Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

My Pc Was Taken Over Earlier This Week...


  • This topic is locked This topic is locked
30 replies to this topic

#1 kai00051

kai00051

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:07:02 PM

Posted 15 December 2006 - 09:23 AM

Hey guys, new to the forum and I 'advance' appreciate your help. Here's my gig. I was taken over on Monday and have been battling removing junk off my PC since. I noticed my wireless sending/receiving thousands of packets per minute. I also had random popups just generating. My internet (RoadRunner) was awfully slow, and always redirected me to updates.com. I have three sites in my 'Trusted Zone', but I cannot remove them.

So far, here is what I have tried.
1. As normal log-in, ran Windows Defender, Spybot, HijackThis Stinger.exe and Adware - found some stuff, but popups, lots of wireless packets and slowness remain.
2. As 'Administrator' in Safe-mode ran Windows Defender, Spybot, HijackThis Stinger.exe and Adware - found some stuff, but popups, lots of wireless packets and slowness remain.
3. Lastly, as my normal 'name' login in Safe-mode ran Windows Defender, Spybot, HijackThis Stinger.exe and Adware - found some stuff, but popups, lots of wireless packets and slowness remain.
4. I have tried 'System Restore' in normal and safe mode, and it won't complete. So, I cannot even restore my system back to a prior date (I tried like 3 dates...)
5. I tried to turn on Windows Firewall, it won't turn on. It errors out.

Here is my latest HijackThis log. Can anyone help? FWIW, HijackThis does not remove the three trusted sites, neither did removing them in safe mode??!! Wireless has been disabled. This thread is in Safe-Mode.

--------------
Logfile of HijackThis v1.99.1
Scan saved at 10:26:50 PM, on 12/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Casey\Desktop\Programs\HijackThis.exe

O15 - Trusted Zone: http://www.archiviosex.net
O15 - Trusted Zone: http://www.contentdiscount.info
O15 - Trusted Zone: http://www.extremeaccess.info
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\system32\PackethSvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
------------

BC AdBot (Login to Remove)

 


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:02 PM

Posted 15 December 2006 - 09:33 AM

Hi kai00051 and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:
Your hijackthis log looks a little sparce. Have you been fixing many lines from your log already?

Let's see what we got here.


Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:02 PM

Posted 15 December 2006 - 09:35 AM

Hi kai00051, :flowers:

Can you please reboot to go into Normal mode, run HijackThis and post the log here by using the Add Reply button?

I'll be happy to look at it for you. :thumbsup:

#4 kai00051

kai00051
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:07:02 PM

Posted 15 December 2006 - 09:49 AM

Here is my current HJT log in normal mode. I am working on combofix right now, and will post.

Thanks again!!!
===============
Logfile of HijackThis v1.99.1
Scan saved at 8:41:09 AM, on 12/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\PackethSvc.exe
C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\{E4B942B6-063A-1033-1203-011003010001}\Update.exe
C:\DOCUME~1\Casey\MYDOCU~1\ICROSO~1.NET\nslookup.exe
C:\Documents and Settings\Casey\Application Data\T?sks\msdtc.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Casey\Desktop\Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://registration.aol.com/mail?s_url=htt...ite-CurrentProd
R3 - URLSearchHook: (no name) - {DB9F3426-ACBF-8635-9AFD-86FA3FDB6FE6} - C:\WINDOWS\system32\nvpladof.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{34B94~1\Bar888.dll
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvsor.dll,startup
O4 - HKCU\..\Run: [Aaou] "C:\DOCUME~1\Casey\MYDOCU~1\ICROSO~1.NET\nslookup.exe" -vt yazb
O4 - HKCU\..\Run: [Vcahfv] C:\Documents and Settings\Casey\Application Data\T?sks\msdtc.exe
O15 - Trusted Zone: http://www.archiviosex.net
O15 - Trusted Zone: http://www.contentdiscount.info
O15 - Trusted Zone: http://www.extremeaccess.info
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\system32\PackethSvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#5 kai00051

kai00051
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:07:02 PM

Posted 15 December 2006 - 10:41 AM

Here is my combofix log, my internet is officially crippled!
--------------
Casey - 06-12-15 8:47:35.18 Service Pack 2
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Casey\Desktop"

