
Help, Did What I Could


  • This topic is locked
44 replies to this topic

#1 Hguzman


  • Members
  • 66 posts

Posted 13 November 2006 - 03:23 PM

After trying everything that is suggested here, here is my HijackThis log:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mcdinet/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://mcdinet/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://farm.thinktarget.com/partners/ams/r...&o=0&q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://farm.thinktarget.com/partners/ams/r...&o=0&q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\dvygf.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,nqfkqwb.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_22.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Jffdjljo Class - {A16AC1F4-BCA7-4401-B5F5-22240F78E776} - C:\WINDOWS\system32\p2jlseh8.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [EPSON Stylus C62 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P32 "EPSON Stylus C62 Series (Copy 1)" /O6 "USB001" /M "Stylus C62"
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - HKLM\..\Run: [Redirector] C:\Program Files\Lantronix\Redirector\red32.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: zabbix_rep.lnk = C:\Documents and Settings\All Users\zabbix_rep.exe
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} -
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\lotus\notes\nslsvice.exe
O23 - Service: LpsSearchSvc - Lenel Systems International Inc. - C:\Program Files\Common Files\Lenel\LpsSearchSvc.exe
O23 - Service: LS Communication Server - Lenel Systems International Inc. - C:\Program Files\OnGuard\Lnlcomsrvr.exe
O23 - Service: LS DataExchange Server - Lenel Systems International, Inc. - C:\Program Files\OnGuard\DataExchangeService.exe
O23 - Service: LS Global Output Server - Lenel Systems International Inc. - C:\Program Files\OnGuard\GOSServer.exe
O23 - Service: LS License Server - Lenel Systems International, Inc. - C:\Program Files\OnGuard\LicenseServer.exe
O23 - Service: LS Linkage Server - Lenel Systems International Inc. - C:\Program Files\OnGuard\LSLServer.exe
O23 - Service: LS Login Driver - Lenel Systems International - C:\Program Files\OnGuard\logindrvr.exe
O23 - Service: LS OpenIT Message Queue Server - Lenel Systems International, Inc. - C:\Program Files\OnGuard\OpenITQueueServer.exe
O23 - Service: LS OpenIT Service - Lenel Systems International Inc. - C:\Program Files\OnGuard\WMIService.exe
O23 - Service: LS Replicator - Lenel Systems International Inc. - C:\Program Files\OnGuard\Replicator.exe
O23 - Service: LS Video Archive Server - Lenel Systems International, Inc. - C:\Program Files\OnGuard\LnlVideoComSrvr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\lotus\notes\ntmulti.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

I have Spybot - Search & Destroy, RegCure and XoftSpySE, and windows are still popping up. I think I am still infected.

What should I do?
Thanks for the help.
Hiram


#2 Hguzman

  • Topic Starter

  • Members
  • 66 posts

Posted 14 November 2006 - 07:51 AM

Here is my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 7:47:29 AM, on 11/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\lotus\notes\nslsvice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Lenel\LpsSearchSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\lotus\notes\ntmulti.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\OnGuard\LicenseServer.exe
C:\Program Files\OnGuard\logindrvr.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lantronix\Redirector\red32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Lotus\Notes\NLNOTES.EXE
C:\Lotus\Notes\ntaskldr.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Hiram Guzman.MCD_CORP\Desktop\HijackThis_v1.99.1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mcdinet/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://mcdinet/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://farm.thinktarget.com/partners/ams/r...&o=0&q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://farm.thinktarget.com/partners/ams/r...&o=0&q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\dvygf.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,nqfkqwb.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_22.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Jffdjljo Class - {A16AC1F4-BCA7-4401-B5F5-22240F78E776} - C:\WINDOWS\system32\p2jlseh8.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [EPSON Stylus C62 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P32 "EPSON Stylus C62 Series (Copy 1)" /O6 "USB001" /M "Stylus C62"
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - HKLM\..\Run: [Redirector] C:\Program Files\Lantronix\Redirector\red32.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: zabbix_rep.lnk = C:\Documents and Settings\All Users\zabbix_rep.exe
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} -
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\lotus\notes\nslsvice.exe
O23 - Service: LpsSearchSvc - Lenel Systems International Inc. - C:\Program Files\Common Files\Lenel\LpsSearchSvc.exe
O23 - Service: LS Communication Server - Lenel Systems International Inc. - C:\Program Files\OnGuard\Lnlcomsrvr.exe
O23 - Service: LS DataExchange Server - Lenel Systems International, Inc. - C:\Program Files\OnGuard\DataExchangeService.exe
O23 - Service: LS Global Output Server - Lenel Systems International Inc. - C:\Program Files\OnGuard\GOSServer.exe
O23 - Service: LS License Server - Lenel Systems International, Inc. - C:\Program Files\OnGuard\LicenseServer.exe
O23 - Service: LS Linkage Server - Lenel Systems International Inc. - C:\Program Files\OnGuard\LSLServer.exe
O23 - Service: LS Login Driver - Lenel Systems International - C:\Program Files\OnGuard\logindrvr.exe
O23 - Service: LS OpenIT Message Queue Server - Lenel Systems International, Inc. - C:\Program Files\OnGuard\OpenITQueueServer.exe
O23 - Service: LS OpenIT Service - Lenel Systems International Inc. - C:\Program Files\OnGuard\WMIService.exe
O23 - Service: LS Replicator - Lenel Systems International Inc. - C:\Program Files\OnGuard\Replicator.exe
O23 - Service: LS Video Archive Server - Lenel Systems International, Inc. - C:\Program Files\OnGuard\LnlVideoComSrvr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\lotus\notes\ntmulti.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
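The F2 Shell=/UserInit= lines, the orphaned and system32-resident BHOs, and the O10 New.Net entries in the logs above are the persistence and Winsock hooks a helper looks at first. The script below is an added example (not HijackThis, ComboFix or the forum's own code): it parses that line format and flags those entries with a few defender heuristics; the sample lines are copied from the log above, and the heuristics themselves are assumptions, not HijackThis logic.

```python
"""Flag suspicious persistence entries in a HijackThis v1.99 log.

Added example, not HijackThis, ComboFix or BleepingComputer code. It
parses the "Oxx - ..." line format shown in the thread and applies a
few assumed defender heuristics to the persistence-related sections:

  F2  system.ini Shell=/UserInit= mappings carrying extra executables
  O2  Browser Helper Objects with no file on disk, or loaded from system32
  O4  autostart entries whose target sits in a user-writable location
  O10 Winsock LSP entries (always worth a look)

The sample lines below are copied from the log posted in this thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mcdinet/
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\dvygf.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,nqfkqwb.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - (no file)
O2 - BHO: Jffdjljo Class - {A16AC1F4-BCA7-4401-B5F5-22240F78E776} - C:\WINDOWS\system32\p2jlseh8.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Startup: zabbix_rep.lnk = C:\Documents and Settings\All Users\zabbix_rep.exe
O10 - Hijacked Internet access by New.Net
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""


@dataclass
class Finding:
    section: str
    reason: str
    line: str


LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
F2_RE = re.compile(r"REG:system\.ini:\s*(?P<key>Shell|UserInit)=(?P<value>.*)$", re.I)
O2_RE = re.compile(r"BHO: (?P<name>.*) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
# Locations an unprivileged user (or malware running as one) can write to.
USER_WRITABLE_RE = re.compile(r"\\Documents and Settings\\|\\Temp\\|\\Local Settings\\", re.I)
# Only these binaries belong in the Shell= and UserInit= logon mappings.
EXPECTED_LOGON = {"shell": "explorer.exe", "userinit": "userinit.exe"}


def extra_logon_executables(key: str, value: str) -> List[str]:
    """Return the entries of a Shell=/UserInit= value other than the expected one."""
    expected = EXPECTED_LOGON[key.lower()]
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower().rsplit("\\", 1)[-1] != expected]


def check(section: str, body: str) -> Optional[str]:
    """Return a reason string if the entry looks suspicious, else None."""
    if section == "F2":
        m = F2_RE.match(body)
        if m:
            extra = extra_logon_executables(m["key"], m["value"])
            if extra:
                return f"{m['key']}= launches extra executable(s) at logon: {', '.join(extra)}"
    elif section == "O2":
        m = O2_RE.match(body)
        if m and m["path"] == "(no file)":
            return "orphaned BHO registration (DLL missing); safe to clean up"
        if m and "\\system32\\" in m["path"].lower():
            return "BHO loaded from system32; legitimate BHOs normally install under Program Files"
    elif section == "O4":
        if USER_WRITABLE_RE.search(body):
            return "autostart target in a user-writable location"
    elif section == "O10":
        return "Winsock LSP chain modified by a third party; review before removal"
    return None


def analyze(log_text: str) -> List[Finding]:
    """Run every parsable log line through check() and collect the hits."""
    findings = []
    for raw in log_text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        reason = check(m["section"], m["body"])
        if reason:
            findings.append(Finding(m["section"], reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```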

#3 Buckeye_Sam


    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 14 November 2006 - 10:26 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you.

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


I also need to see a different type of log from HijackThis:
  • Run Hijackthis.
  • Click on "Open the Misc Tools section".
  • Next click on "Open uninstall manager".
  • Press the button 'save list'. It will open a Notepad file.
  • Place the content of that file here in your next reply.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#4 Hguzman

  • Topic Starter

  • Members
  • 66 posts

Posted 14 November 2006 - 01:29 PM

Sam,
Thanks for your help.
Here is the ComboFix log:
Hiram Guzman - 05-11-14 13:13:29.15 Service Pack 2
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\Hiram Guzman.MCD_CORP\Desktop"

((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *


O4 - HKCU\...\Run C:\WINDOWS\system32\mmhcgr.exe
O4 - HKLM\...\Run C:\WINDOWS\system32\mmhcgr.exe
F2 -REG:system.ini: Shell C:\WINDOWS\system32\dvygf.exe
F2 -REG:system.ini: UserInit C:\WINDOWS\system32\nqfkqwb.exe


* * * PRE-RUN - Filepaths extracted by Memory Dump * * * * * * * * * * * * * * * * * * * * * *


C:\WINDOWS\system32\mmhcgr.exe
C:\WINDOWS\system32\sthcwam.dll
C:\WINDOWS\system32\nqfkqwb.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ettdm.exe
C:\WINDOWS\khojw.dll
C:\WINDOWS\system32\rjwfr.dat
C:\WINDOWS\system32\dvygf.exe


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


06-11-13 14:52 127488 ettdm.exe.qoo
06-11-11 14:59 127488 rjwfr.dat.qoo
06-11-11 14:59 127488 mmhcgr.exe.qoo
06-11-11 14:59 51712 sthcwam.dll.qoo
05-11-13 13:54 28672 dvygf.exe.qoo
06-11-13 13:24 23552 nqfkqwb.exe.qoo
05-11-14 13:10 374 khojw.dll.qoo
06-11-12 14:29 53 neqcvq.dat.qoo

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Hiram Guzman.MCD_CORP\Application Data\Dxccwrd.dll
C:\Documents and Settings\Hiram Guzman.MCD_CORP\Application Data\Dxcdmns.dll
C:\Documents and Settings\Hiram Guzman.MCD_CORP\Application Data\Dxcknwrd.dll
C:\Documents and Settings\Hiram Guzman.MCD_CORP\Application Data\Dxcuknwrd.dll
C:\Program Files\DeluxeCommunications\DxcCore.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\dfndrff_e54.exe
C:\dfndrff_e55.exe
C:\deskbar_e55.exe
C:\kybrdff_e54.exe
C:\kybrdff_e55.exe
C:\MTE3NDI6ODoxNg12112006.exe
C:\MTE3NDI6ODoxNgMTE3NDI6ODoxNg.exe
C:\nwnmff_e54.exe
C:\nwnmff_e55.exe
C:\WINDOWS\offun.exe
C:\Program Files\Common Files\Yazzle1409OinAdmin.exe
C:\Program Files\Common Files\Yazzle1409OinUninstaller.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\system32\w005f880.dll
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Program Files\batty2
C:\Program Files\network monitor

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Hiram Guzman.MCD_CORP\My Documents\FNTS~1
C:\QooBox\Purity\WINDOWS\CURITY~1
C:\QooBox\Purity\WINDOWS\SMBOLS~1
C:\QooBox\Purity\WINDOWS\CURITY~1\r?gedit.exe
C:\QooBox\Purity\WINDOWS\SMBOLS~1\dllhost.exe
C:\QooBox\Purity\WINDOWS\SMBOLS~1\s?mbols
C:\QooBox\Purity\WINDOWS\system32\STEM32~1
C:\QooBox\Purity\WINDOWS\system32\STEM32~1\fast.exe
C:\QooBox\Purity\WINDOWS\system32\STEM32~1\??stem32
C:\QooBox\Purity\WINDOWS\system32\STEM32~1\??stem32\!update-4200.0000


((((((((((((((((((((((((((((((( Files Created from 2005-10-14 to 2005-11-14 ))))))))))))))))))))))))))))))))))


2005-11-29 12:42 26,496 --a------ C:\WINDOWS\system32\drivers\USBSTOR.SYS
2005-11-23 15:59 81,920 --------- C:\WINDOWS\system32\bwplay.exe
2005-11-23 15:59 200,704 --a------ C:\WINDOWS\system32\Bwbits50.dll
2005-11-23 15:59 20,992 --a------ C:\WINDOWS\system32\bwntsend.dll
2005-11-23 15:59 181,760 --a------ C:\WINDOWS\system32\patchw32.dll
2005-11-23 15:59 16,896 --a------ C:\WINDOWS\system32\bwnthook.dll
2005-11-23 15:59 116,736 --a------ C:\WINDOWS\system32\patchw.dll
2005-11-14 22:52 98,304 --a------ C:\WINDOWS\system32\tsccvid.dll
2005-11-10 10:03 61,490 --a------ C:\WINDOWS\system32\nwnspR32.dll
2005-11-10 10:00 155,648 --a------ C:\WINDOWS\system32\XESPJL.DLL
2005-11-07 13:42 9,817 --a------ C:\WINDOWS\system32\drivers\eacfilt.sys
2005-11-07 13:42 38,939 --a------ C:\WINDOWS\system32\eacfilt.dll
2005-11-07 13:42 32,837 --------- C:\WINDOWS\system32\exthook.dll
2005-11-07 13:42 117,760 --a------ C:\WINDOWS\system32\drivers\ipsecw2k.sys
2005-11-07 09:57 83,168 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2005-11-07 09:57 82,832 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2005-11-07 09:52 49,244 --a------ C:\WINDOWS\system32\nmasmsg.dll
2005-11-07 09:52 24,672 --a------ C:\WINDOWS\system32\ncc.exe
2005-11-07 09:52 221,276 --a------ C:\WINDOWS\system32\nmasncp.dll
2005-11-07 09:52 122,966 --a------ C:\WINDOWS\system32\nmas.dll
2005-11-07 09:51 880,640 --------- C:\WINDOWS\system32\ccsw32.dll
2005-11-07 09:05 77,824 --a------ C:\WINDOWS\system32\cwbuncob.dll
2005-11-07 09:05 73,728 --a------ C:\WINDOWS\system32\cwbunvba.dll
2005-11-07 09:05 61,440 --a------ C:\WINDOWS\system32\cwbunapi.dll
2005-11-07 09:05 57,344 --a------ C:\WINDOWS\system32\cwbmwpip.dll
2005-11-07 09:05 409,600 --a------ C:\WINDOWS\system32\cwbtfutl.dll
2005-11-07 09:05 36,864 --a------ C:\WINDOWS\system32\cwbmwmai.dll
2005-11-07 09:05 307,250 --a------ C:\WINDOWS\system32\cwbaffax.dll
2005-11-07 09:05 274,482 --a------ C:\WINDOWS\system32\cwbtfcrt.dll
2005-11-07 09:05 251 --a------ C:\WINDOWS\system32\drivers\hlldrvr.sys
2005-11-07 09:05 24,576 --a------ C:\WINDOWS\system32\cwbmwhst.dll
2005-11-07 09:05 24,576 --a------ C:\WINDOWS\system32\cwbmwcat.dll
2005-11-07 09:05 229,376 --a------ C:\WINDOWS\system32\cwbsogld.dll
2005-11-07 09:05 229,376 --a------ C:\WINDOWS\system32\cwbmwa32.dll
2005-11-07 09:05 212,992 --a------ C:\WINDOWS\system32\cwbmwutl.dll
2005-11-07 09:05 20,480 --a------ C:\WINDOWS\cwbmwsvr.exe
2005-11-07 09:05 17,408 --a------ C:\WINDOWS\system32\pcmfcenu.dll
2005-11-07 09:05 159,794 --a------ C:\WINDOWS\system32\cwbtfdlg.dll
2005-11-07 09:05 135,168 --a------ C:\WINDOWS\system32\cwbmwx32.dll
2005-11-07 09:05 114,688 --a------ C:\WINDOWS\system32\cwbmwprt.dll
2005-11-07 09:05 114,688 --a------ C:\WINDOWS\system32\cwbmwprp.dll
2005-11-07 09:05 110,592 --a------ C:\WINDOWS\system32\cwbmwmim.dll
2005-11-07 09:05 107,520 --a------ C:\WINDOWS\system32\ltscmn10.dll
2005-11-07 09:04 98,351 --a------ C:\WINDOWS\system32\cwbnl.dll
2005-11-07 09:04 98,351 --a------ C:\WINDOWS\system32\cwbcf.dll
2005-11-07 09:04 98,304 --a------ C:\WINDOWS\system32\cwbsocmn.dll
2005-11-07 09:04 98,304 --a------ C:\WINDOWS\system32\cwbprt.dll
2005-11-07 09:04 90,112 --a------ C:\WINDOWS\system32\bidiserv.dll
2005-11-07 09:04 89,488 --a------ C:\WINDOWS\system32\cwbsosmp.dll
2005-11-07 09:04 81,920 --a------ C:\WINDOWS\system32\qxdaedrs.dll
2005-11-07 09:04 73,728 --a------ C:\WINDOWS\system32\cwbbspc.dll
2005-11-07 09:04 69,632 --a------ C:\WINDOWS\system32\cwbuncon.dll
2005-11-07 09:04 69,632 --a------ C:\WINDOWS\system32\cwbbsspi.dll
2005-11-07 09:04 69,632 --a------ C:\WINDOWS\system32\cwbadnrt.dll
2005-11-07 09:04 65,583 --a------ C:\WINDOWS\system32\cwbrc.dll
2005-11-07 09:04 65,536 --a------ C:\WINDOWS\system32\cwbsoltr.dll
2005-11-07 09:04 65,536 --a------ C:\WINDOWS\system32\cwbsolet.dll
2005-11-07 09:04 61,440 --a------ C:\WINDOWS\system32\cwbmsgl.dll
2005-11-07 09:04 53,248 --a------ C:\WINDOWS\system32\cwbup.dll
2005-11-07 09:04 53,248 --a------ C:\WINDOWS\system32\cwbunssl.dll
2005-11-07 09:04 53,248 --a------ C:\WINDOWS\system32\cwbsoswp.dll
2005-11-07 09:04 53,248 --a------ C:\WINDOWS\system32\cwbad.dll
2005-11-07 09:04 53,248 --a------ C:\WINDOWS\cwbrxd.exe
2005-11-07 09:04 49,152 --a------ C:\WINDOWS\system32\cwbjbl.dll
2005-11-07 09:04 487,424 --a------ C:\WINDOWS\system32\cwbuna4d.dll
2005-11-07 09:04 454,656 --a------ C:\WINDOWS\system32\cwbsofui.dll
2005-11-07 09:04 45,056 --a------ C:\WINDOWS\system32\cwbsy.dll
2005-11-07 09:04 45,056 --a------ C:\WINDOWS\system32\cwbab.dll
2005-11-07 09:04 40,960 --a------ C:\WINDOWS\system32\cwbsorte.dll
2005-11-07 09:04 36,914 --a------ C:\WINDOWS\system32\cwbmsgbx.dll
2005-11-07 09:04 36,864 --a------ C:\WINDOWS\system32\cwbsotif.dll
2005-11-07 09:04 36,864 --a------ C:\WINDOWS\system32\cwbnl1.dll
2005-11-07 09:04 36,864 --a------ C:\WINDOWS\system32\cwblm.dll
2005-11-07 09:04 36,864 --a------ C:\WINDOWS\cwbrest.exe
2005-11-07 09:04 32,815 --a------ C:\WINDOWS\system32\cwbdt.dll
2005-11-07 09:04 32,768 --a------ C:\WINDOWS\system32\cwbsotca.dll
2005-11-07 09:04 32,768 --a------ C:\WINDOWS\system32\cwbsoapi.dll
2005-11-07 09:04 32,768 --a------ C:\WINDOWS\system32\cwbbb1.dll
2005-11-07 09:04 32,768 --a------ C:\WINDOWS\cwbback.exe
2005-11-07 09:04 28,720 --a------ C:\WINDOWS\system32\cwbad1.dll
2005-11-07 09:04 28,672 --a------ C:\WINDOWS\system32\cwbuiutl.dll
2005-11-07 09:04 28,672 --a------ C:\WINDOWS\system32\cwbuireg.dll
2005-11-07 09:04 28,672 --a------ C:\WINDOWS\system32\cwbdbfmt.dll
2005-11-07 09:04 28,672 --a------ C:\WINDOWS\system32\cwbbb.dll
2005-11-07 09:04 258,048 --a------ C:\WINDOWS\system32\cwbco.dll
2005-11-07 09:04 24,626 --a------ C:\WINDOWS\system32\cwbcftft.dll
2005-11-07 09:04 24,624 --a------ C:\WINDOWS\system32\cwbab1.dll
2005-11-07 09:04 24,624 --a------ C:\WINDOWS\rmtcmd.exe
2005-11-07 09:04 24,623 --a------ C:\WINDOWS\system32\cwbar.dll
2005-11-07 09:04 24,576 --a------ C:\WINDOWS\system32\cwbuierr.dll
2005-11-07 09:04 24,576 --a------ C:\WINDOWS\system32\cwbnltrn.dll
2005-11-07 09:04 24,576 --a------ C:\WINDOWS\system32\cwbnldlg.dll
2005-11-07 09:04 24,576 --a------ C:\WINDOWS\cwbviewr.exe
2005-11-07 09:04 24,576 --a------ C:\WINDOWS\cwbping.exe
2005-11-07 09:04 208,896 --a------ C:\WINDOWS\system32\cwbobj.dll
2005-11-07 09:04 20,530 --a------ C:\WINDOWS\cwbrxdsd.exe
2005-11-07 09:04 20,480 --a------ C:\WINDOWS\system32\cwbwiz.dll
2005-11-07 09:04 20,480 --a------ C:\WINDOWS\cwbunrse.exe
2005-11-07 09:04 196,608 --a------ C:\WINDOWS\system32\cwbdb.dll
2005-11-07 09:04 176,128 --a------ C:\WINDOWS\system32\cwbunpla.dll
2005-11-07 09:04 176,128 --a------ C:\WINDOWS\system32\cwbsof.dll
2005-11-07 09:04 172,032 --a------ C:\WINDOWS\system32\cwbrw.dll
2005-11-07 09:04 167,986 --a------ C:\WINDOWS\system32\cwbopcom.dll
2005-11-07 09:04 167,936 --a------ C:\WINDOWS\system32\cwbjob.dll
2005-11-07 09:04 159,744 --a------ C:\WINDOWS\system32\cwbsohwr.dll
2005-11-07 09:04 155,648 --a------ C:\WINDOWS\system32\cwbsoprf.dll
2005-11-07 09:04 147,456 --a------ C:\WINDOWS\system32\cwbuncmn.dll
2005-11-07 09:04 139,264 --a------ C:\WINDOWS\system32\cwbsfl.dll
2005-11-07 09:04 118,831 --a------ C:\WINDOWS\system32\cwbdq.dll
2005-11-07 09:04 114,688 --a------ C:\WINDOWS\system32\cwbsv.dll
2005-11-07 07:13 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2005-11-04 16:54 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2005-11-04 16:11 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2005-11-04 15:48 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2005-11-04 15:48 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2005-11-04 15:48 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2005-11-04 15:48 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2005-11-04 15:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2005-10-25 12:59 53,248 --a------ C:\WINDOWS\system32\DellSys.dll
2005-10-25 12:59 17,153 --a------ C:\WINDOWS\system32\drivers\omci.sys
2005-10-25 12:54 33,340 --------- C:\WINDOWS\system32\dbmsqlgc.dll
2005-10-25 12:54 24,576 --------- C:\WINDOWS\system32\dbmsgnet.dll
2005-10-25 12:53 24,816 --a------ C:\WINDOWS\system32\mdimon.dll
2005-10-25 12:48 91,823 --a------ C:\WINDOWS\system32\drivers\ozscr.sys
2005-10-25 12:48 40,960 --a------ C:\WINDOWS\system32\ct32.dll
2005-10-25 12:48 34,329 -r------- C:\WINDOWS\O2Remove.EXE
2005-10-25 12:48 16,128 --a------ C:\WINDOWS\system32\drivers\APPDRV.SYS
2005-10-25 12:47 17,056 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2005-10-25 12:34 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2005-10-25 12:34 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2005-10-25 12:34 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2005-10-25 12:34 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2005-10-25 12:34 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2005-10-25 12:34 1,654,784 --a------ C:\WINDOWS\system32\W29MLRES.dll
2005-10-25 12:33 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys
2005-10-25 12:33 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2005-10-25 12:33 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2005-10-25 12:33 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2005-10-25 12:33 4,992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys
2005-10-25 12:33 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2005-10-25 12:33 28,672 -ra------ C:\WINDOWS\cttib1.dll
2005-10-25 12:33 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2005-10-25 12:33 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2005-10-25 12:33 145,792 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2005-10-25 12:31 9,344 --a------ C:\WINDOWS\system32\drivers\compbatt.sys
2005-10-25 12:31 14,080 --a------ C:\WINDOWS\system32\drivers\CmBatt.sys
2005-10-25 12:31 14,080 --a------ C:\WINDOWS\system32\drivers\battc.sys
2005-10-25 12:28 94,235 --a------ C:\WINDOWS\system32\Vxdif.dll
2005-10-25 12:28 94,208 --a------ C:\WINDOWS\system32\atipdlxx.dll
2005-10-25 12:28 86,016 --a------ C:\WINDOWS\system32\mdmxsdk.dll
2005-10-25 12:28 80,384 --a------ C:\WINDOWS\system32\drivers\gtipci21.sys
2005-10-25 12:28 73,728 --a------ C:\WINDOWS\system32\Oemdspif.dll
2005-10-25 12:28 705,408 --a------ C:\WINDOWS\system32\drivers\HSF_CNXT.sys
2005-10-25 12:28 605,920 --a------ C:\WINDOWS\system32\ativvaxx.dll
2005-10-25 12:28 6,680,576 --a------ C:\WINDOWS\system32\atioglx1.dll
2005-10-25 12:28 53,248 --a------ C:\WINDOWS\system32\ATIDDC.DLL
2005-10-25 12:28 49,152 --a------ C:\WINDOWS\setpwrcg.exe
2005-10-25 12:28 46,080 --a------ C:\WINDOWS\system32\ati2evxx.dll
2005-10-25 12:28 458,752 --a------ C:\WINDOWS\system32\w29NCPA.dll
2005-10-25 12:28 453,120 --a------ C:\WINDOWS\system32\drivers\mrxsmb.sys
2005-10-25 12:28 4,820,992 --a------ C:\WINDOWS\system32\atioglxx.dll
2005-10-25 12:28 39,936 --a------ C:\WINDOWS\system32\ati2edxx.dll
2005-10-25 12:28 364,544 --a------ C:\WINDOWS\system32\ati2evxx.exe
2005-10-25 12:28 36,864 --a------ C:\WINDOWS\system32\drivers\ati2erec.dll
2005-10-25 12:28 332,928 --a------ C:\WINDOWS\system32\drivers\srv.sys
2005-10-25 12:28 33,818 --a------ C:\WINDOWS\system32\HSFCI010.dll
2005-10-25 12:28 3,210,496 --a------ C:\WINDOWS\system32\drivers\w29n51.sys
2005-10-25 12:28 299,008 --a------ C:\WINDOWS\system32\atiiiexx.dll
2005-10-25 12:28 273,168 --a------ C:\WINDOWS\system32\drivers\STAC97.sys
2005-10-25 12:28 25,088 --a------ C:\WINDOWS\system32\Ati2mdxx.exe
2005-10-25 12:28 24,064 --a------ C:\WINDOWS\system32\ativcoxx.dll
2005-10-25 12:28 226,816 --a------ C:\WINDOWS\system32\ati2dvag.dll
2005-10-25 12:28 208,384 --a------ C:\WINDOWS\system32\drivers\HSFHWICH.sys
2005-10-25 12:28 204,800 --a------ C:\WINDOWS\system32\ati2cqag.dll
2005-10-25 12:28 2,307,424 --a------ C:\WINDOWS\system32\ati3duag.dll
2005-10-25 12:28 192,512 --a------ C:\WINDOWS\system32\stac97co.dll
2005-10-25 12:28 17,408 --a------ C:\WINDOWS\system32\atitvo32.dll
2005-10-25 12:28 135,168 --a------ C:\WINDOWS\system32\atikvmag.dll
2005-10-25 12:28 13,059 --a------ C:\WINDOWS\system32\drivers\mdmxsdk.sys
2005-10-25 12:28 121,472 --a------ C:\WINDOWS\system32\drivers\b57xp32.sys
2005-10-25 12:28 108,791 --a------ C:\WINDOWS\system32\drivers\Apfiltr.sys
2005-10-25 12:28 1,132,544 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2005-10-25 12:28 1,041,536 --a------ C:\WINDOWS\system32\drivers\HSF_DP.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-08 10:19 11648 --a------ C:\WINDOWS\system32\drivers\pxscrmbl.sys
2006-08-21 04:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-16 04:37 225664 --a------ C:\WINDOWS\system32\drivers\tcpip6.sys
2006-07-14 14:03 14448 --a------ C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
2006-07-13 03:48 202240 --a------ C:\WINDOWS\system32\drivers\rmcast.sys
2006-05-05 04:47 174592 --a------ C:\WINDOWS\system32\drivers\rdbss.sys
2006-04-20 06:51 359808 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
2006-03-16 19:33 262784 --a------ C:\WINDOWS\system32\drivers\http.sys
2005-12-21 08:38 62656 --a------ C:\WINDOWS\system32\drivers\ltxred.sys
2005-11-14 13:14 -------- d-------- C:\Program Files\Common Files
2005-11-14 12:38 -------- d-------- C:\Program Files\OnGuard
2005-11-14 12:34 -------- d-------- C:\Program Files\Identix
2005-11-14 12:34 -------- d-------- C:\Program Files\Common Files\Lenel
2005-11-13 14:04 -------- d-------- C:\Program Files\Yahoo!
2005-11-13 14:04 -------- d-------- C:\Program Files\STOPzilla!
2005-11-10 10:03 -------- d-------- C:\Program Files\DominoForOutlook
2005-11-09 18:44 394 --a------ C:\Documents and Settings\Hiram Guzman.MCD_CORP\Application Data\dm.ini
2005-11-09 08:13 -------- d-------- C:\Program Files\Lantronix
2005-11-07 14:31 -------- d-------- C:\Documents and Settings\Hiram Guzman.MCD_CORP\Application Data\Macromedia
2005-11-07 14:09 -------- d-------- C:\Program Files\Rainbow Technologies
2005-11-07 14:08 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2005-11-07 14:06 -------- d-------- C:\Program Files\Microsoft SQL Server
2005-11-07 14:05 -------- d-------- C:\Program Files\Nortel Networks
2005-11-07 09:58 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2005-11-07 09:57 -------- d-------- C:\Program Files\Symantec
2005-11-07 09:52 -------- d--h----- C:\Program Files\Zero G Registry
2005-11-07 09:51 -------- d-------- C:\Program Files\CUAgent
2005-11-07 09:04 -------- d-------- C:\Program Files\IBM
2005-11-04 17:20 -------- d-------- C:\Program Files\Windows Media Connect
2005-11-04 17:18 -------- d-------- C:\Program Files\HighMAT CD Writing Wizard
2005-11-04 17:12 -------- d-------- C:\Program Files\Microsoft Works
2005-10-25 12:54 -------- d-------- C:\Program Files\Microsoft Visual Studio .NET 2003
2005-10-25 12:54 -------- d-------- C:\Program Files\Common Files\Crystal Decisions
2005-10-25 12:53 -------- d-------- C:\Program Files\Microsoft ActiveSync
2005-10-25 12:52 -------- d-------- C:\Program Files\Microsoft.NET
2005-10-25 12:52 -------- d-------- C:\Program Files\Microsoft Visual Studio
2005-10-25 12:52 -------- d-------- C:\Program Files\Microsoft Office
2005-10-25 12:52 -------- d-------- C:\Program Files\Common Files\DESIGNER
2005-10-25 12:49 -------- d-------- C:\Program Files\NetWaiting
2005-10-25 12:49 -------- d-------- C:\Program Files\Digital Line Detect
2005-10-25 12:48 -------- d-------- C:\Program Files\Modem Helper
2005-10-25 12:48 -------- d-------- C:\Program Files\Dell
2005-10-25 12:48 -------- d-------- C:\Program Files\Common Files\InstallShield
2005-10-25 12:47 -------- d-------- C:\Program Files\Intel, Inc
2005-10-25 12:47 -------- d-------- C:\Program Files\Intel
2005-10-25 12:47 -------- d-------- C:\Program Files\Broadcom
2005-10-25 12:47 -------- d-------- C:\Documents and Settings\Hiram Guzman.MCD_CORP\Application Data\Intel
2005-10-25 12:46 -------- d-------- C:\Program Files\Java
2005-10-25 12:46 -------- d-------- C:\Documents and Settings\Hiram Guzman.MCD_CORP\Application Data\Sun
2005-10-25 12:45 -------- d-------- C:\Program Files\Common Files\Java
2005-10-25 12:33 -------- d-------- C:\Program Files\Sigmatel
2005-10-25 12:33 -------- d-------- C:\Program Files\CONEXANT
2005-10-20 17:20 1082368 --a------ C:\WINDOWS\system32\esent.dll
2005-10-17 16:14 80896 --a------ C:\WINDOWS\system32\fontsub.dll
2005-10-17 16:14 118272 --a------ C:\WINDOWS\system32\t2embed.dll
2005-10-05 19:05 1839488 --a------ C:\WINDOWS\system32\win32k.sys
2005-09-20 17:05 90112 --a------ C:\WINDOWS\system32\matcher5.dll
2005-09-09 20:53 2067968 --a------ C:\WINDOWS\system32\cdosys.dll
2005-08-31 20:41 291840 --a------ C:\WINDOWS\system32\winsrv.dll
2005-08-31 20:41 19968 --a------ C:\WINDOWS\system32\linkinfo.dll
2005-08-29 22:54 1287168 --a------ C:\WINDOWS\system32\quartz.dll
2005-08-22 22:35 123392 --a------ C:\WINDOWS\system32\umpnpmgr.dll
2005-08-22 13:29 197632 --a------ C:\WINDOWS\system32\netman.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
@=""
"IntelWireless"="C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe /tf Intel PROSet/Wireless"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"Dell QuickSet"="C:\\Program Files\\Dell\\QuickSet\\quickset.exe"
"Client Access Service"="\"C:\\Program Files\\IBM\\Client Access\\cwbsvstr.exe\""
"Client Access Help Update"="\"C:\\Program Files\\IBM\\Client Access\\cwbinhlp.exe\""
"Client Access Check Version"="\"C:\\Program Files\\IBM\\Client Access\\cwbckver.exe\" LOGIN"
"Client Access Express Welcome"="\"C:\\Program Files\\IBM\\Client Access\\cwbwlwiz.exe\""
"NWTRAY"="NWTRAY.EXE"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"EPSON Stylus C62 Series (Copy 1)"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S0BIC1.EXE /P32 \"EPSON Stylus C62 Series (Copy 1)\" /O6 \"USB001\" /M \"Stylus C62\""
"tgcmd"="C:\\Program Files\\Support.com\\bin\\tgcmd.exe /server /startmonitor /deaf"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"AdwareAlert"="C:\\Program Files\\AdwareAlert\\AdwareAlert.exe -boot"
"Redirector"="C:\\Program Files\\Lantronix\\Redirector\\red32.exe"
"New.net Startup"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~2.DLL,ClientStartup -s"
"SpywareBot"="C:\\Program Files\\SpywareBot\\SpywareBot.exe -boot"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,00,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,fa,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,fa,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"iasuh"="C:\\WINDOWS\\system32\\mmhcgr.exe reg_run"
"PSCastor"="\"C:\\Program Files\\PSCastor\\PSCastor.exe\""
"Tair"="\"C:\\WINDOWS\\system32\\STEM32~1\\fast.exe\" -vt tzt"
"Wloxcil"="C:\\WINDOWS\\??curity\\r?gedit.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"iasuh"="C:\\WINDOWS\\system32\\mmhcgr.exe reg_run"
"PSCastor"="\"C:\\Program Files\\PSCastor\\PSCastor.exe\""
"Tair"="\"C:\\WINDOWS\\system32\\STEM32~1\\fast.exe\" -vt tzt"
"Wloxcil"="C:\\WINDOWS\\??curity\\r?gedit.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Wallpaper"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"CompatibleRUPSecurity"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"item"="MSMSGS"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"hkey"="HKEY"
"key"="Run"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\RegCure.job
C:\WINDOWS\tasks\XoftSpySE.job

Completion time: 06-11-14 13:19:49.34
C:\ComboFix.txt ... 06-11-14 13:19

In the next post I'll do the HijackThis log.

#5 Hguzman

Hguzman
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  • Local time:04:33 AM

Posted 14 November 2006 - 01:31 PM

Here is the HijackThis log that you asked for:
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat 6.0.1 Standard
Adobe Acrobat and Reader 6.0.3 Update
Adobe Acrobat and Reader 6.0.4 Update
Adobe Acrobat and Reader 6.0.5 Update
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Download Manager 1.2 (Remove Only)
Adobe Flash Player 9
Adobe Photoshop 7.0
Adobe Reader 6.0.1
ALPS Touch Pad Driver
ATI Control Panel
ATI Display Driver
AutoCAD LT 2006 - English
Autodesk DWF Viewer
BibleWorks 5
Broadcom Advanced Control Suite 2
Broadcom ASF Management Applications
Business Contact Manager for Outlook 2003
Comcast High-Speed Internet Install Wizard
Conexant D110 MDC V.92 Modem
Desktop Doctor
DeviceInstaller
Digital Line Detect
EDR
EPSON Printer Software
Express Rip Uninstall
EZWebCon
Finale NotePad 2006
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB896344)
IBM AS/400 Client Access Express for Windows
IBM AS/400 Client Access Express for Windows SI06804
IBM Lotus Domino Access for Microsoft Outlook
Intel® Integrated Performance Primitives RTI 4.0
Intel® PROSet/Wireless Software
Internal Network Card Power Management
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
LiveUpdate 2.0 (Symantec Corporation)
Lotus Notes 7.0.1
mCore
mDrWiFi
MediaTickets by OIN
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Office Professional Edition 2003
Microsoft SQL Server Desktop Engine
Microsoft XML Parser and SDK
mIWA
mIWCA
mLogView
mMHouse
Modem Helper
mPfMgr
mPfWiz
mProSafe
MSN
MSN Toolbar
mSSO
MSXML 4.0 SP2 (KB925672)
mToolkit
mWlsSafe
mXML
mZConfig
NetWaiting
New.net Domains 7.22
NICI (Shared) U.S./Worldwide (128 bit) (2.6.6-1)
NMAS Client (3.0.0.37)
Nortel Networks Contivity VPN Client
Novell Client for Windows
O2Micro Smartcard Driver
OnGuard 2005
PageViewer
Palm Desktop
Palm Desktop and Synchronization Software
QuickSet
QuickTime
Redirector
RegCure 1.0.0.43
Scientific-Atlanta WebSTAR 2000 series Cable Modem
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
Sentinel System Driver
Spybot - Search & Destroy 1.3
Switch Uninstall
Symantec AntiVirus
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
WavePad Uninstall
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Connect
Windows Media Connect
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 10
Windows Overlay Components
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
WinPane
WinZip
XoftSpySE
Yazzle by OIN

Thanks again

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:33 AM

Posted 14 November 2006 - 07:28 PM

Open Notepad, and copy everything in the code box below and paste it into a new notepad file. Change the "Save As Type" to "All Files". Save it as fixme.reg on your Desktop. Make sure there is NO blank line above "REGEDIT4"!

REGEDIT4

[-HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]

[-HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

Locate fixme.reg on your Desktop and double-click on it. When it asks if you want to merge with the registry, click YES.


=============


Click Start -> Control Panel -> Add Remove Programs and uninstall these programs:

Java 2 Runtime Environment, SE v1.4.2_03
MediaTickets by OIN
New.net Domains 7.22
Windows Overlay Components
Yazzle by OIN



=============



Please download AVG Anti-Spyware and save that file to your desktop.
This is a 30-day trial of the program.
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run Ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.

  • Clean out your Temporary Internet files.
    • Internet Explorer
      • Close Internet Explorer and close any instances of Windows Explorer.
      • Click Start -> Control Panel and then double-click Internet Options.
      • On the General tab, click Delete Files under Temporary Internet Files.
      • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
      • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
      • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
      • Click OK.
    • Firefox (In case you also have Firefox installed)
      • Open Firefox and go to Tools -> Options.
      • Click Privacy in the menu on the left side of the Options window.
      • Click the Clear button located to the right of each option (History, Cookies, Cache).
      • Click OK to close the Options window.
        Alternatively, you can clear all information stored while browsing by clicking Clear All.
        A confirmation dialog box will be shown before clearing the information.
    IMPORTANT: Close all windows and do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:

  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
    • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
      Once the scan is complete do the following:
    • If you have any infections you will be prompted, then select "Apply all actions"
    • Next select the "Reports" icon at the top.
    • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    • Close AVG Anti-Spyware and reboot your system back into Normal Mode.
Please post the results of the AVG Anti-Spyware scan report along with a new Hijackthis log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
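As an added example (not part of this thread and not a ComboFix or AVG component): a small Python triage script for the "Reg Loading Points" section of a ComboFix log like the one posted above. It flags Run values in the .DEFAULT / S-1-5-18 (SYSTEM) profile, paths that ComboFix printed with "?" in place of characters it could not render, and rundll32 loaders, then emits a REGEDIT4 deletion file in the same shape as the fixme.reg above; the sample log text is constructed from entries quoted in the thread.

```python
"""Triage the "Reg Loading Points" section of a ComboFix log. Added example, not part
of this thread, ComboFix or AVG; the sample log is constructed from the thread's entries."""
import re
from typing import Dict, List, Tuple

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<data>.*)$')
# Run keys of the .DEFAULT profile and of S-1-5-18 (the SYSTEM account): legitimate
# installers rarely add per-user autoruns there; post #6's fixme.reg deletes both.
SYSTEM_PROFILE_RE = re.compile(r"^HKEY_USERS\\(\.default|S-1-5-18)\\.*\\run$", re.I)

SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"New.net Startup"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~2.DLL,ClientStartup -s"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"iasuh"="C:\\WINDOWS\\system32\\mmhcgr.exe reg_run"
"Tair"="\"C:\\WINDOWS\\system32\\STEM32~1\\fast.exe\" -vt tzt"
"Wloxcil"="C:\\WINDOWS\\??curity\\r?gedit.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"iasuh"="C:\\WINDOWS\\system32\\mmhcgr.exe reg_run"
'''


def unquote_reg_string(data: str) -> str:
    """Undo .reg escaping: outer quotes, doubled backslashes, escaped quotes."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        data = data[1:-1]
    return re.sub(r"\\(.)", r"\1", data)


def parse_loading_points(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each [key] block to its (value name, command line) pairs."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group("key")
            sections[current] = []
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            name = "@" if val.group("name") is None else val.group("name")
            sections[current].append((name, unquote_reg_string(val.group("data"))))
    return sections


def launch_target(command: str) -> str:
    """File a Run value launches; for rundll32, the DLL it loads. An unquoted
    path with spaces is cut at the first space, as CreateProcess tries first."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        head, rest = command[1:end], command[end + 1:]
    else:
        head, _, rest = command.partition(" ")
    if head.lower().rsplit("\\", 1)[-1] in ("rundll32", "rundll32.exe"):
        return rest.strip().split(",", 1)[0].strip().strip('"')  # rundll32 <dll>,<export>
    return head


def triage(sections: Dict[str, List[Tuple[str, str]]]) -> List[Tuple[str, str, str, str]]:
    """Return (key, value name, launch target, reason) for autoruns worth a look."""
    findings = []
    for key, values in sections.items():
        for name, command in values:
            target = launch_target(command)
            reasons = []
            if "?" in target:
                # ComboFix prints unrenderable characters as '?': \??curity\r?gedit.exe mimics \Security\regedit.exe
                reasons.append("non-ASCII lookalike characters in path")
            if SYSTEM_PROFILE_RE.match(key):
                reasons.append("autorun in the .DEFAULT/SYSTEM profile")
            if "rundll32" in command.lower() and re.search(r"~\d+\\", target):
                reasons.append("rundll32 loading a DLL through an 8.3 short path")
            findings.extend((key, name, target, r) for r in reasons)
    return findings


def keys_to_remove(findings) -> List[str]:
    """Keys to delete whole: flagged .DEFAULT/SYSTEM Run keys, as post #6 does."""
    return sorted({k for k, _, _, _ in findings if SYSTEM_PROFILE_RE.match(k)})


def build_fixme_reg(keys: List[str]) -> str:
    """REGEDIT4 text in the shape of post #6's fixme.reg. '[-key]' deletes the
    whole key, so never list the HKLM Run key; 'REGEDIT4' must be line 1."""
    return "REGEDIT4\n\n" + "".join(f"[-{k}]\n\n" for k in keys)


if __name__ == "__main__":
    found = triage(parse_loading_points(SAMPLE_LOG))
    for key, name, target, reason in found:
        print(f"{reason}: [{key}] {name} -> {target}")
    print(build_fixme_reg(keys_to_remove(found)))
```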

#7 Hguzman

Hguzman
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  • Local time:04:33 AM

Posted 14 November 2006 - 10:01 PM

Sam,
I tried to do what you said. There are a couple of things that I need to mention before posting the report.

I could not find these programs in Add/Remove Programs:
MediaTickets by OIN
Windows Overlay Components (I think you mean some Windows programs but I don't know which one it is? I need more info on this one :huh:

When I ran the Anti-Spyware for the first time in Windows for updates, it found some files and was asking me what to do. I selected clean :thumbsup: I hope I didn't mess that one up.... :flowers:

Here is the report (it took 1hr 15min :huh: ):
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:35:22 PM 11/14/2006

+ Scan result:



C:\Documents and Settings\All Users\Application Data\AutoSearch.dll -> Adware.AutoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP303\A0068114.exe -> Adware.Bagon : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP285\A0063257.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP285\A0063258.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP285\A0063260.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\stub_mm3.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP303\A0068119.dll -> Adware.CASClient : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP303\A0068120.exe -> Adware.CASClient : Cleaned with backup (quarantined).
C:\WINDOWS\system32\BattyRun2.dll -> Adware.CASClient : Cleaned with backup (quarantined).
C:\WINDOWS\SGlyYW0gR3V6bWFu\asappsrv.dll -> Adware.CommAd : Cleaned with backup (quarantined).
C:\WINDOWS\SGlyYW0gR3V6bWFu\command.exe -> Adware.CommAd : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Classes\AutoSearch.AutoSearchObj -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Classes\AutoSearch.AutoSearchObj.1 -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Classes\AutoSearch.AutoSearchObj\CLSID -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Classes\AutoSearch.AutoSearchObj\CurVer -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Classes\AutoSearch.AutoSearchObj -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Classes\AutoSearch.AutoSearchObj.1 -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Classes\AutoSearch.AutoSearchObj\CLSID -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Classes\AutoSearch.AutoSearchObj\CurVer -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\DeluxeCommunications -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\DeluxeCommunications\Internet Explorer -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\DeluxeCommunications -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\DeluxeCommunications\Internet Explorer -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKU\S-1-5-21-2884837916-3070325548-2578637608-1007\Software\Microsoft\Windows\CurrentVersion\Run\\DeluxeCommunications -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\456V83GB\yz02[1].exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\NewDotNet -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP285\A0061185.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP308\A0069097.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP308\A0069098.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP311\A0069233.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall6_38.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\yz02.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\New.net -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\New.net -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\KBBar.KBBarBand -> Adware.PowerStrip : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\KBBar.KBBarBand\CurVer -> Adware.PowerStrip : Cleaned with backup (quarantined).
C:\Documents and Settings\Hiram Guzman.MCD_CORP\Desktop\backups\backup-20061113-111318-483.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP286\A0064436.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\tgpf.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\hlvi6wkjc.exe -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\WINDOWS\system32hlvi6wkjc.exe -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP285\A0063295.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP285\A0063299.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W3YZIJ2F\xuf9rtpr[1].cab/rnnypbw.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP311\A0069234.dll -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\rnnypbw.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\DXC9.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IVQ34BCD\DXC9[1].exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP286\A0064403.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP286\A0064404.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP286\A0064405.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP289\A0065559.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP289\A0065564.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP303\A0068131.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\NDH1QVX0\TISED001[1].exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\U7WXA5I7\drsmartload136a[1].exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\U7WXA5I7\drsmartload136a[2].exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\U7WXA5I7\drsmartload44a[1].exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP285\A0061173.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP285\A0061205.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP285\A0061223.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP285\A0061243.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP285\A0062249.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP286\A0064434.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\mc44a54.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\456V83GB\loader[1].exe -> Downloader.Adload.ncp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP285\A0061174.exe -> Downloader.Adload.ncp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP285\A0061206.exe -> Downloader.Adload.ncp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP285\A0061224.exe -> Downloader.Adload.ncp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP285\A0062250.exe -> Downloader.Adload.ncp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP285\A0063298.exe -> Downloader.Adload.ncp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP285\A0061207.dll -> Downloader.Agent.agw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP285\A0063255.dll -> Downloader.Agent.agw : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\U7WXA5I7\mpnaaq7[1].exe -> Downloader.Agent.ala : Cleaned with backup (quarantined).
C:\mpnaaq7.exe -> Downloader.Agent.ala : Cleaned with backup (quarantined).
C:\QooBox\Purity\WINDOWS\system32\STEM32~1\fast.exe -> Downloader.PurityScan : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\U7WXA5I7\!update-4295[1].0000 -> Downloader.PurityScan.co : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP308\A0069099.exe -> Downloader.PurityScan.cq : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\U7WXA5I7\!update-4200[1].0000 -> Downloader.PurityScan.df : Cleaned with backup (quarantined).
C:\QooBox\Purity\WINDOWS\system32\STEM32~1\ѕуstem32\!update-4200.0000 -> Downloader.PurityScan.df : Cleaned with backup (quarantined).
C:\QooBox\Purity\WINDOWS\SMBOLS~1\dllhost.exe -> Downloader.PurityScan.dm : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IVQ34BCD\installerwnus[1].exe -> Downloader.Qoologic.at : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP285\A0061162.exe -> Downloader.Qoologic.at : Cleaned with backup (quarantined).
C:\QooBox\dvygf.exe.qoo -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\QooBox\ettdm.exe.qoo -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\QooBox\mmhcgr.exe.qoo -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\QooBox\nqfkqwb.exe.qoo -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\QooBox\rjwfr.dat.qoo -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\QooBox\sthcwam.dll.qoo -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP287\A0065505.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP289\A0065546.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP289\A0065547.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP289\A0065552.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP290\A0065648.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP290\A0065649.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP290\A0065651.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP290\snapshot\MFEX-1.DAT -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP299\A0066888.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP303\A0068122.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP303\A0068123.dll -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP303\A0068124.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP303\A0068125.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP303\A0068126.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP285\A0061158.exe -> Downloader.Small.ajc : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\U7WXA5I7\MTE3NDI6ODoxNg[1].exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP285\A0063297.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP303\A0068110.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP303\A0068111.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\Program Files\Messenger\hotegyt.dll -> Downloader.Small.ctp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP285\A0064338.exe -> Downloader.Small.dxm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP285\A0064337.dll -> Downloader.Zlob.aoi : Cleaned with backup (quarantined).
C:\162.exe -> Downloader.Zlob.avo : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\U7WXA5I7\162[1].exe -> Downloader.Zlob.avo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP303\A0068115.exe -> Dropper.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W3YZIJ2F\wallpap[1].exe -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\Documents and Settings\Hiram Guzman.MCD_CORP\aoaeqhfo.exe -> Not-A-Virus.Hoax.Win32.Renos.eo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP290\A0065650.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Cookies\system@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\mdorsey\Cookies\mdorsey@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\mdorsey\Cookies\mdorsey@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\mdorsey\Cookies\mdorsey@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Documents and Settings\mdorsey\Cookies\mdorsey@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@enhance[1].txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@goclick[2].txt -> TrackingCookie.Goclick : Cleaned.
C:\Documents and Settings\mdorsey\Cookies\mdorsey@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\mdorsey\Cookies\mdorsey@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@media.top-banners[2].txt -> TrackingCookie.Top-banners : Cleaned.
C:\Documents and Settings\Daniel Popescu\Cookies\daniel popescu@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\mdorsey\Cookies\mdorsey@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP285\A0061208.exe -> Trojan.Qoologic : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP285\A0063254.exe -> Trojan.Qoologic : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W3YZIJ2F\xuf9rtpr[1].cab/tbiu5xkb.exe -> Trojan.Runner.j : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP289\A0065549.exe -> Trojan.Runner.j : Cleaned with backup (quarantined).
C:\WINDOWS\system32\tbiu5xkb.exe -> Trojan.Runner.j : Cleaned with backup (quarantined).
C:\WINDOWS\system32ysjaevwx.exe -> Trojan.Runner.j : Cleaned with backup (quarantined).


::Report end

Next post the new HijackThis log

#8 Hguzman

Hguzman
  • Topic Starter

  • Members
  • 66 posts

Posted 14 November 2006 - 10:02 PM

Logfile of HijackThis v1.99.1
Scan saved at 9:47:18 PM, on 11/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\lotus\notes\nslsvice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Lenel\LpsSearchSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\lotus\notes\ntmulti.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\OnGuard\LicenseServer.exe
C:\Program Files\OnGuard\logindrvr.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lantronix\Redirector\red32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Hiram Guzman.MCD_CORP\Desktop\HijackThis_v1.99.1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mcdinet/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Jffdjljo Class - {A16AC1F4-BCA7-4401-B5F5-22240F78E776} - C:\WINDOWS\system32\p2jlseh8.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [EPSON Stylus C62 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P32 "EPSON Stylus C62 Series (Copy 1)" /O6 "USB001" /M "Stylus C62"
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - HKLM\..\Run: [Redirector] C:\Program Files\Lantronix\Redirector\red32.exe
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: zabbix_rep.lnk = C:\Documents and Settings\All Users\zabbix_rep.exe
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} -
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\lotus\notes\nslsvice.exe
O23 - Service: LpsSearchSvc - TODO: <Company name> - C:\Program Files\Common Files\Lenel\LpsSearchSvc.exe
O23 - Service: LS Communication Server - Lenel Systems International Inc. - C:\Program Files\OnGuard\Lnlcomsrvr.exe
O23 - Service: LS DataExchange Server - Lenel Systems International, Inc. - C:\Program Files\OnGuard\DataExchangeService.exe
O23 - Service: LS Global Output Server - Lenel Systems International Inc. - C:\Program Files\OnGuard\GOSServer.exe
O23 - Service: LS License Server - Lenel Systems International, Inc. - C:\Program Files\OnGuard\LicenseServer.exe
O23 - Service: LS Linkage Server - Lenel Systems International Inc. - C:\Program Files\OnGuard\LSLServer.exe
O23 - Service: LS Login Driver - Lenel Systems International - C:\Program Files\OnGuard\logindrvr.exe
O23 - Service: LS OpenIT Message Queue Server - Lenel Systems International, Inc. - C:\Program Files\OnGuard\OpenITQueueServer.exe
O23 - Service: LS OpenIT Service - Lenel Systems International Inc. - C:\Program Files\OnGuard\WMIService.exe
O23 - Service: LS Replicator - Lenel Systems International Inc. - C:\Program Files\OnGuard\Replicator.exe
O23 - Service: LS Video Archive Server - Lenel Systems International, Inc. - C:\Program Files\OnGuard\LnlVideoComSrvr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\lotus\notes\ntmulti.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

:thumbsup: Thanks, waiting for your response. :flowers:

#9 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 15 November 2006 - 06:02 PM

You must disable Spybot's Teatimer function before proceeding with this fix. Otherwise it will interfere with hijackthis.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
Run Hijackthis again, click scan, and put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - (no file)
O2 - BHO: Jffdjljo Class - {A16AC1F4-BCA7-4401-B5F5-22240F78E776} - C:\WINDOWS\system32\p2jlseh8.dll (file missing)
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} -



Reboot and post a new hijackthis log.
How is your computer running now? Any problems?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#10 Hguzman

Hguzman
  • Topic Starter

  • Members
  • 66 posts

Posted 15 November 2006 - 06:25 PM

Hello Sam,
OK, I did what you said. Since yesterday, Norton Antivirus has twice popped up a window saying that it detected a virus and deleted it. The first one was some kind of Trojan and the second one was W32.spybot.worm. Sometimes when I move through the internet a window pops up about security.

For my desktop background, the only thing I can change is the colors, but I cannot change pictures to set as my background. This is in the Display window. I have other problems with my work programs, but I need to make sure I'm clean of malware and any virus before I re-install those programs.

Also, you told me to uninstall some programs, but some of them I could not find.

Here is the new HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 6:11:07 PM, on 11/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\lotus\notes\nslsvice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Lenel\LpsSearchSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\lotus\notes\ntmulti.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\OnGuard\LicenseServer.exe
C:\Program Files\OnGuard\logindrvr.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lantronix\Redirector\red32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Documents and Settings\Hiram Guzman.MCD_CORP\Desktop\HijackThis_v1.99.1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mcdinet/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [EPSON Stylus C62 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P32 "EPSON Stylus C62 Series (Copy 1)" /O6 "USB001" /M "Stylus C62"
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - HKLM\..\Run: [Redirector] C:\Program Files\Lantronix\Redirector\red32.exe
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Startup: zabbix_rep.lnk = C:\Documents and Settings\All Users\zabbix_rep.exe
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\lotus\notes\nslsvice.exe
O23 - Service: LpsSearchSvc - TODO: <Company name> - C:\Program Files\Common Files\Lenel\LpsSearchSvc.exe
O23 - Service: LS Communication Server - Lenel Systems International Inc. - C:\Program Files\OnGuard\Lnlcomsrvr.exe
O23 - Service: LS DataExchange Server - Lenel Systems International, Inc. - C:\Program Files\OnGuard\DataExchangeService.exe
O23 - Service: LS Global Output Server - Lenel Systems International Inc. - C:\Program Files\OnGuard\GOSServer.exe
O23 - Service: LS License Server - Lenel Systems International, Inc. - C:\Program Files\OnGuard\LicenseServer.exe
O23 - Service: LS Linkage Server - Lenel Systems International Inc. - C:\Program Files\OnGuard\LSLServer.exe
O23 - Service: LS Login Driver - Lenel Systems International - C:\Program Files\OnGuard\logindrvr.exe
O23 - Service: LS OpenIT Message Queue Server - Lenel Systems International, Inc. - C:\Program Files\OnGuard\OpenITQueueServer.exe
O23 - Service: LS OpenIT Service - Lenel Systems International Inc. - C:\Program Files\OnGuard\WMIService.exe
O23 - Service: LS Replicator - Lenel Systems International Inc. - C:\Program Files\OnGuard\Replicator.exe
O23 - Service: LS Video Archive Server - Lenel Systems International, Inc. - C:\Program Files\OnGuard\LnlVideoComSrvr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\lotus\notes\ntmulti.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

Thanks for your help :thumbsup:

#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:33 AM

Posted 15 November 2006 - 06:31 PM

Also, you told me to uninstall some programs, but some of them I could not find.

AVG may have removed some of these programs already, so that's not too worrisome.



Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use the Firefox browser: Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser: Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.



Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new hijackthis log.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#12 Hguzman

Hguzman
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Local time:04:33 AM

Posted 15 November 2006 - 08:24 PM

Ok Sam, here again.

Incident Status Location

Potentially unwanted tool:application/seekmo Not disinfected c:\documents and settings\all users\start menu\programs\Seekmo Search Assistant
Dialer:dialer.su Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\uninstall\Switch
Spyware:spyware/new.net Not disinfected Windows Registry
Adware:Adware/BookedSpace Not disinfected C:\165.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Hiram Guzman.MCD_CORP\Desktop\SmitFraudFix\SmitfraudFix\Process.exe
Possible Virus. Not disinfected C:\Documents and Settings\Hiram Guzman.MCD_CORP\Desktop\SmitFraudFix\SmitfraudFix\swsc.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Hiram Guzman.MCD_CORP\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Possible Virus. Not disinfected C:\Documents and Settings\Hiram Guzman.MCD_CORP\Desktop\SmitfraudFix.zip[SmitfraudFix/swsc.exe]
Adware:Adware/PurityScan Not disinfected C:\Program Files\PSCastor\PSCastor.exe
Adware:Adware/Maxifiles Not disinfected C:\Program Files\support.com\temp\ComcastToolbar.exe[²ÜÇ\nsProcess.dll]
Possible Virus. Renamed C:\QooBox\Purity\WINDOWS\CURITY~1\r?gedit.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\SmitFraudFix\SmitfraudFix\Process.exe
Possible Virus. Not disinfected C:\SmitFraudFix\SmitfraudFix\swsc.exe
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\ac3_0008.exe[PSCastor.exe]
Adware:Adware/CommAd Not disinfected C:\WINDOWS\SGlyYW0gR3V6bWFu\m35VsqX0lapdvqIR.vbs

Logfile of HijackThis v1.99.1
Scan saved at 8:19:43 PM, on 11/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\lotus\notes\nslsvice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Lenel\LpsSearchSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\lotus\notes\ntmulti.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\OnGuard\LicenseServer.exe
C:\Program Files\OnGuard\logindrvr.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Lantronix\Redirector\red32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Hiram Guzman.MCD_CORP\Desktop\HijackThis_v1.99.1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mcdinet/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [EPSON Stylus C62 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P32 "EPSON Stylus C62 Series (Copy 1)" /O6 "USB001" /M "Stylus C62"
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - HKLM\..\Run: [Redirector] C:\Program Files\Lantronix\Redirector\red32.exe
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Startup: zabbix_rep.lnk = C:\Documents and Settings\All Users\zabbix_rep.exe
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\lotus\notes\nslsvice.exe
O23 - Service: LpsSearchSvc - TODO: <Company name> - C:\Program Files\Common Files\Lenel\LpsSearchSvc.exe
O23 - Service: LS Communication Server - Lenel Systems International Inc. - C:\Program Files\OnGuard\Lnlcomsrvr.exe
O23 - Service: LS DataExchange Server - Lenel Systems International, Inc. - C:\Program Files\OnGuard\DataExchangeService.exe
O23 - Service: LS Global Output Server - Lenel Systems International Inc. - C:\Program Files\OnGuard\GOSServer.exe
O23 - Service: LS License Server - Lenel Systems International, Inc. - C:\Program Files\OnGuard\LicenseServer.exe
O23 - Service: LS Linkage Server - Lenel Systems International Inc. - C:\Program Files\OnGuard\LSLServer.exe
O23 - Service: LS Login Driver - Lenel Systems International - C:\Program Files\OnGuard\logindrvr.exe
O23 - Service: LS OpenIT Message Queue Server - Lenel Systems International, Inc. - C:\Program Files\OnGuard\OpenITQueueServer.exe
O23 - Service: LS OpenIT Service - Lenel Systems International Inc. - C:\Program Files\OnGuard\WMIService.exe
O23 - Service: LS Replicator - Lenel Systems International Inc. - C:\Program Files\OnGuard\Replicator.exe
O23 - Service: LS Video Archive Server - Lenel Systems International, Inc. - C:\Program Files\OnGuard\LnlVideoComSrvr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\lotus\notes\ntmulti.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

:thumbsup: :flowers: :huh:

Thanks again

#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:33 AM

Posted 16 November 2006 - 05:06 PM

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



    C:\165.exe
    C:\Program Files\PSCastor\PSCastor.exe
    C:\Program Files\support.com\temp\ComcastToolbar.exe
    C:\WINDOWS\ac3_0008.exe
    C:\WINDOWS\SGlyYW0gR3V6bWFu\m35VsqX0lapdvqIR.vbs
    C:\Program Files\PSCastor



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

  • After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log
  • Post this log in your next reply.
==============


Are you getting any more warnings from Norton?
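As an added example (not from the thread and not part of any tool used in it), here is a Python sketch of the triage step that turns the Panda ActiveScan report in #12 into the Killbox file list in #13: parse each report line, set aside registry-only items and findings Panda already renamed, leave the helper's own SmitfraudFix components and the QooBox quarantine folder alone, and reduce archive-member notation such as `file.exe[member.dll]` to the on-disk container file. The sample report is a constructed subset of the posted one with the garbled archive-member name replaced by the placeholder `GARBLED`; the SmitfraudFix/QooBox exclusion list is an assumption inferred from which entries Sam left out.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a subset of the Panda ActiveScan report posted in #12,
# with the garbled archive-member name replaced by the placeholder GARBLED.
SAMPLE_REPORT = r"""
Incident Status Location

Potentially unwanted tool:application/seekmo Not disinfected c:\documents and settings\all users\start menu\programs\Seekmo Search Assistant
Dialer:dialer.su Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\uninstall\Switch
Spyware:spyware/new.net Not disinfected Windows Registry
Adware:Adware/BookedSpace Not disinfected C:\165.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\SmitFraudFix\SmitfraudFix\Process.exe
Adware:Adware/PurityScan Not disinfected C:\Program Files\PSCastor\PSCastor.exe
Adware:Adware/Maxifiles Not disinfected C:\Program Files\support.com\temp\ComcastToolbar.exe[GARBLED\nsProcess.dll]
Possible Virus. Renamed C:\QooBox\Purity\WINDOWS\CURITY~1\r?gedit.exe
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\ac3_0008.exe[PSCastor.exe]
Adware:Adware/CommAd Not disinfected C:\WINDOWS\SGlyYW0gR3V6bWFu\m35VsqX0lapdvqIR.vbs
"""

# A report line is "<incident> <status> <location>"; the status is one of a few
# fixed phrases, which is what lets the free-text incident name be split off.
LINE_RE = re.compile(
    r"^(?P<incident>.+?) (?P<status>Not disinfected|Disinfected|Renamed|Deleted) (?P<location>.+)$"
)
# "C:\outer.exe[inner.dll]" means a member inside an archive/installer; only the
# outer file exists on disk, so that is the path a deletion tool can act on.
ARCHIVE_MEMBER_RE = re.compile(r"^(?P<container>.+?)\[[^\[\]]*\]$")
# Assumption: folders belonging to the helper's own tool (SmitfraudFix) or to a
# quarantine folder (QooBox) are deliberately left alone, as Sam's list in #13 does.
HELPER_TOOL_FOLDERS = ("smitfraudfix", "qoobox")


@dataclass
class Finding:
    incident: str
    status: str
    location: str


def parse_report(text: str) -> List[Finding]:
    """Turn the report text into Finding records, skipping the header and blanks."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Incident Status Location"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised report line: {line!r}")
        findings.append(Finding(m["incident"], m["status"], m["location"]))
    return findings


def container_path(location: str) -> str:
    """Strip a trailing [archive member] so only the on-disk file remains."""
    m = ARCHIVE_MEMBER_RE.match(location)
    return m["container"] if m else location


def classify(f: Finding) -> str:
    """Bucket a finding: registry, already_handled, helper_tool, folder or file."""
    loc = f.location.lower()
    if loc.startswith("hkey_") or loc == "windows registry":
        return "registry"          # no file to delete; handled by other means
    if f.status != "Not disinfected":
        return "already_handled"   # Panda renamed/deleted it itself
    parts = [p for p in re.split(r"[\\/]", container_path(loc)) if p]
    if any(p in HELPER_TOOL_FOLDERS for p in parts):
        return "helper_tool"
    if "." not in parts[-1]:
        return "folder"            # heuristic: no extension on the last component
    return "file"


def killbox_candidates(text: str) -> Dict[str, List[str]]:
    """Group report locations by bucket; 'file' holds the paths to hand to Killbox."""
    buckets: Dict[str, List[str]] = {}
    for f in parse_report(text):
        kind = classify(f)
        path = container_path(f.location) if kind == "file" else f.location
        bucket = buckets.setdefault(kind, [])
        if path not in bucket:     # two archive members can share one container
            bucket.append(path)
    return buckets


if __name__ == "__main__":
    for kind, paths in killbox_candidates(SAMPLE_REPORT).items():
        print(kind)
        for p in paths:
            print("   ", p)
```

The "file" bucket reproduces the five file paths Sam listed; adding the parent folder `C:\Program Files\PSCastor` and dropping the Seekmo Start Menu folder were judgement calls the script leaves to the reader.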


========================================================

#14 Hguzman

Hguzman
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Local time:04:33 AM

Posted 16 November 2006 - 05:40 PM

Hello Sam again. I hope you are doing well.

I did not have any Norton activity today. I didn't use the computer like I usually do every day. I can tell that the speed of the computer has improved tremendously. Now I notice that my Instant Windows Messenger version went down to version 4.

Here is the log:
Pocket Killbox version 2.0.0.881
Running on Windows XP as Hiram Guzman(Administrator)
was started @ Thursday, November 16, 2006, 5:23 PM

# 1 [Delete on Reboot]
Path = C:\165.exe


# 2 [Delete on Reboot]
Path = C:\Program Files\PSCastor\PSCastor.exe


# 3 [Delete on Reboot]
Path = C:\Program Files\support.com\temp\ComcastToolbar.exe


# 4 [Delete on Reboot]
Path = C:\WINDOWS\ac3_0008.exe


# 5 [Delete on Reboot]
Path = C:\WINDOWS\SGlyYW0gR3V6bWFu\m35VsqX0lapdvqIR.vbs


# 6 [Delete on Reboot]
Path = C:\Program Files\PSCastor


I Rebooted @ 5:25:29 PM
Killbox Closed(Exit) @ 5:25:35 PM
__________________________________________________

Pocket Killbox version 2.0.0.881
Running on Windows XP as Hiram Guzman(Administrator)
was started @ Thursday, November 16, 2006, 5:29 PM

You are not going to believe this :thumbsup: but when I was doing this reply I had this notification from Symantec:
Scan type: Auto-Protect Scan
Event: Threat Found!
Threat: W32.Spybot.Worm
File: C:\WINDOWS\system32\eraseme_16486.exe
Location: C:\WINDOWS\system32
Computer: HIRAMGUZMAN
User: SYSTEM
Action taken: Clean failed : Quarantine failed : Delete succeeded : Access denied
Date found: Thursday, November 16, 2006 5:33:28 PM

:flowers: Anyway, I'll wait for your next response.

Thanks SAM :huh:

#15 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:33 AM

Posted 16 November 2006 - 05:45 PM

It looks like we'd better run through another virus scan.


Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.



========================================================
