Smitfraud-c.toolbar888


8 replies to this topic

#1 midz


Posted 07 February 2007 - 12:02 AM

I've run Spybot S&D several times and followed the "extra" directions that it told me to do (kill the processes within winlogon.exe) and I still have had no luck getting rid of this. I've run Ad-Aware several times and I've also run both programs in safe mode and not in safe mode. My firewall has been popping up with several strangely-named programs attempting to connect to the internet including Explorer.exe and mshtml2.exe. (Is HJT supposed to connect to the internet??) I can't get rid of these things and I have no idea what else to do! Please help!!! Here's my HJT log:



Logfile of HijackThis v1.99.1
Scan saved at 11:34:49 PM, on 2/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\eEye Digital Security\Blink\blinksvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\eEye Digital Security\Blink\BLINK.EXE
C:\PROGRA~1\PeoplePC\ISP6200\Browser\PPShared.exe
C:\Program Files\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
C:\Program Files\PeoplePC\ISP6200\Browser\Bartshel.exe
C:\Program Files\PeoplePC\ISP6200\Browser\Bartshel.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\TEMP\mshtml2.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Common Files\{C43F9BAE-0510-1033-1109-040308200001}\Update.exe
C:\Documents and Settings\t04d\Desktop\STUFF\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D1A2FF3-1ADF-4935-A2A7-CA9DCE67D450} - C:\WINDOWS\system32\awtqnkk.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\PPCToolbar.dll
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\PPCToolbar.dll
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [RandMAC] C:\Documents and Settings\t04d\Desktop\MadMACs\MadMACs\MadMACs.exe doittoit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6200\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\system32\v6.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [{C43F9BAE-0510-1033-1109-040308200001}] "C:\Program Files\Common Files\{C43F9BAE-0510-1033-1109-040308200001}\Update.exe" mc-110-12-0000272
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Blink Personal.lnk = C:\Program Files\eEye Digital Security\Blink\BLINK.EXE
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6412F34B-201E-498F-89BE-09F1135F6683}: NameServer = 209.244.0.3 209.244.0.4
O18 - Filter: text/html - {72D50253-BE71-4c85-9B38-6331E5AD1499} - C:\Program Files\eEye Digital Security\Blink\IEMimeFilter.dll
O20 - Winlogon Notify: awtqnkk - C:\WINDOWS\SYSTEM32\awtqnkk.dll
O20 - Winlogon Notify: ddcbyaw - C:\WINDOWS\SYSTEM32\ddcbyaw.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: wintzw32 - C:\WINDOWS\SYSTEM32\wintzw32.dll
O23 - Service: eEye Blink Engine (blinksvc) - eEye Digital Security - C:\Program Files\eEye Digital Security\Blink\blinksvc.exe
O23 - Service: eEye Application Bus (eeyeevnt) - eEye Digital Security - C:\Program Files\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)


#2 RichieUK

Malware Response Team

Posted 07 February 2007 - 04:33 AM

Welcome to Bleeping Computer midz :thumbsup:

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use the Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use the Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

==========================

Download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Reboot your computer into Safe Mode.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select #2 and hit Enter to delete the infected files.
You will be prompted: 'Do you want to clean the registry?' answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): 'Replace infected file ?' answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process.
The report can be found at the root of the system drive, usually at C:\rapport.txt
Post the smitfraudfix report into your next reply

==========================

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click "OK".
Please post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Reboot, post the smitfraudfix report, the C:\vundofix.txt, and a new Hijackthis log into your next reply please.

#3 midz


Posted 07 February 2007 - 01:56 PM

Alright, I ran those tools and they did find a few nasty things, so here are the logs....

Smitfraud:

SmitFraudFix v2.139

Scan done at 13:13:47.77, Wed 02/07/2007
Run from C:\Documents and Settings\t04d\Desktop\ANTIVIRUS\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts

127.0.0.1 localhost





Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\WINDOWS\svchost.exe Deleted
C:\WINDOWS\system32\svchosts.exe Deleted

Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End




Vundofix:


VundoFix V6.0.1

Checking Java version...

Java version is 1.4.2.3

Scan started at 4:30:22 PM 8/17/2006

Listing files found while scanning....

No infected files were found.


VundoFix V6.0.1

Checking Java version...

Java version is 1.4.2.3

Scan started at 5:59:33 PM 12/18/2006

Listing files found while scanning....

No infected files were found.


VundoFix V6.0.1

Checking Java version...

Java version is 1.4.2.3

Scan started at 8:20:40 PM 2/5/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.3.5

Checking Java version...

Java version is 1.4.2.3

Scan started at 1:18:00 PM 2/7/2007

Listing files found while scanning....

C:\WINDOWS\system32\awtqnkk.dll
C:\WINDOWS\system32\bunosojd.exe
C:\WINDOWS\system32\dcrjjvvo.ini
C:\WINDOWS\system32\ddcbyaw.dll
C:\WINDOWS\system32\efuspuhx.exe
C:\WINDOWS\system32\ovvjjrcd.dll
C:\WINDOWS\system32\wintzw32.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awtqnkk.dll
C:\WINDOWS\system32\awtqnkk.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\bunosojd.exe
C:\WINDOWS\system32\bunosojd.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\dcrjjvvo.ini
C:\WINDOWS\system32\dcrjjvvo.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddcbyaw.dll
C:\WINDOWS\system32\ddcbyaw.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\efuspuhx.exe
C:\WINDOWS\system32\efuspuhx.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\ovvjjrcd.dll
C:\WINDOWS\system32\ovvjjrcd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wintzw32.dll
C:\WINDOWS\system32\wintzw32.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awtqnkk.dll
C:\WINDOWS\system32\awtqnkk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddcbyaw.dll
C:\WINDOWS\system32\ddcbyaw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wintzw32.dll
C:\WINDOWS\system32\wintzw32.dll Has been deleted!

Performing Repairs to the registry.
Done!


And it did report there were some files that couldn't be removed, but when I rebooted the computer VundoFix popped up and finished cleaning them out.

And here's my HJT:

Logfile of HijackThis v1.99.1
Scan saved at 1:51:22 PM, on 2/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\eEye Digital Security\Blink\blinksvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\PeoplePC\ISP6200\Browser\Bartshel.exe
C:\Program Files\Common Files\{C43F9BAE-0510-1033-1109-040308200001}\Update.exe
C:\Program Files\eEye Digital Security\Blink\BLINK.EXE
C:\PROGRA~1\PeoplePC\ISP6200\Browser\PPShared.exe
C:\Program Files\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
C:\Program Files\PeoplePC\ISP6200\Browser\Bartshel.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\t04d\Desktop\STUFF\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {563AF8EA-5807-4FBC-A58E-ED7D9838F9C7} - C:\WINDOWS\system32\ddcbyaw.dll (file missing)
O2 - BHO: (no name) - {6D1A2FF3-1ADF-4935-A2A7-CA9DCE67D450} - C:\WINDOWS\system32\awtqnkk.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\PPCToolbar.dll
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\PPCToolbar.dll
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [RandMAC] C:\Documents and Settings\t04d\Desktop\MadMACs\MadMACs\MadMACs.exe doittoit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6200\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\system32\v6.exe
O4 - HKLM\..\Run: [{C43F9BAE-0510-1033-1109-040308200001}] "C:\Program Files\Common Files\{C43F9BAE-0510-1033-1109-040308200001}\Update.exe" mc-110-12-0000272
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Blink Personal.lnk = C:\Program Files\eEye Digital Security\Blink\BLINK.EXE
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6412F34B-201E-498F-89BE-09F1135F6683}: NameServer = 209.244.0.3 209.244.0.4
O18 - Filter: text/html - {72D50253-BE71-4c85-9B38-6331E5AD1499} - C:\Program Files\eEye Digital Security\Blink\IEMimeFilter.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: eEye Blink Engine (blinksvc) - eEye Digital Security - C:\Program Files\eEye Digital Security\Blink\blinksvc.exe
O23 - Service: eEye Application Bus (eeyeevnt) - eEye Digital Security - C:\Program Files\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

#4 RichieUK

Malware Response Team

Posted 07 February 2007 - 02:15 PM

Please make sure all hidden files are showing:

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

============================

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {563AF8EA-5807-4FBC-A58E-ED7D9838F9C7} - C:\WINDOWS\system32\ddcbyaw.dll (file missing)
O2 - BHO: (no name) - {6D1A2FF3-1ADF-4935-A2A7-CA9DCE67D450} - C:\WINDOWS\system32\awtqnkk.dll (file missing)
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\system32\v6.exe
O4 - HKLM\..\Run: [{C43F9BAE-0510-1033-1109-040308200001}] "C:\Program Files\Common Files\{C43F9BAE-0510-1033-1109-040308200001}\Update.exe" mc-110-12-0000272

Exit Hijackthis.

Reboot your computer into "Safe Mode" using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Find and delete if present:
C:\WINDOWS\system32\v6.exe
C:\Program Files\Common Files\{C43F9BAE-0510-1033-1109-040308200001}
Reboot normally.

============================

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into "Safe Mode" using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

Post the DrWeb.csv report and a new Hijackthis log into your next reply.
Let me know how your pc is running now please.

#5 midz


Posted 08 February 2007 - 01:24 PM

Ok so here's my drweb log:

Yazzle1162OinAdmin.exe;C:\Program Files\Common Files;Adware.ClickSpring;Incurable.Deleted.;
mirc.exe;C:\Program Files\Frogger;Program.mIRC.60;;
moo.dll;C:\Program Files\mIRC;Program.MotherboardMonitor;;
mirc.exe;C:\Program Files\mIRC\backup;Program.mIRC.60;;
mirc.exe;C:\Program Files\mIRC\download\No-Fear;Program.mIRC.616;;
moo.dll;C:\Program Files\mIRC\Xcpu[1065117769];Program.MotherboardMonitor;;
system.dll;C:\RECYCLER\S-1-5-21-861567501-492894223-854245398-1006\Dc1;Trojan.DownLoader.17039;Deleted.;
Update.exe;C:\RECYCLER\S-1-5-21-861567501-492894223-854245398-1006\Dc1;Trojan.DownLoader.17040;Deleted.;
awtqnkk.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
bunosojd.exe.bad;C:\VundoFix Backups;Adware.TopSearch;Incurable.Deleted.;
ddcbyaw.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
efuspuhx.exe.bad;C:\VundoFix Backups;Adware.TopSearch;Incurable.Deleted.;
ovvjjrcd.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
wintzw32.dll.bad;C:\VundoFix Backups;Trojan.Mezzia;Deleted.;
awtqqpm.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
byxutqo.dll.vir;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
flqwswmt.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
gmbcloca.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
gpcoonms.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Deleted.;
rqrom.dll.vir;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
waxgkltp.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;


My HJT log afterwards:

Logfile of HijackThis v1.99.1
Scan saved at 1:19:13 PM, on 2/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\eEye Digital Security\Blink\blinksvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\PeoplePC\ISP6200\Browser\Bartshel.exe
C:\PROGRA~1\PeoplePC\ISP6200\Browser\PPShared.exe
C:\Program Files\eEye Digital Security\Blink\BLINK.EXE
C:\Program Files\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
C:\Program Files\PeoplePC\ISP6200\Browser\Bartshel.exe
C:\Program Files\mIRC\mirc.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\t04d\Desktop\ANTIVIRUS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\PPCToolbar.dll
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\PPCToolbar.dll
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [RandMAC] C:\Documents and Settings\t04d\Desktop\MadMACs\MadMACs\MadMACs.exe doittoit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6200\BIN\PPCOLink.exe -STATION
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Blink Personal.lnk = C:\Program Files\eEye Digital Security\Blink\BLINK.EXE
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6412F34B-201E-498F-89BE-09F1135F6683}: NameServer = 209.244.0.3 209.244.0.4
O18 - Filter: text/html - {72D50253-BE71-4c85-9B38-6331E5AD1499} - C:\Program Files\eEye Digital Security\Blink\IEMimeFilter.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: eEye Blink Engine (blinksvc) - eEye Digital Security - C:\Program Files\eEye Digital Security\Blink\blinksvc.exe
O23 - Service: eEye Application Bus (eeyeevnt) - eEye Digital Security - C:\Program Files\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)



The computer has been running a lot better and I haven't seen any strange programs popping up trying to make connections. I'm gonna check my firewall settings one more time just to make sure those little buggers didn't make any rules to get past it, and also check my download speed (won't be very fast 'cause I'm on 56k), but so far everything seems to be ok :thumbsup:
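
The Dr.Web report above mixes three different things: files still on the live system, copies VundoFix had already moved to C:\VundoFix Backups, and items sitting in the Recycle Bin under C:\RECYCLER, and it also lists riskware such as the mIRC installs without acting on them. The Python below, an added example rather than anything from the thread or from Dr.Web, sorts the rows by location and class so that the only list that matters, live malware with an empty action column, stands out instead of being buried under quarantine copies. It assumes the semicolon layout shown in the post (name;directory;detection;action;), that C:\VundoFix Backups and C:\RECYCLER hold copies rather than active files, and that Dr.Web's "Program." and "Tool." prefixes denote riskware rather than infections; the final sample row, zzexample.dll, is constructed to exercise the unresolved case and is not in the thread.

```python
"""Summarise a Dr.Web CureIt report like the one posted above.
Added example, not part of the thread or of Dr.Web."""
from collections import Counter

# Sample input: nine lines copied from the report above plus one constructed
# line (zzexample.dll, not in the thread) whose action column is empty.
SAMPLE_REPORT = r"""
Yazzle1162OinAdmin.exe;C:\Program Files\Common Files;Adware.ClickSpring;Incurable.Deleted.;
mirc.exe;C:\Program Files\Frogger;Program.mIRC.60;;
moo.dll;C:\Program Files\mIRC;Program.MotherboardMonitor;;
system.dll;C:\RECYCLER\S-1-5-21-861567501-492894223-854245398-1006\Dc1;Trojan.DownLoader.17039;Deleted.;
awtqnkk.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
wintzw32.dll.bad;C:\VundoFix Backups;Trojan.Mezzia;Deleted.;
awtqqpm.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Deleted.;
waxgkltp.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
zzexample.dll;C:\WINDOWS\system32;Trojan.Virtumod;;
"""

BACKUP_DIRS = (r"c:\vundofix backups",)    # assumption: VundoFix's copies of removed files
RECYCLE_DIRS = (r"c:\recycler",)           # XP Recycle Bin: already deleted by the user
RISKWARE_PREFIXES = ("Program.", "Tool.")  # assumption about Dr.Web's class names


def parse(report):
    """Return one dict per 'name;directory;detection;action;' row."""
    rows = []
    for line in report.splitlines():
        fields = [f.strip() for f in line.strip().split(";")]
        if len(fields) < 4 or not fields[0]:
            continue                           # blank line or not a detection row
        name, directory, detection, action = fields[:4]
        rows.append({"name": name, "dir": directory, "detection": detection, "action": action})
    return rows


def location(directory):
    """Where the hit lives: on the running system, in a tool's backup folder, or in the bin."""
    d = directory.lower()
    if d.startswith(BACKUP_DIRS):
        return "backup"
    if d.startswith(RECYCLE_DIRS):
        return "recycle_bin"
    return "live"


def kind(detection):
    return "riskware" if detection.startswith(RISKWARE_PREFIXES) else "malware"


def summarize(report):
    """Counts per kind/location plus the live malware hits Dr.Web took no action on."""
    counts, unresolved = Counter(), []
    for row in parse(report):
        k, loc = kind(row["detection"]), location(row["dir"])
        counts[f"{k}/{loc}"] += 1
        if k == "malware" and loc == "live" and not row["action"]:
            unresolved.append(row["dir"] + "\\" + row["name"])
    return {"counts": dict(counts), "unresolved": unresolved}


if __name__ == "__main__":
    result = summarize(SAMPLE_REPORT)
    for bucket, n in sorted(result["counts"].items()):
        print(f"{bucket:22} {n}")
    print("still needs attention:", result["unresolved"] or "nothing")
```

Run over the full 22-line report above, the same code counts 8 live malware hits (the Yazzle installer and the seven Virtumod DLLs in system32), 6 backup copies, 2 Recycle Bin items and 6 riskware entries, with nothing left unresolved, which matches the poster's observation that the machine was running better afterwards.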

#6 RichieUK

Malware Response Team

Posted 08 February 2007 - 01:40 PM

You're doing great :thumbsup:

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, on the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply, along with a new Hijackthis log please.

#7 midz


Posted 08 February 2007 - 09:17 PM

Wow, it seems like I'll never get rid of this stuff, haha. I knew spyware could be nasty, but I didn't think it could be this nasty! Alright, so here are my logs:

SuperAntiSpyware:

SUPERAntiSpyware Scan Log
Generated 02/08/2007 at 08:54 PM

Application Version : 3.5.1016

Core Rules Database Version : 3180
Trace Rules Database Version: 1190

Scan type : Complete Scan
Total Scan Time : 00:40:15

Memory items scanned : 336
Memory threats detected : 0
Registry items scanned : 4790
Registry threats detected : 10
File items scanned : 32544
File threats detected : 26

Adware.Tracking Cookie
C:\Documents and Settings\t04d\Cookies\t04d@atdmt[2].txt
C:\Documents and Settings\t04d\Cookies\t04d@mediaplex[1].txt

Trojan.Unknown Origin
HKLM\SOFTWARE\Microsoft\MSSMGR
HKLM\SOFTWARE\Microsoft\MSSMGR#Data
HKLM\SOFTWARE\Microsoft\MSSMGR#LSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#BSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#MSLIST
HKLM\SOFTWARE\Microsoft\MSSMGR#Brnd
HKLM\SOFTWARE\Microsoft\MSSMGR#SSTV
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2600DAF7-856A-41C3-A7E7-3D046C3B48E6}\RP127\A0042551.EXE

Adware.ClickSpring/Yazzle
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1162Oin
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1162Oin#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1162Oin#UninstallString
C:\PROGRAM FILES\COMMON FILES\YAZZLE1162OINUNINSTALLER.EXE

Trojan.Downloader-SVCHost/Fake
C:\PROGRAM FILES\COMMON FILES\SVCHOST.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2600DAF7-856A-41C3-A7E7-3D046C3B48E6}\RP127\A0039294.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2600DAF7-856A-41C3-A7E7-3D046C3B48E6}\RP128\A0043634.EXE

Adware.VSToolbar
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2600DAF7-856A-41C3-A7E7-3D046C3B48E6}\RP127\A0038257.DLL

Trojan.Downloader-WBRock
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2600DAF7-856A-41C3-A7E7-3D046C3B48E6}\RP127\A0038259.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2600DAF7-856A-41C3-A7E7-3D046C3B48E6}\RP128\A0043655.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2600DAF7-856A-41C3-A7E7-3D046C3B48E6}\RP128\A0043657.DLL

Adware.ClickSpring
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2600DAF7-856A-41C3-A7E7-3D046C3B48E6}\RP127\A0038271.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2600DAF7-856A-41C3-A7E7-3D046C3B48E6}\RP127\A0040454.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2600DAF7-856A-41C3-A7E7-3D046C3B48E6}\RP127\A0041548.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2600DAF7-856A-41C3-A7E7-3D046C3B48E6}\RP127\A0042547.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2600DAF7-856A-41C3-A7E7-3D046C3B48E6}\RP128\A0043696.EXE

Trojan.Downloader-DRVSAM
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2600DAF7-856A-41C3-A7E7-3D046C3B48E6}\RP127\A0038273.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2600DAF7-856A-41C3-A7E7-3D046C3B48E6}\RP127\A0038275.DLL

Trojan.Downloader-Gen/LIB
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2600DAF7-856A-41C3-A7E7-3D046C3B48E6}\RP127\A0038611.DLL

Trojan.Downloader-Quake11
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2600DAF7-856A-41C3-A7E7-3D046C3B48E6}\RP128\A0043649.DLL

Trojan.Downloader-SSQ
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2600DAF7-856A-41C3-A7E7-3D046C3B48E6}\RP128\A0043686.DLL

Trojan.Downloader-SpyTool
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2600DAF7-856A-41C3-A7E7-3D046C3B48E6}\RP128\A0043688.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2600DAF7-856A-41C3-A7E7-3D046C3B48E6}\RP128\A0043690.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2600DAF7-856A-41C3-A7E7-3D046C3B48E6}\RP128\A0043692.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2600DAF7-856A-41C3-A7E7-3D046C3B48E6}\RP128\A0043694.DLL

Trojan.Downloader-Gen/Win
C:\WINDOWS\SYSTEM32\UNSVCHOSTS.LZMA


And my HJT after the scan:

Logfile of HijackThis v1.99.1
Scan saved at 9:13:59 PM, on 2/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\eEye Digital Security\Blink\blinksvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\PeoplePC\ISP6200\Browser\Bartshel.exe
C:\PROGRA~1\PeoplePC\ISP6200\Browser\PPShared.exe
C:\Program Files\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
C:\Program Files\eEye Digital Security\Blink\BLINK.EXE
C:\Program Files\PeoplePC\ISP6200\Browser\Bartshel.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\t04d\Desktop\ANTIVIRUS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\PPCToolbar.dll
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\PPCToolbar.dll
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [RandMAC] C:\Documents and Settings\t04d\Desktop\MadMACs\MadMACs\MadMACs.exe doittoit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6200\BIN\PPCOLink.exe -STATION
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Blink Personal.lnk = C:\Program Files\eEye Digital Security\Blink\BLINK.EXE
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{6412F34B-201E-498F-89BE-09F1135F6683}: NameServer = 209.244.0.3 209.244.0.4
O18 - Filter: text/html - {72D50253-BE71-4c85-9B38-6331E5AD1499} - C:\Program Files\eEye Digital Security\Blink\IEMimeFilter.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: eEye Blink Engine (blinksvc) - eEye Digital Security - C:\Program Files\eEye Digital Security\Blink\blinksvc.exe
O23 - Service: eEye Application Bus (eeyeevnt) - eEye Digital Security - C:\Program Files\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

#8 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 09 February 2007 - 02:25 AM

Please download Combofix and save to the desktop:
http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe & follow the prompts.
When finished, it will produce a log.
Post the C:\ComboFix.txt in your next reply.
Note:
Do not mouse-click ComboFix's window whilst it's running.
That may cause the program to freeze/hang.


Post the C:\ComboFix.txt, and a new Hijackthis log, into your next reply.

#9 midz (Topic Starter, Members, 5 posts)

Posted 11 February 2007 - 09:30 PM

"t04d" - 07-02-11 21:08:52 Service Pack 2
ComboFix 07-02-11 - Running from: "C:\Documents and Settings\t04d\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2007-01-11 to 2007-02-11 ))))))))))))))))))))))))))))))))))


2007-02-08 20:23 0 --a------ C:\WINDOWS\YOURAPP.EXE
2007-02-08 20:01 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-02-08 20:01 <DIR> d-------- C:\DOCUME~1\t04d\Application Data\SUPERAntiSpyware.com
2007-02-08 20:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\SUPERAntiSpyware.com
2007-02-08 00:44 <DIR> d-------- C:\Program Files\wildchica
2007-02-07 19:55 <DIR> d-------- C:\DOCUME~1\t04d\DoctorWeb
2007-02-07 13:13 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-02-07 13:13 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-02-07 13:13 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-02-07 13:13 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-02-07 13:13 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-02-06 12:44 3,162 --a------ C:\WINDOWS\system32\tmp.reg
2007-02-05 15:59 1,058,503 ---hs---- C:\WINDOWS\system32\morqr.ini2
2007-02-04 23:45 1,005,238 ---hs---- C:\WINDOWS\system32\morqr.bak1
2007-01-31 13:59 <DIR> d-------- C:\Program Files\Phone Dialer Pro
2007-01-31 13:59 <DIR> d-------- C:\DOCUME~1\t04d\Application Data\Phone Dialer Pro
2007-01-30 18:12 <DIR> d-------- C:\cygwin
2007-01-30 14:32 14,892 --ah----- C:\WINDOWS\system32\mlfcache.dat
2007-01-29 23:28 71,680 --a------ C:\WINDOWS\ST5UNST.EXE
2007-01-29 23:28 29,696 --a------ C:\WINDOWS\system32\VB5StKit.dll
2007-01-29 18:14 <DIR> d-------- C:\DOCUME~1\t04d\Application Data\Thunderbird
2007-01-29 18:14 <DIR> d-------- C:\DOCUME~1\t04d\Application Data\Talkback
2007-01-29 18:13 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2007-01-29 00:44 466,944 --a------ C:\WINDOWS\Raging Sky.scr
2007-01-29 00:44 28,672 --a------ C:\WINDOWS\system32\ssconfig.exe
2007-01-29 00:44 180,224 --a------ C:\WINDOWS\UninstallWSST.exe
2007-01-29 00:44 1,207,600 --a------ C:\WINDOWS\Raging Sky.dat
2007-01-27 22:09 <DIR> d-------- C:\WINDOWS\peoplepc
2007-01-27 22:06 <DIR> d-------- C:\Program Files\PeoplePC Accelerated
2007-01-27 16:13 67,584 --------- C:\WINDOWS\system32\unPPC.exe
2007-01-27 16:13 62,464 --------- C:\WINDOWS\system32\unPPC6000.exe
2007-01-27 16:13 45,056 --------- C:\WINDOWS\system32\ppcwebi.dll
2007-01-27 16:13 37,376 --------- C:\WINDOWS\system32\PPCOUNIN.exe
2007-01-27 16:13 34,660 --a------ C:\WINDOWS\system32\ppaluninst.exe
2007-01-27 16:13 28,672 --------- C:\WINDOWS\system32\RegHero.exe
2007-01-27 16:13 18,432 --------- C:\WINDOWS\system32\PPCInfo.exe
2007-01-27 16:13 10,752 --------- C:\WINDOWS\system32\PopWait.exe
2007-01-27 16:13 <DIR> d-------- C:\Program Files\PeoplePC
2007-01-18 02:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Adobe
2007-01-15 17:03 155,648 --a------ C:\WINDOWS\system32\igfxres.dll
2007-01-15 16:55 90,112 --a------ C:\WINDOWS\system32\mdmxsdk.dll
2007-01-15 16:55 682,624 --a------ C:\WINDOWS\system32\drivers\HSF_CNXT.sys
2007-01-15 16:55 199,552 --a------ C:\WINDOWS\system32\drivers\HSFHWICH.sys
2007-01-15 16:55 11,043 --a------ C:\WINDOWS\system32\drivers\mdmxsdk.sys
2007-01-15 16:55 1,041,536 --a------ C:\WINDOWS\system32\drivers\HSF_DP.sys
2007-01-15 16:55 <DIR> d-------- C:\Program Files\CONEXANT


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-11 21:13 264 --a------ C:\WINDOWS\system32\winsusrm.dll
2007-02-11 21:07 -------- d-------- C:\Program Files\mirc
2007-02-11 21:07 -------- d-------- C:\DOCUME~1\t04d\Application Data\dmcache
2007-02-11 21:05 -------- d-------- C:\Program Files\mozilla firefox
2007-02-08 20:01 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2007-02-04 23:38 105 --a------ C:\WINDOWS\system32\mit.bat
2007-01-29 18:14 6548 --a--c--- C:\WINDOWS\mozver.dat
2007-01-29 18:14 -------- d-------- C:\DOCUME~1\t04d\Application Data\mozilla
2007-01-18 03:36 -------- d-------- C:\Program Files\ringcentral
2007-01-18 03:34 -------- d-------- C:\Program Files\net tools
2007-01-18 02:52 -------- d-------- C:\DOCUME~1\t04d\Application Data\adobeum
2007-01-17 21:18 -------- d-------- C:\Program Files\frogger
2007-01-15 16:58 -------- d-------- C:\Program Files\hpq
2007-01-15 01:29 -------- d-------- C:\Program Files\java
2007-01-12 19:03 -------- d-------- C:\DOCUME~1\t04d\Application Data\msn6
2007-01-11 18:54 -------- d-------- C:\Program Files\internet download manager
2007-01-10 20:06 -------- d-------- C:\DOCUME~1\t04d\Application Data\apple computer
2007-01-10 20:01 -------- d-------- C:\Program Files\quicktime
2007-01-09 22:25 -------- d-------- C:\Program Files\drug lord 2
2007-01-07 21:02 -------- d-------- C:\Program Files\winpcap
2007-01-04 17:43 202400 --a------ C:\WINDOWS\system32\seccomm.dll
2007-01-03 01:19 -------- d-------- C:\Program Files\visual zip password recovery processor
2007-01-01 22:26 -------- d-------- C:\DOCUME~1\t04d\Application Data\help
2006-12-28 17:42 -------- d---s---- C:\DOCUME~1\t04d\Application Data\microsoft
2006-12-28 01:35 -------- d-------- C:\DOCUME~1\t04d\Application Data\idm
2006-12-20 18:19 -------- d-------- C:\DOCUME~1\t04d\Application Data\dev-cpp
2006-12-18 17:57 858273 ---hs---- C:\WINDOWS\system32\cceeg.ini2
2006-12-15 21:46 -------- d-------- C:\Program Files\movie maker
2006-12-15 21:46 -------- d-------- C:\Program Files\messenger
2006-12-15 21:41 -------- d-------- C:\Program Files\windows nt
2006-12-14 10:36 120 --a------ C:\WINDOWS\system32\winsusrx.dll
2006-12-14 10:12 -------- d-------- C:\Program Files\eeye digital security
2006-12-14 10:12 -------- d-------- C:\Program Files\Common Files\eeye digital security
2006-12-13 15:19 -------- d-------- C:\Program Files\Common Files\symantec shared
2006-12-13 15:13 -------- d-------- C:\Program Files\symantec
2006-12-13 15:12 -------- d-------- C:\Program Files\norton antivirus
2006-12-13 15:12 -------- d-------- C:\DOCUME~1\t04d\Application Data\symantec
2006-12-13 12:17 -------- d-------- C:\Program Files\getright
2006-12-12 22:33 853954 ---hs---- C:\WINDOWS\system32\cceeg.bak1
2006-12-07 17:02 2174976 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-12-03 13:18 200704 --a------ C:\WINDOWS\system32\libssl32.dll
2006-11-20 00:42 33280 --a------ C:\WINDOWS\system32\snmp.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"HPHmon05"="C:\\WINDOWS\\System32\\hphmon05.exe"
"RandMAC"="C:\\Documents and Settings\\t04d\\Desktop\\MadMACs\\MadMACs\\MadMACs.exe doittoit"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"Bart Station"="C:\\Program Files\\PeoplePC\\ISP6200\\BIN\\PPCOLink.exe -STATION"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"IDMan"="C:\\Program Files\\Internet Download Manager\\IDMan.exe /onboot"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"eabconfg.cpl"="C:\\Program Files\\HPQ\\Quick Launch Buttons\\EabServr.exe /Start"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BuzMe.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\BuzMe.lnk"
"backup"="C:\\WINDOWS\\pss\\BuzMe.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\RINGCE~1\\BuzMe\\RCUI.exe "
"item"="BuzMe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight - Tray Icon.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\GetRight - Tray Icon.lnk"
"backup"="C:\\WINDOWS\\pss\\GetRight - Tray Icon.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\GetRight\\getright.exe "
"item"="GetRight - Tray Icon"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Digital Imaging Monitor.lnk"
"backup"="C:\\WINDOWS\\pss\\HP Digital Imaging Monitor.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqtra08.exe "
"item"="HP Digital Imaging Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Quicken Scheduled Updates.lnk"
"backup"="C:\\WINDOWS\\pss\\Quicken Scheduled Updates.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Quicken\\bagent.exe "
"item"="Quicken Scheduled Updates"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="drvpus"
"hkey"="HKLM"
"command"="rundll32.exe C:\\WINDOWS\\System32\\drvpus.dll,startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXSUPMON]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LXSUPMON"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\LXSUPMON.EXE RUN"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="printray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\2\\printray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPEnh"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPLpr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THGuard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="THGuard"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\TrojanHunter 4.6\\THGuard.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue Registry Booster]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RegistryBooster"
"hkey"="HKCU"
"command"="C:\\Program Files\\Uniblue\\Registry Booster\\RegistryBooster.exe /S"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sgtray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinHosts"=dword:00000002
"AOL ACS"=dword:00000002
"RDSessMgr"=dword:00000003
"LexBceS"=dword:00000002
"KPF4"=dword:00000002
"helpsvc"=dword:00000003
"SharedAccess"=dword:00000002


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{0AFEA888-B97B-4EDE-AC47-1FEE31D5CEE5}"=""
"{6D1A2FF3-1ADF-4935-A2A7-CA9DCE67D450}"=""
"{563AF8EA-5807-4FBC-A58E-ED7D9838F9C7}"=""
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"svchost.exe"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

detected NTDLL code modification:
ZwOpenKey, ZwOpenFile

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????4?2?2?3??????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-02-11 21:14:38



Logfile of HijackThis v1.99.1
Scan saved at 9:26:59 PM, on 2/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\eEye Digital Security\Blink\blinksvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
C:\Program Files\eEye Digital Security\Blink\BLINK.EXE
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\PeoplePC\ISP6200\Browser\Bartshel.exe
C:\Program Files\PeoplePC\ISP6200\Browser\Bartshel.exe
C:\PROGRA~1\PeoplePC\ISP6200\Browser\PPShared.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\t04d\Desktop\ANTIVIRUS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\PPCToolbar.dll
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\PPCToolbar.dll
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [RandMAC] C:\Documents and Settings\t04d\Desktop\MadMACs\MadMACs\MadMACs.exe doittoit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6200\BIN\PPCOLink.exe -STATION
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Blink Personal.lnk = C:\Program Files\eEye Digital Security\Blink\BLINK.EXE
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6412F34B-201E-498F-89BE-09F1135F6683}: NameServer = 209.244.0.3 209.244.0.4
O18 - Filter: text/html - {72D50253-BE71-4c85-9B38-6331E5AD1499} - C:\Program Files\eEye Digital Security\Blink\IEMimeFilter.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: eEye Blink Engine (blinksvc) - eEye Digital Security - C:\Program Files\eEye Digital Security\Blink\blinksvc.exe
O23 - Service: eEye Application Bus (eeyeevnt) - eEye Digital Security - C:\Program Files\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