((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Casey\Application Data\Dxccwrd.dll
C:\Documents and Settings\Casey\Application Data\Dxcknwrd.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\issearch.exe
C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\WINDOWS\system32\components
C:\Program Files\Common Files\{34B942B6-063A-1033-1203-011003010001}
C:\Program Files\Common Files\{E4B942B6-063A-1033-1203-011003010001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Casey\Application Data\FNTS~1
C:\QooBox\Purity\Documents and Settings\Casey\Application Data\TSKS~1
C:\QooBox\Purity\Documents and Settings\Casey\Application Data\TSKS~1\msdtc.exe
C:\QooBox\Purity\Documents and Settings\Casey\My Documents\ICROSO~1.NET
C:\QooBox\Purity\Documents and Settings\Casey\My Documents\ICROSO~1.NET\nslookup.exe
C:\QooBox\Purity\Documents and Settings\Casey\My Documents\ICROSO~1.NET\?icrosoft.NET
C:\QooBox\Purity\Documents and Settings\Casey\My Documents\ICROSO~1.NET\?icrosoft.NET\ctxad-518.0000
C:\QooBox\Purity\Documents and Settings\Casey\My Documents\ICROSO~1.NET\?icrosoft.NET\ctxad-518.0001
C:\QooBox\Purity\Documents and Settings\Casey\My Documents\ICROSO~1.NET\?icrosoft.NET\ctxad-518.0002
C:\QooBox\Purity\Documents and Settings\Casey\My Documents\ICROSO~1.NET\?icrosoft.NET\ctxad-518.0003
C:\QooBox\Purity\WINDOWS\system32\CURITY~1


((((((((((((((((((((((((((((((( Files Created from 2006-11-15 to 2006-12-15 ))))))))))))))))))))))))))))))))))


2006-12-15 08:48 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2006-12-15 07:47 58,880 --a------ C:\WINDOWS\system32\nvpladof.dll
2006-12-15 07:46 72,704 --a------ C:\WINDOWS\system32\drvsor.dll
2006-12-15 07:46 40,973 ---hs---- C:\WINDOWS\system32\fccawxw.dll
2006-12-12 06:26 11,648 --a------ C:\WINDOWS\system32\drivers\pxscrmbl.sys
2006-12-11 22:06 72,704 --a------ C:\WINDOWS\system32\drvkux.dll
2006-12-11 22:06 40,973 ---hs---- C:\WINDOWS\system32\ssqponm.dll
2006-12-11 21:16 <DIR> d-------- C:\Documents and Settings\Casey\Application Data\Lavasoft
2006-12-11 20:16 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2006-12-11 19:14 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-12-11 16:12 <DIR> d-------- C:\WINDOWS\network diagnostic
2006-12-11 16:09 <DIR> d----c--- C:\15286ffbb46239b614171233dc95
2006-12-11 13:56 88,340 --a------ C:\WINDOWS\system32\ivlpcjyt.exe
2006-12-11 13:55 802,539 ---hs---- C:\WINDOWS\system32\hgjlm.bak1
2006-12-11 13:55 42,516 --a------ C:\WINDOWS\system32\lumhyuul.dll
2006-12-11 13:55 276,532 ---hs---- C:\WINDOWS\system32\mljgh.dll
2006-12-11 13:55 126,996 --a------ C:\WINDOWS\system32\svftfxeb.dll
2006-12-11 13:52 18,432 --a------ C:\WINDOWS\system32\mlraakb.dll
2006-12-11 13:50 93,696 --a------ C:\WINDOWS\system32\frsvabb.dll
2006-12-11 13:50 72,704 --a------ C:\WINDOWS\system32\drvnas.dll
2006-12-11 13:50 71,680 --a------ C:\WINDOWS\system32\viyjhai.dll
2006-12-11 13:50 2 --a------ C:\WINDOWS\system32\wnsapicc.exe
2006-12-11 13:03 3,072 -r-hsc--- C:\jrcfquoh1313543578.exe
2006-12-11 12:54 69,632 --a------ C:\WINDOWS\system32\bpggfbbl.dll
2006-12-11 12:53 276,480 --a------ C:\WINDOWS\system32\fxlraptjn.exe
2006-12-11 12:53 107,614 --a------ C:\WINDOWS\AtxPID30.exe
2006-12-11 12:53 107,610 --a------ C:\WINDOWS\AtxPID29.exe
2006-12-11 12:53 1,329 --a------ C:\WINDOWS\system32\qyd234e3.sys
2006-12-11 12:52 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2006-12-11 12:52 8,224 --a------ C:\WINDOWS\system32\sysmon.exe
2006-12-11 12:52 328,784 -r-hs---- C:\WINDOWS\qdgljuo.exe
2006-12-11 12:52 29,696 --------- C:\WINDOWS\system32\rpcc.dll
2006-12-11 12:52 18,944 --a------ C:\WINDOWS\system32\winpcy32.dll
2006-12-06 19:24 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2006-12-06 19:24 <DIR> d-------- C:\Program Files\Windows Defender


