dll
C:\WINDOWS\system32\nnnolki.dll
C:\WINDOWS\system32\cbxwtuv.dll
C:\WINDOWS\system32\wnstscc.exe
C:\WINDOWS\system32\opnmkih.dll

Folders to delete:

C:\Program Files\Viewpoint
C:\Program Files\VSAdd-in



Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#12 winconline

winconline
  • Topic Starter

  • Members
  • 18 posts
  • Gender:Male
  • Location:Toronto Ontario
  • Local time:08:25 AM

Posted 12 November 2006 - 11:35 PM

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Error: selected file does not appear to be a valid script.
Error code: 1114


It didn't want to do anything ... did I do something wrong?

#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:25 AM

Posted 13 November 2006 - 05:38 PM

You have to be sure that you include all of the text in that box. Do you have "Files to delete:" copied?


========================================================

#14 winconline

winconline
  • Topic Starter

  • Members
  • 18 posts
  • Gender:Male
  • Location:Toronto Ontario
  • Local time:08:25 AM

Posted 14 November 2006 - 03:35 PM

Yep - I screwed up :thumbsup:

Here it is!




Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\butphqmu

*******************

Script file located at: \??\C:\WINDOWS\system32\nkbiobtn.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\gjjlm.bak2 deleted successfully.
File C:\WINDOWS\system32\gjjlm.bak1 deleted successfully.


File C:\WINDOWS\system32\gjjlm.ini2 not found!
Deletion of file C:\WINDOWS\system32\gjjlm.ini2 failed!

Could not process line:
C:\WINDOWS\system32\gjjlm.ini2
Status: 0xc0000034



File C:\WINDOWS\system32\gjjlm.ini1 not found!
Deletion of file C:\WINDOWS\system32\gjjlm.ini1 failed!

Could not process line:
C:\WINDOWS\system32\gjjlm.ini1
Status: 0xc0000034



File C:\WINDOWS\system32\gjjlm.tmp not found!
Deletion of file C:\WINDOWS\system32\gjjlm.tmp failed!

Could not process line:
C:\WINDOWS\system32\gjjlm.tmp
Status: 0xc0000034

File C:\WINDOWS\system32\mljjg.dll deleted successfully.
File C:\WINDOWS\system32\rqrqnol.dll deleted successfully.
File C:\WINDOWS\system32\urqnkkj.dll deleted successfully.
File C:\WINDOWS\system32\gebabxv.dll deleted successfully.
File C:\WINDOWS\system32\nnnolki.dll deleted successfully.
File C:\WINDOWS\system32\cbxwtuv.dll deleted successfully.
File C:\WINDOWS\system32\wnstscc.exe deleted successfully.
File C:\WINDOWS\system32\opnmkih.dll deleted successfully.
Folder C:\Program Files\Viewpoint deleted successfully.
Folder C:\Program Files\VSAdd-in deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\cclihigh

*******************

Script file located at: \??\C:\WINDOWS\system32\acucnscw.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\gjjlm.bak2 not found!
Deletion of file C:\WINDOWS\system32\gjjlm.bak2 failed!

Could not process line:
C:\WINDOWS\system32\gjjlm.bak2
Status: 0xc0000034



File C:\WINDOWS\system32\gjjlm.bak1 not found!
Deletion of file C:\WINDOWS\system32\gjjlm.bak1 failed!

Could not process line:
C:\WINDOWS\system32\gjjlm.bak1
Status: 0xc0000034



File C:\WINDOWS\system32\gjjlm.ini2 not found!
Deletion of file C:\WINDOWS\system32\gjjlm.ini2 failed!

Could not process line:
C:\WINDOWS\system32\gjjlm.ini2
Status: 0xc0000034



File C:\WINDOWS\system32\gjjlm.ini1 not found!
Deletion of file C:\WINDOWS\system32\gjjlm.ini1 failed!

Could not process line:
C:\WINDOWS\system32\gjjlm.ini1
Status: 0xc0000034



File C:\WINDOWS\system32\gjjlm.tmp not found!
Deletion of file C:\WINDOWS\system32\gjjlm.tmp failed!

Could not process line:
C:\WINDOWS\system32\gjjlm.tmp
Status: 0xc0000034



File C:\WINDOWS\system32\mljjg.dll not found!
Deletion of file C:\WINDOWS\system32\mljjg.dll failed!

Could not process line:
C:\WINDOWS\system32\mljjg.dll
Status: 0xc0000034



File C:\WINDOWS\system32\rqrqnol.dll not found!
Deletion of file C:\WINDOWS\system32\rqrqnol.dll failed!

Could not process line:
C:\WINDOWS\system32\rqrqnol.dll
Status: 0xc0000034



File C:\WINDOWS\system32\urqnkkj.dll not found!
Deletion of file C:\WINDOWS\system32\urqnkkj.dll failed!

Could not process line:
C:\WINDOWS\system32\urqnkkj.dll
Status: 0xc0000034



File C:\WINDOWS\system32\gebabxv.dll not found!
Deletion of file C:\WINDOWS\system32\gebabxv.dll failed!

Could not process line:
C:\WINDOWS\system32\gebabxv.dll
Status: 0xc0000034



File C:\WINDOWS\system32\nnnolki.dll not found!
Deletion of file C:\WINDOWS\system32\nnnolki.dll failed!

Could not process line:
C:\WINDOWS\system32\nnnolki.dll
Status: 0xc0000034



File C:\WINDOWS\system32\cbxwtuv.dll not found!
Deletion of file C:\WINDOWS\system32\cbxwtuv.dll failed!

Could not process line:
C:\WINDOWS\system32\cbxwtuv.dll
Status: 0xc0000034



File C:\WINDOWS\system32\wnstscc.exe not found!
Deletion of file C:\WINDOWS\system32\wnstscc.exe failed!

Could not process line:
C:\WINDOWS\system32\wnstscc.exe
Status: 0xc0000034



File C:\WINDOWS\system32\opnmkih.dll not found!
Deletion of file C:\WINDOWS\system32\opnmkih.dll failed!

Could not process line:
C:\WINDOWS\system32\opnmkih.dll
Status: 0xc0000034



Folder C:\Program Files\Viewpoint not found!
Deletion of folder C:\Program Files\Viewpoint failed!

Could not process line:
C:\Program Files\Viewpoint
Status: 0xc0000034



Folder C:\Program Files\VSAdd-in not found!
Deletion of folder C:\Program Files\VSAdd-in failed!

Could not process line:
C:\Program Files\VSAdd-in
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

_________________________________________________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 3:31:45 PM, on 11/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Common Files\AOL\1154220229\ee\AOLSoftware.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Logitech\Video\ManifestEngine.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Reyn\Desktop\HijackThis.exe

O2 - BHO: (no name) - {00EB0A1A-DB9D-4BB9-8A69-395F88484596} - C:\WINDOWS\system32\mljjg.dll (file missing)
O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {BC290CE0-9E0F-C9AA-2AE7-B49EFB40559E} - (no file)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1154220229\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvsew.dll,startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Simple Star PhotoShow Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.meilingchows.com
O16 - DPF: {23B1D1AE-A29F-4AE2-B76E-CAB6E14811C4} (DHCPConfiguration Class) - http://eserv.sympatico.ca/netassistant/con...adaPortalAX.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: mljjg - C:\WINDOWS\system32\mljjg.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
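
The two Avenger runs pasted above tell one story that is easy to misread: the first run deleted every file and folder it could find, and the second run reports every line as "not found!" with status 0xc0000034 only because the first run had already removed them. The following script is an added example (not part of this thread, and not code from The Avenger) that parses logs in the format shown above and reconciles repeated runs into a single verdict per path, so a "not found" after a successful deletion is reported as harmless rather than as a failure. It assumes the status line always follows the "Deletion of ... failed!" line as it does in the log above, and the mapping of 0xc0000034 to STATUS_OBJECT_NAME_NOT_FOUND is the standard NTSTATUS definition. The sample log embedded in the script is a constructed excerpt of the one posted.

```python
"""Reconcile one or more Avenger logs into a per-path verdict.

Added example for this thread; it is not The Avenger's own code. The log
format is taken from the log posted above. 0xc0000034 is the NTSTATUS value
STATUS_OBJECT_NAME_NOT_FOUND, i.e. the path no longer existed when the script
ran, which is exactly what a second run after a successful first run produces.
"""
import re

# NTSTATUS codes that Avenger reports on failed lines.
NTSTATUS_NAMES = {
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
}

# Constructed sample: a short excerpt mirroring the two back-to-back runs
# posted above (run 1 deletes, run 2 finds nothing left).
SAMPLE_LOG = r"""
Logfile of The Avenger version 1, by Swandog46
Beginning to process script file:

File C:\WINDOWS\system32\gjjlm.bak2 deleted successfully.

File C:\WINDOWS\system32\gjjlm.tmp not found!
Deletion of file C:\WINDOWS\system32\gjjlm.tmp failed!

Could not process line:
C:\WINDOWS\system32\gjjlm.tmp
Status: 0xc0000034

Folder C:\Program Files\Viewpoint deleted successfully.

Completed script processing.
Finished! Terminate.
Logfile of The Avenger version 1, by Swandog46
Beginning to process script file:

File C:\WINDOWS\system32\gjjlm.bak2 not found!
Deletion of file C:\WINDOWS\system32\gjjlm.bak2 failed!

Could not process line:
C:\WINDOWS\system32\gjjlm.bak2
Status: 0xc0000034

Completed script processing.
Finished! Terminate.
"""

RUN_START = "Logfile of The Avenger"
DELETED_RE = re.compile(r"^(File|Folder) (.+?) deleted successfully\.$")
FAILED_RE = re.compile(r"^Deletion of (file|folder) (.+?) failed!$")
STATUS_RE = re.compile(r"^Status: (0x[0-9a-fA-F]+)$")


def parse_avenger_log(text):
    """Return one dict per run: {'deleted': [paths], 'failed': {path: status name}}."""
    runs = []
    current = None
    pending = None  # path from the last 'Deletion of ... failed!' line, awaiting its Status
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(RUN_START):
            current = {"deleted": [], "failed": {}}
            runs.append(current)
            pending = None
            continue
        if current is None:
            continue
        m = DELETED_RE.match(line)
        if m:
            current["deleted"].append(m.group(2))
            continue
        m = FAILED_RE.match(line)
        if m:
            pending = m.group(2)
            current["failed"][pending] = "unknown"
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            code = int(m.group(1), 16)
            current["failed"][pending] = NTSTATUS_NAMES.get(code, m.group(1))
            pending = None
    return runs


def reconcile(runs):
    """Collapse all runs into a final verdict per path.

    'deleted'  - some run removed it (a later 'not found' is then harmless);
    'absent'   - never deleted, and every attempt said the path was already gone;
    'failed (...)' - a real failure with the status Avenger reported.
    """
    verdict = {}
    for run in runs:
        for path in run["deleted"]:
            verdict[path] = "deleted"
        for path, status in run["failed"].items():
            if verdict.get(path) == "deleted":
                continue
            if status == "STATUS_OBJECT_NAME_NOT_FOUND":
                verdict.setdefault(path, "absent")
            else:
                verdict[path] = "failed (" + status + ")"
    return verdict


if __name__ == "__main__":
    for path, result in reconcile(parse_avenger_log(SAMPLE_LOG)).items():
        print(f"{result:10s} {path}")
```

Paths that come out as "absent" are the ones worth a second look: they were never deleted by any run, so either an earlier tool (Killbox in this thread) already removed them or the script line had a typo. Anything reported as "failed (...)" with a status other than STATUS_OBJECT_NAME_NOT_FOUND is a genuine deletion failure.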

#15 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:25 AM

Posted 14 November 2006 - 07:38 PM

It's a common ooops. :thumbsup:

Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

O2 - BHO: (no name) - {00EB0A1A-DB9D-4BB9-8A69-395F88484596} - C:\WINDOWS\system32\mljjg.dll (file missing)
O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - (no file)
O2 - BHO: (no name) - {BC290CE0-9E0F-C9AA-2AE7-B49EFB40559E} - (no file)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - (no file)
O20 - Winlogon Notify: mljjg - C:\WINDOWS\system32\mljjg.dll (file missing)



Reboot your computer.


We should be nearly done, but let's just be sure there are no leftovers that we missed.


Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new hijackthis log.
Let me know how your computer is working now and any problems that you are still having.


========================================================
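
The five lines Buckeye_Sam picks out above share one property: HijackThis itself marks each of them "(no file)" or "(file missing)", meaning the registry entry (a BHO CLSID or a Winlogon Notify package) still exists but the DLL it pointed at is gone, typically because the deletion step just removed it. Those orphaned registrations are what "Fix Checked" cleans up. The script below is an added example, not part of this thread and not HijackThis code, that applies the same selection rule over an HJT log so the leftover entries can be listed mechanically; it assumes the line layout of the v1.99.1 log posted above, and the embedded sample is a constructed excerpt of that log.

```python
"""Flag HijackThis entries whose target file no longer exists.

Added example for this thread, not HijackThis's own code. The selection
rule mirrors the one used by hand in the post above: O2 (Browser Helper
Object) and O20 (Winlogon Notify) entries that HijackThis annotates with
'(no file)' or '(file missing)' are orphaned registrations left behind
after the DLL they referenced was deleted.
"""
import re

# Constructed excerpt of the HijackThis v1.99.1 log posted above.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {00EB0A1A-DB9D-4BB9-8A69-395F88484596} - C:\WINDOWS\system32\mljjg.dll (file missing)
O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {BC290CE0-9E0F-C9AA-2AE7-B49EFB40559E} - (no file)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: mljjg - C:\WINDOWS\system32\mljjg.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")          # "O2 - BHO: ..." -> ("O2", "BHO: ...")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")      # CLSID in braces
ORPHAN_MARKERS = ("(no file)", "(file missing)")   # HijackThis's own annotations


def parse_hjt(text):
    """Return (section, body) tuples for every 'Oxx - ...' line in the log."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def orphaned_entries(text, sections=("O2", "O20")):
    """Full HJT lines in the given sections whose target file HijackThis reports missing.

    Entries that point at a present file (the Java SSVHelper BHO, WgaLogon)
    are deliberately left alone: a missing file is the signal here, not a
    missing name.
    """
    flagged = []
    for section, body in parse_hjt(text):
        if section in sections and body.endswith(ORPHAN_MARKERS):
            flagged.append(f"{section} - {body}")
    return flagged


def orphan_guids(text):
    """CLSIDs of orphaned BHO registrations, normalised to upper case.

    These are the registry keys that remain after the DLL is gone, which is
    why the entries survive a file-deletion step and need a separate fix.
    """
    guids = []
    for line in orphaned_entries(text, sections=("O2",)):
        m = GUID_RE.search(line)
        if m:
            guids.append(m.group(0).upper())
    return guids


if __name__ == "__main__":
    for line in orphaned_entries(SAMPLE_HJT):
        print(line)
```

Run against the sample, the flagged list is exactly the five lines in the post above and nothing else; the legitimate Java and WgaLogon entries in the same sections are not touched because their files exist. The rule is deliberately narrow: an entry with "(no name)" but a present file would still need a human to judge it.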