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2006-12-15 09:02 -------- d-------- C:\Program Files\Common Files
2006-12-11 21:45 -------- d-------- C:\Program Files\Microsoft AntiSpyware
2006-12-11 21:26 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-12-11 21:16 -------- d-------- C:\Program Files\Lavasoft
2006-12-11 20:28 -------- d---s---- C:\Documents and Settings\Casey\Application Data\Microsoft
2006-12-11 19:50 -------- d-------- C:\Program Files\Windows Media Player
2006-12-11 19:50 -------- d-------- C:\Program Files\Internet Explorer
2006-12-11 16:39 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-12-11 13:36 -------- d-------- C:\Program Files\Common Files\Real
2006-12-11 13:16 -------- d-------- C:\Program Files\MSN
2006-12-07 20:06 -------- d-------- C:\Program Files\CompuServe 7.0
2006-12-06 19:24 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-12-03 11:56 -------- d-------- C:\Program Files\Java
2006-10-30 19:25 -------- d-------- C:\Documents and Settings\Casey\Application Data\Macromedia
2006-10-30 17:14 1080 --a--c--- C:\WINDOWS\AUTOLNCH.REG
2006-10-22 09:05 -------- d-------- C:\Program Files\Common Files\Nullsoft
2006-10-13 06:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Aaou"="\"C:\\DOCUME~1\\Casey\\MYDOCU~1\\ICROSO~1.NET\\nslookup.exe\" -vt yazb"
"Vcahfv"="C:\\Documents and Settings\\Casey\\Application Data\\T?sks\\msdtc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"CTDrive"="rundll32.exe C:\\WINDOWS\\system32\\drvsor.dll,startup"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"dylxv"="C:\\WINDOWS\\system32\\hkafuh.exe reg_run"
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"dylxv"="C:\\WINDOWS\\system32\\hkafuh.exe reg_run"
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{9cc1c589-4b22-4dae-8e12-4c3b5fa12b3f}"="gloomily"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{04CDB16C-AB38-43CD-A86A-6FEB90290939}"=""
"{9B0C7A02-A17A-4C81-BD7D-30A622701C36}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^armgb.exe]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\armgb.exe"
"backup"="C:\\WINDOWS\\pss\\armgb.exeCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\armgb.exe"
"item"="armgb"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Picture Transfer Software.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\KODAK Picture Transfer Software.lnk"
"backup"="C:\\WINDOWS\\pss\\KODAK Picture Transfer Software.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Kodak\\KODAKP~2\\pts.exe "
"item"="KODAK Picture Transfer Software"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MI1933~1\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Works Calendar Reminders.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Works Calendar Reminders.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\MICROS~1\\WORKSS~1\\wkcalrem.exe "
"item"="Microsoft Works Calendar Reminders"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPQEASYACC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="StartEAK"
"hkey"="HKLM"
"command"="C:\\Program Files\\Compaq\\Easy Access Button Support\\StartEAK.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="drvnas"
"hkey"="HKLM"
"command"="rundll32.exe C:\\WINDOWS\\system32\\drvnas.dll,startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeluxeCommunications]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Dxc"
"hkey"="HKLM"
"command"="C:\\Program Files\\DeluxeCommunications\\Dxc.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dylxv]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hkafuh"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\hkafuh.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\frsvabb.dll]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="frsvabb"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\frsvabb.dll,mhomdtd"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fxlraptjn]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="fxlraptjn"
"hkey"="HKLM"
"command"="c:\\windows\\system32\\fxlraptjn.exe fxlraptjn"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hcewuf]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hkafuh"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\hkafuh.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="optimize"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Internet Optimizer\\optimize.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kazaa"
"hkey"="HKLM"
"command"="C:\\Program Files\\Kazaa\\kazaa.exe /SYSTRAY"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WksSb"
"hkey"="HKLM"
"command"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WkDetect"
"hkey"="HKCU"
"command"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Money Startup"
"hkey"="HKCU"
"command"="c:\\Program Files\\Microsoft Money\\System\\Money Startup.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NBJ"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Ahead\\Nero BackItUp\\NBJ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NEWDOT~1"
"hkey"="HKLM"
"command"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~1.DLL,NewDotNetStartup -s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qdgljuoA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qdgljuoA"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\qdgljuoA.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qyd234e3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE w4e41463.dll,n 007234dc000000054e41463"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Smtray"
"hkey"="HKLM"
"command"="Smtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpyHunter"
"hkey"="HKLM"
"command"="C:\\Program Files\\Enigma Software Group\\SpyHunter\\SpyHunter.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="srmclean"
"hkey"="HKLM"
"command"="C:\\Cpqs\\Scom\\srmclean.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Systems]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sysmon"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\sysmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TheMonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Sloopy7"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\Sloopy7.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tolulime]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tolulime"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\$NtUninstallKB842773$\\tolulime.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WCOLOREAL]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="coloreal"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\COMPAQ\\Coloreal\\coloreal.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\win32090-45762081]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="win32090-45762081"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\win32090-45762081.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDOWS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hibkc"
"hkey"="HKLM"
"command"="c:\\hibkc.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MSASCui"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinMedia]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jrcfquoh1313543578"
"hkey"="HKCU"
"command"="\"C:\\jrcfquoh1313543578.exe\" "
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinUpdate]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jrcfquoh1313546625"
"hkey"="HKCU"
"command"="\"C:\\jrcfquoh1313546625.exe\" "
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljgh
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqponm
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winpcy32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, msnsspc.dll, digest.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Registration reminder 1.job
C:\WINDOWS\tasks\Registration reminder 2.job
C:\WINDOWS\tasks\Registration reminder 3.job

Completion time: 06-12-15 9:04:49.43
C:\ComboFix.txt ... 06-12-15 09:04

#6 kai00051

kai00051
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:07:02 PM

Posted 15 December 2006 - 11:15 AM

PS, anytime now I try to do my Windows Security Update, my PC Blue-screens and re-starts. Also, I now have a red bubble in the lower right hand corner with an exclamation point in it, indicating 'security issues'. I didn't do anything with this as I have never seen it before, however, I feel that it might be related to ComboFix???


Thanks

#7 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:02 PM

Posted 15 December 2006 - 11:56 AM

No, that's not part of Combofix. It's due to one of the malware infections on your computer. Your computer is heavily infected. We're going to need some tools to clean it all up and this may take a few steps.

Download
http://www.uploads.ejvindh.net/rustbfix.exe
...and save it to your desktop.

Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these logfiles.


==============


Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt even if Vundofix found no infected files.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.


Also post a new hijackthis log.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#8 kai00051

kai00051
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:07:02 PM

Posted 15 December 2006 - 12:26 PM

Internet is running faster :thumbsup:. Please note, all this was NOT done in SafeMode:
========
************************* Rustock.b-fix -- By ejvindh *************************
Fri 12/15/2006 11:02:30.32


******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....
Examine the Avenger-logfile in order to assess the success of the unload-procedure

Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 68968
Total size: 68968 bytes.
Attempting to remove ADS...
system32: deleted 68968 bytes in 1 streams.


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No streams found.


******************************* End of Logfile ********************************
=========
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\kdpxbmif

*******************

Script file located at: \??\C:\Documents and Settings\wypgpepp.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.
=========

VundoFix V6.2.13

Checking Java version...

Java version is 1.5.0.7

Java version is 1.5.0.9

Scan started at 11:08:39 AM 12/15/2006

Listing files found while scanning....

C:\WINDOWS\system32\winpcy32.dll
C:\WINDOWS\system32\mljgh.dll
C:\WINDOWS\system32\hgjlm.ini
C:\WINDOWS\system32\hgjlm.bak1

Beginning removal...

Attempting to delete C:\WINDOWS\system32\winpcy32.dll
C:\WINDOWS\system32\winpcy32.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mljgh.dll
C:\WINDOWS\system32\mljgh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hgjlm.ini
C:\WINDOWS\system32\hgjlm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\hgjlm.bak1
C:\WINDOWS\system32\hgjlm.bak1 Has been deleted!

Performing Repairs to the registry.
Done!
=========
Logfile of HijackThis v1.99.1
Scan saved at 11:21:08 AM, on 12/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\PackethSvc.exe
C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Casey\Desktop\Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://registration.aol.com/mail?s_url=htt...ite-CurrentProd
R3 - URLSearchHook: (no name) - {DB9F3426-ACBF-8635-9AFD-86FA3FDB6FE6} - C:\WINDOWS\system32\nvpladof.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\lumhyuul.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7411F8BA-29A3-3216-9DE7-024AC0AAB9F6} - C:\WINDOWS\system32\viyjhai.dll
O2 - BHO: (no name) - {9B0C7A02-A17A-4C81-BD7D-30A622701C36} - C:\WINDOWS\system32\ssqponm.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{34B94~1\Bar888.dll (file missing)
O2 - BHO: (no name) - {DB9F3426-ACBF-8635-9AFD-86FA3FDB6FE6} - C:\WINDOWS\system32\nvpladof.dll
O2 - BHO: (no name) - {f4d74aaa-a178-4463-846b-b4bc87a024e0} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: (no name) - {F6D43F1C-335A-4F71-9A66-ECECE0FFF43E} - C:\WINDOWS\system32\mljgh.dll (file missing)
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{34B94~1\Bar888.dll (file missing)
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvsor.dll,startup
O4 - HKCU\..\Run: [Aaou] "C:\DOCUME~1\Casey\MYDOCU~1\ICROSO~1.NET\nslookup.exe" -vt yazb
O4 - HKCU\..\Run: [Vcahfv] C:\Documents and Settings\Casey\Application Data\T?sks\msdtc.exe
O15 - Trusted Zone: http://www.archiviosex.net
O15 - Trusted Zone: http://www.contentdiscount.info
O15 - Trusted Zone: http://www.extremeaccess.info
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: ssqponm - C:\WINDOWS\SYSTEM32\ssqponm.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\system32\PackethSvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
=========

Edited by kai00051, 15 December 2006 - 12:28 PM.


#9 kai00051

kai00051
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:07:02 PM

Posted 15 December 2006 - 04:25 PM

Ahhh, Buckeye_Sam, where are you.

Go OSU!

#10 kai00051

kai00051
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:07:02 PM

Posted 15 December 2006 - 08:28 PM

Buckeye, please tell me you didn't take a four day weekend! ahahahahaha :thumbsup:

#11 kai00051

kai00051
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:07:02 PM

Posted 16 December 2006 - 09:43 AM

Oh no, am I alone on this one? helllppp, please! :thumbsup:

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:02 PM

Posted 16 December 2006 - 10:29 AM

Please be patient. I do have a job and a family, so I'm not here 24-7.


Run Hijackthis again, click scan, and Put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R3 - URLSearchHook: (no name) - {DB9F3426-ACBF-8635-9AFD-86FA3FDB6FE6} - C:\WINDOWS\system32\nvpladof.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\lumhyuul.dll
O2 - BHO: (no name) - {7411F8BA-29A3-3216-9DE7-024AC0AAB9F6} - C:\WINDOWS\system32\viyjhai.dll
O2 - BHO: (no name) - {9B0C7A02-A17A-4C81-BD7D-30A622701C36} - C:\WINDOWS\system32\ssqponm.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{34B94~1\Bar888.dll (file missing)
O2 - BHO: (no name) - {DB9F3426-ACBF-8635-9AFD-86FA3FDB6FE6} - C:\WINDOWS\system32\nvpladof.dll
O2 - BHO: (no name) - {f4d74aaa-a178-4463-846b-b4bc87a024e0} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: (no name) - {F6D43F1C-335A-4F71-9A66-ECECE0FFF43E} - C:\WINDOWS\system32\mljgh.dll (file missing)
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{34B94~1\Bar888.dll (file missing)
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvsor.dll,startup
O4 - HKCU\..\Run: [Aaou] "C:\DOCUME~1\Casey\MYDOCU~1\ICROSO~1.NET\nslookup.exe" -vt yazb
O4 - HKCU\..\Run: [Vcahfv] C:\Documents and Settings\Casey\Application Data\T?sks\msdtc.exe
O15 - Trusted Zone: http://www.archiviosex.net
O15 - Trusted Zone: http://www.contentdiscount.info
O15 - Trusted Zone: http://www.extremeaccess.info
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: ssqponm - C:\WINDOWS\SYSTEM32\ssqponm.dll
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)




=============



Please download AVG Anti-Spyware and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need run Ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.

  • Clean out your Temporary Internet files.
    • Internet Explorer
      • Close Internet Explorer and close any instances of Windows Explorer.
      • Click Start -> Control Panel and then double-click Internet Options.
      • On the General tab, click Delete Files under Temporary Internet Files.
      • In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
      • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
      • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
      • Click OK.
    • Firefox (In case you also have Firefox installed)
      • Open Firefox and go to Tools -> Options.
      • Click Privacy in the menu on the left side of the Options window.
      • Click the Clear button located to the right of each option (History, Cookies, Cache).
      • Click OK to close the Options window.
        Alternatively, you can clear all information stored while browsing by clicking Clear All.
        A confirmation dialog box will be shown before clearing the information.
    IMPORTANT: Close all windows and do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess:

  • Lauch AVG Anti-Spyware by double-clicking the icon on your desktop.
    • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
      Once the scan is complete do the following:
    • If you have any infections you will prompted, then select "Apply all actions"
    • Next select the "Reports" icon at the top.
    • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    • Close AVG Anti-Spyware and reboot your system back into Normal Mode.
Please post the results of the AVG Anti-Spyware scan report along with a new Combofix log.

Edited by Buckeye_Sam, 16 December 2006 - 10:30 AM.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 kai00051

kai00051
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:07:02 PM

Posted 16 December 2006 - 11:55 AM

Thanks Buckeye again for your help. I currently am running AVG in safe mode and will report back when it's finished. A few things to note. When I re-ran HJT, it didn't report some of what you told me to delete, specifially the O2-BHO's. Also, when I got AVG, it started running on its own and tried to remove malware, I just stated 'ignore' as I figured running it in SafeMode is the best method. Results to come shortly. Thanks again!

#14 kai00051

kai00051
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:07:02 PM

Posted 16 December 2006 - 03:35 PM

I ran AVG and tried to save the report, but it didn't allow me. I closed AVG and had to reboot and still couldn't see my desktop. So, I'll reboot normally and run ComboFix and generate that report along with a new HJT...thanks!

Edited by kai00051, 16 December 2006 - 03:39 PM.


#15 kai00051

kai00051
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:07:02 PM

Posted 16 December 2006 - 04:20 PM

Here is my ComboFix log and HJT log. I was unable to get one from AVG. I do know though that it quarentined 51 items and detected 100 malware so far. AVG is now running on my machine. Everything you see here is in Normal Mode as in SafeMode I couldn't even see my desktop or get any menus. Thanks again for your help! (PS, popups still ocurring while I submit this.

=========
Casey - 06-12-16 14:37:38.62 Service Pack 2
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Casey\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Casey\Application Data\FNTS~1
C:\QooBox\Purity\Documents and Settings\Casey\Application Data\TSKS~1
C:\QooBox\Purity\Documents and Settings\Casey\Application Data\TSKS~1\msdtc.exe
C:\QooBox\Purity\Documents and Settings\Casey\My Documents\ICROSO~1.NET
C:\QooBox\Purity\Documents and Settings\Casey\My Documents\ICROSO~1.NET\?icrosoft.NET
C:\QooBox\Purity\Documents and Settings\Casey\My Documents\ICROSO~1.NET\?icrosoft.NET\ctxad-518.0000
C:\QooBox\Purity\Documents and Settings\Casey\My Documents\ICROSO~1.NET\?icrosoft.NET\ctxad-518.0001
C:\QooBox\Purity\Documents and Settings\Casey\My Documents\ICROSO~1.NET\?icrosoft.NET\ctxad-518.0002
C:\QooBox\Purity\Documents and Settings\Casey\My Documents\ICROSO~1.NET\?icrosoft.NET\ctxad-518.0003
C:\QooBox\Purity\WINDOWS\system32\CURITY~1


((((((((((((((((((((((((((((((( Files Created from 2006-11-16 to 2006-12-16 ))))))))))))))))))))))))))))))))))


2006-12-16 14:36 44,052 --a------ C:\WINDOWS\system32\xutbcawe.dll
2006-12-16 10:42 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-12-16 10:42 <DIR> d-------- C:\Program Files\Grisoft
2006-12-15 11:23 665,372 ---hs---- C:\WINDOWS\system32\ilnmp.bak1
2006-12-15 11:23 44,052 --a------ C:\WINDOWS\system32\igvsgegq.dll
2006-12-15 11:23 276,532 ---hs---- C:\WINDOWS\system32\pmnli.dll
2006-12-15 11:08 <DIR> d----c--- C:\VundoFix Backups
2006-12-15 11:08 <DIR> d----c--- C:\avenger
2006-12-15 11:02 <DIR> d----c--- C:\Rustbfix
2006-12-15 08:48 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2006-12-15 07:46 72,704 --a------ C:\WINDOWS\system32\drvsor.dll
2006-12-12 06:26 11,648 --a------ C:\WINDOWS\system32\drivers\pxscrmbl.sys
2006-12-11 22:06 72,704 --a------ C:\WINDOWS\system32\drvkux.dll
2006-12-11 21:16 <DIR> d-------- C:\Documents and Settings\Casey\Application Data\Lavasoft
2006-12-11 20:16 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2006-12-11 19:14 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-12-11 16:12 <DIR> d-------- C:\WINDOWS\network diagnostic
2006-12-11 16:09 <DIR> d----c--- C:\15286ffbb46239b614171233dc95
2006-12-11 13:56 88,340 --a------ C:\WINDOWS\system32\ivlpcjyt.exe
2006-12-11 13:55 42,516 --a------ C:\WINDOWS\system32\lumhyuul.dll
2006-12-11 13:55 126,996 --a------ C:\WINDOWS\system32\svftfxeb.dll
2006-12-11 13:52 18,432 --a------ C:\WINDOWS\system32\mlraakb.dll
2006-12-11 13:50 72,704 --a------ C:\WINDOWS\system32\drvnas.dll
2006-12-11 12:53 276,480 --a------ C:\WINDOWS\system32\fxlraptjn.exe
2006-12-11 12:53 107,614 --a------ C:\WINDOWS\AtxPID30.exe
2006-12-11 12:53 107,610 --a------ C:\WINDOWS\AtxPID29.exe
2006-12-11 12:53 1,329 --a------ C:\WINDOWS\system32\qyd234e3.sys
2006-12-11 12:52 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2006-12-11 12:52 29,696 --------- C:\WINDOWS\system32\rpcc.dll
2006-12-06 19:24 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2006-12-06 19:24 <DIR> d-------- C:\Program Files\Windows Defender


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-15 18:33 -------- d-------- C:\Program Files\CompuServe 7.0
2006-12-15 09:02 -------- d-------- C:\Program Files\Common Files
2006-12-11 21:45 -------- d-------- C:\Program Files\Microsoft AntiSpyware
2006-12-11 21:26 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-12-11 21:16 -------- d-------- C:\Program Files\Lavasoft
2006-12-11 20:28 -------- d---s---- C:\Documents and Settings\Casey\Application Data\Microsoft
2006-12-11 19:50 -------- d-------- C:\Program Files\Windows Media Player
2006-12-11 19:50 -------- d-------- C:\Program Files\Internet Explorer
2006-12-11 16:39 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-12-11 13:36 -------- d-------- C:\Program Files\Common Files\Real
2006-12-11 13:16 -------- d-------- C:\Program Files\MSN
2006-12-06 19:24 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-12-03 11:56 -------- d-------- C:\Program Files\Java
2006-10-30 19:25 -------- d-------- C:\Documents and Settings\Casey\Application Data\Macromedia
2006-10-30 17:14 1080 --a--c--- C:\WINDOWS\AUTOLNCH.REG
2006-10-22 09:05 -------- d-------- C:\Program Files\Common Files\Nullsoft
2006-10-13 06:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"dylxv"="C:\\WINDOWS\\system32\\hkafuh.exe reg_run"
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"dylxv"="C:\\WINDOWS\\system32\\hkafuh.exe reg_run"
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{9cc1c589-4b22-4dae-8e12-4c3b5fa12b3f}"="gloomily"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{04CDB16C-AB38-43CD-A86A-6FEB90290939}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^armgb.exe]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\armgb.exe"
"backup"="C:\\WINDOWS\\pss\\armgb.exeCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\armgb.exe"
"item"="armgb"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Picture Transfer Software.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\KODAK Picture Transfer Software.lnk"
"backup"="C:\\WINDOWS\\pss\\KODAK Picture Transfer Software.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Kodak\\KODAKP~2\\pts.exe "
"item"="KODAK Picture Transfer Software"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MI1933~1\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Works Calendar Reminders.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Works Calendar Reminders.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\MICROS~1\\WORKSS~1\\wkcalrem.exe "
"item"="Microsoft Works Calendar Reminders"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPQEASYACC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="StartEAK"
"hkey"="HKLM"
"command"="C:\\Program Files\\Compaq\\Easy Access Button Support\\StartEAK.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="drvnas"
"hkey"="HKLM"
"command"="rundll32.exe C:\\WINDOWS\\system32\\drvnas.dll,startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeluxeCommunications]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Dxc"
"hkey"="HKLM"
"command"="C:\\Program Files\\DeluxeCommunications\\Dxc.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dylxv]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hkafuh"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\hkafuh.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\frsvabb.dll]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="frsvabb"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\frsvabb.dll,mhomdtd"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fxlraptjn]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="fxlraptjn"
"hkey"="HKLM"
"command"="c:\\windows\\system32\\fxlraptjn.exe fxlraptjn"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hcewuf]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hkafuh"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\hkafuh.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="optimize"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Internet Optimizer\\optimize.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kazaa"
"hkey"="HKLM"
"command"="C:\\Program Files\\Kazaa\\kazaa.exe /SYSTRAY"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WksSb"
"hkey"="HKLM"
"command"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WkDetect"
"hkey"="HKCU"
"command"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Money Startup"
"hkey"="HKCU"
"command"="c:\\Program Files\\Microsoft Money\\System\\Money Startup.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NBJ"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Ahead\\Nero BackItUp\\NBJ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NEWDOT~1"
"hkey"="HKLM"
"command"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~1.DLL,NewDotNetStartup -s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qdgljuoA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qdgljuoA"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\qdgljuoA.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qyd234e3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE w4e41463.dll,n 007234dc000000054e41463"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Smtray"
"hkey"="HKLM"
"command"="Smtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpyHunter"
"hkey"="HKLM"
"command"="C:\\Program Files\\Enigma Software Group\\SpyHunter\\SpyHunter.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="srmclean"
"hkey"="HKLM"
"command"="C:\\Cpqs\\Scom\\srmclean.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Systems]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sysmon"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\sysmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TheMonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Sloopy7"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\Sloopy7.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tolulime]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tolulime"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\$NtUninstallKB842773$\\tolulime.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WCOLOREAL]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="coloreal"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\COMPAQ\\Coloreal\\coloreal.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\win32090-45762081]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="win32090-45762081"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\win32090-45762081.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDOWS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hibkc"
"hkey"="HKLM"
"command"="c:\\hibkc.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MSASCui"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinMedia]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jrcfquoh1313543578"
"hkey"="HKCU"
"command"="\"C:\\jrcfquoh1313543578.exe\" "
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinUpdate]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jrcfquoh1313546625"
"hkey"="HKCU"
"command"="\"C:\\jrcfquoh1313546625.exe\" "
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnli
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, msnsspc.dll, digest.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Registration reminder 1.job
C:\WINDOWS\tasks\Registration reminder 2.job
C:\WINDOWS\tasks\Registration reminder 3.job

Completion time: 06-12-16 14:50:13.75
C:\ComboFix.txt ... 06-12-16 14:50
C:\ComboFix2.txt ... 06-12-15 09:04
=========
Logfile of HijackThis v1.99.1
Scan saved at 3:13:09 PM, on 12/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\PackethSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Casey\Desktop\Programs\HijackThis.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O15 - Trusted Zone: http://www.archiviosex.net
O15 - Trusted Zone: http://www.contentdiscount.info
O15 - Trusted Zone: http://www.extremeaccess.info
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINDOWS\System32\DRIVERS\dcfssvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\system32\PackethSvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



=========

Edited by kai00051, 16 December 2006 - 04:21 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users